Bucket
data class BucketPolicyArgs(val bucket: Output<String>? = null, val policy: Output<String>? = null) : ConvertibleToJava<BucketPolicyArgs>
Attaches a policy to an S3 bucket resource.
Policies can be attached to both S3 general purpose buckets and S3 directory buckets.
Example Usage
Basic Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.s3.BucketV2("example", {bucket: "my-tf-test-bucket"});
const allowAccessFromAnotherAccount = aws.iam.getPolicyDocumentOutput({
statements: [{
principals: [{
type: "AWS",
identifiers: ["123456789012"],
}],
actions: [
"s3:GetObject",
"s3:ListBucket",
],
resources: [
example.arn,
pulumi.interpolate`${example.arn}/*`,
],
}],
});
const allowAccessFromAnotherAccountBucketPolicy = new aws.s3.BucketPolicy("allow_access_from_another_account", {
bucket: example.id,
policy: allowAccessFromAnotherAccount.apply(allowAccessFromAnotherAccount => allowAccessFromAnotherAccount.json),
});Content copied to clipboard
import pulumi
import pulumi_aws as aws
example = aws.s3.BucketV2("example", bucket="my-tf-test-bucket")
allow_access_from_another_account = aws.iam.get_policy_document_output(statements=[{
"principals": [{
"type": "AWS",
"identifiers": ["123456789012"],
}],
"actions": [
"s3:GetObject",
"s3:ListBucket",
],
"resources": [
example.arn,
example.arn.apply(lambda arn: f"{arn}/*"),
],
}])
allow_access_from_another_account_bucket_policy = aws.s3.BucketPolicy("allow_access_from_another_account",
bucket=example.id,
policy=allow_access_from_another_account.json)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.S3.BucketV2("example", new()
{
Bucket = "my-tf-test-bucket",
});
var allowAccessFromAnotherAccount = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "AWS",
Identifiers = new[]
{
"123456789012",
},
},
},
Actions = new[]
{
"s3:GetObject",
"s3:ListBucket",
},
Resources = new[]
{
example.Arn,
$"{example.Arn}/*",
},
},
},
});
var allowAccessFromAnotherAccountBucketPolicy = new Aws.S3.BucketPolicy("allow_access_from_another_account", new()
{
Bucket = example.Id,
Policy = allowAccessFromAnotherAccount.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
});Content copied to clipboard
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/s3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := s3.NewBucketV2(ctx, "example", &s3.BucketV2Args{
Bucket: pulumi.String("my-tf-test-bucket"),
})
if err != nil {
return err
}
allowAccessFromAnotherAccount := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
Statements: iam.GetPolicyDocumentStatementArray{
&iam.GetPolicyDocumentStatementArgs{
Principals: iam.GetPolicyDocumentStatementPrincipalArray{
&iam.GetPolicyDocumentStatementPrincipalArgs{
Type: pulumi.String("AWS"),
Identifiers: pulumi.StringArray{
pulumi.String("123456789012"),
},
},
},
Actions: pulumi.StringArray{
pulumi.String("s3:GetObject"),
pulumi.String("s3:ListBucket"),
},
Resources: pulumi.StringArray{
example.Arn,
example.Arn.ApplyT(func(arn string) (string, error) {
return fmt.Sprintf("%v/*", arn), nil
}).(pulumi.StringOutput),
},
},
},
}, nil)
_, err = s3.NewBucketPolicy(ctx, "allow_access_from_another_account", &s3.BucketPolicyArgs{
Bucket: example.ID(),
Policy: pulumi.String(allowAccessFromAnotherAccount.ApplyT(func(allowAccessFromAnotherAccount iam.GetPolicyDocumentResult) (*string, error) {
return &allowAccessFromAnotherAccount.Json, nil
}).(pulumi.StringPtrOutput)),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.BucketV2;
import com.pulumi.aws.s3.BucketV2Args;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.s3.BucketPolicy;
import com.pulumi.aws.s3.BucketPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new BucketV2("example", BucketV2Args.builder()
.bucket("my-tf-test-bucket")
.build());
final var allowAccessFromAnotherAccount = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("AWS")
.identifiers("123456789012")
.build())
.actions(
"s3:GetObject",
"s3:ListBucket")
.resources(
example.arn(),
example.arn().applyValue(_arn -> String.format("%s/*", _arn)))
.build())
.build());
var allowAccessFromAnotherAccountBucketPolicy = new BucketPolicy("allowAccessFromAnotherAccountBucketPolicy", BucketPolicyArgs.builder()
.bucket(example.id())
.policy(allowAccessFromAnotherAccount.applyValue(_allowAccessFromAnotherAccount -> _allowAccessFromAnotherAccount.json()))
.build());
}
}Content copied to clipboard
resources:
example:
type: aws:s3:BucketV2
properties:
bucket: my-tf-test-bucket
allowAccessFromAnotherAccountBucketPolicy:
type: aws:s3:BucketPolicy
name: allow_access_from_another_account
properties:
bucket: ${example.id}
policy: ${allowAccessFromAnotherAccount.json}
variables:
allowAccessFromAnotherAccount:
fn::invoke:
function: aws:iam:getPolicyDocument
arguments:
statements:
- principals:
- type: AWS
identifiers:
- '123456789012'
actions:
- s3:GetObject
- s3:ListBucket
resources:
- ${example.arn}
- ${example.arn}/*Content copied to clipboard
Import
Using pulumi import, import S3 bucket policies using the bucket name. For example:
$ pulumi import aws:s3/bucketPolicy:BucketPolicy allow_access_from_another_account my-tf-test-bucketContent copied to clipboard
Properties
Link copied to clipboard
Text of the policy. Although this is a bucket policy rather than an IAM policy, the aws.iam.getPolicyDocument data source may be used, so long as it specifies a principal. For more information about building AWS IAM policy documents, see the AWS IAM Policy Document Guide. Note: Bucket policies are limited to 20 KB in size. //////