bucket_policy

State module for managing AWS S3 bucket policy.

async idem_aws.states.aws.s3.bucket_policy.present(hub, ctx, name: str, bucket: str, policy: str, confirm_remove_self_bucket_access: bool = None, expected_bucket_owner: str = None, resource_id: str = None) -> Dict[str, Any]

Applies an Amazon S3 bucket policy to an Amazon S3 bucket.

If you are using an identity other than the root user of the AWS account that owns the bucket, the calling identity must have the s3:PutBucketPolicy permission on the specified bucket and must belong to the bucket owner's account. Without that permission, Amazon S3 returns a 403 Access Denied error; with the permission but an identity from another account, it returns a 405 Method Not Allowed error. As a safety net, the root user of the bucket owner's account can always call PutBucketPolicy (and DeleteBucketPolicy), even if the bucket policy explicitly denies it, so a lock-out caused by a bad policy is recoverable from the root user.

Parameters:
  • name (str) – The name of the bucket policy.

  • bucket (str) – The name of the S3 bucket

  • policy (str) – The bucket policy as a JSON document, passed as a string. Every Resource ARN in it must refer to this bucket (arn:aws:s3:::<bucket> or arn:aws:s3:::<bucket>/...); S3 rejects a policy that names another bucket.

  • confirm_remove_self_bucket_access (bool, Optional) – Set to true only to confirm that the policy being applied intentionally removes your own ability to change this bucket policy in the future (for example, a Deny of s3:PutBucketPolicy to every principal). Leave it unset for ordinary policies so that an accidental lock-out is caught rather than confirmed.

  • expected_bucket_owner (str, Optional) – The account ID of the expected bucket owner. If the bucket is owned by a different account, the request will fail with an HTTP 403 (Access Denied) error.

  • resource_id (str, Optional) – S3 Bucket policy ID

Request Syntax:
[bucket_name]-policy:
  aws.s3.bucket_policy.present:
    - bucket: "string"
    - policy: "string"
    - confirm_remove_self_bucket_access: "bool"
    - expected_bucket_owner: "string"
Returns:

dict[str, Any]

Examples

my-s3-bucket-bb7bb32e9533-policy:
  aws.s3.bucket_policy.present:
    - bucket: my-s3-bucket-bb7bb32e9533
    - policy: '{"Version":"2012-10-17","Statement":[{"Sid":"AccountReadGetObject","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::418235808912:root"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::my-s3-bucket-bb7bb32e9533/*"}]}'
    - confirm_remove_self_bucket_access: False
    - expected_bucket_owner: "1239234249"
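Before handing a policy string to aws.s3.bucket_policy.present it pays to lint it locally for the three mistakes the parameters above exist to catch: a Resource ARN that does not belong to the target bucket (S3 rejects the whole document as MalformedPolicy, so the state fails at apply time), an unconditional Allow to every principal (a public bucket), and a Deny of s3:PutBucketPolicy to every principal (the lock-out that confirm_remove_self_bucket_access acknowledges). The following Python is an added example and not idem-aws code; lint_bucket_policy, its helpers and the sample policies are constructed here for illustration.

```python
"""Pre-flight checks for an S3 bucket policy document before it is applied
with aws.s3.bucket_policy.present.

Added example: the functions and sample policies below are constructed for
illustration and are not part of idem-aws.
"""
import json
from typing import Any, Dict, List

# Actions whose denial to every principal removes the caller's ability to
# change the policy later, which is what confirm_remove_self_bucket_access
# asks you to acknowledge.
POLICY_CONTROL_ACTIONS = {"s3:putbucketpolicy", "s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """Policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_everyone(principal: Any) -> bool:
    """True for "Principal": "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _in_bucket(arn: str, bucket: str) -> bool:
    """A bucket policy may only name the bucket it is attached to, or its keys."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return arn == bucket_arn or arn.startswith(bucket_arn + "/")


def lint_bucket_policy(policy: str, bucket: str,
                       confirm_remove_self_bucket_access: bool = False) -> List[str]:
    """Return a list of findings; an empty list means the policy passed.

    Per statement:
      1. every Resource ARN must belong to `bucket`;
      2. an Allow to every principal with no Condition makes the bucket public;
      3. a Deny of policy-control actions to every principal locks the account
         out of future PutBucketPolicy calls unless that was confirmed.
    NotPrincipal / NotAction / NotResource and Condition blocks on Deny
    statements are deliberately not interpreted; this is a lint, not an
    evaluator.
    """
    findings: List[str] = []
    doc: Dict[str, Any] = json.loads(policy)
    for index, stmt in enumerate(_as_list(doc.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{index}]")
        effect = stmt.get("Effect")
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        everyone = _grants_everyone(stmt.get("Principal"))

        for arn in _as_list(stmt.get("Resource")):
            if not _in_bucket(arn, bucket):
                findings.append(f"{sid}: Resource {arn} is not in bucket {bucket}")

        if effect == "Allow" and everyone and "Condition" not in stmt:
            findings.append(f"{sid}: unconditional Allow to Principal * makes the bucket public")

        if (effect == "Deny" and everyone
                and actions & POLICY_CONTROL_ACTIONS
                and not confirm_remove_self_bucket_access):
            findings.append(f"{sid}: denies policy changes to every principal; "
                            "set confirm_remove_self_bucket_access: true only if intended")
    return findings


BUCKET = "my-s3-bucket-bb7bb32e9533"

# Constructed sample policies (not taken from any real account).
def _policy(statement: Dict[str, Any]) -> str:
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})

CLEAN_POLICY = _policy({"Sid": "AccountReadGetObject", "Effect": "Allow",
                        "Principal": {"AWS": "arn:aws:iam::418235808912:root"},
                        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"})
MISMATCHED_RESOURCE = _policy({"Sid": "WrongBucket", "Effect": "Allow",
                               "Principal": {"AWS": "arn:aws:iam::418235808912:root"},
                               "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::some-other-bucket/*"})
PUBLIC_READ = _policy({"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                       "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"})
LOCKOUT = _policy({"Sid": "DenyPolicyChanges", "Effect": "Deny", "Principal": "*",
                   "Action": "s3:PutBucketPolicy", "Resource": f"arn:aws:s3:::{BUCKET}"})

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_POLICY), ("mismatch", MISMATCHED_RESOURCE),
                       ("public", PUBLIC_READ), ("lockout", LOCKOUT)]:
        print(label, lint_bucket_policy(doc, BUCKET) or ["ok"])
```

Run the lint on the policy string from your SLS file with the same bucket and confirm_remove_self_bucket_access values you intend to pass to present; an empty result means none of the three problems is present, while any finding is a reason to fix the document before idem applies it.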
async idem_aws.states.aws.s3.bucket_policy.absent(hub, ctx, name: str, bucket: str = None, resource_id: str = None, expected_bucket_owner: str = None) -> Dict[str, Any]

Deletes the policy of the specified S3 bucket.

Parameters:
  • name (str) – The name of the bucket policy.

  • bucket (str, Optional) – The name of the S3 bucket

  • resource_id (str, Optional) – S3 Bucket policy ID. If this field is not specified, Idem treats the resource as already absent and makes no change.

  • expected_bucket_owner (str, Optional) – The account ID of the expected bucket owner. If the bucket is owned by a different account, the request will fail with an HTTP 403 (Access Denied) error.

Request Syntax:
[bucket_name]-policy:
  aws.s3.bucket_policy.absent:
    - bucket: string
    - expected_bucket_owner: string
Returns:

dict[str, Any]

Examples

my-s3-bucket-bb7bb32e9533-policy:
  aws.s3.bucket_policy.absent:
    - bucket: my-s3-bucket-bb7bb32e9533
    - expected_bucket_owner: "1239234249"
async idem_aws.states.aws.s3.bucket_policy.describe(hub, ctx) -> Dict[str, Dict[str, Any]]

Describes the bucket policy of every S3 bucket visible under the given context, returning each one in the form of an aws.s3.bucket_policy.present state.

Returns:

dict[str, Any]

Examples

$ idem describe aws.s3.bucket_policy