Skip to main content

bucket_policies

Creates, updates, deletes or gets a bucket_policy resource or lists bucket_policies in a region

Overview

Namebucket_policies
TypeResource
Description
Applies an Amazon S3 bucket policy to an Amazon S3 bucket. If you are using an identity other than the root user of the AWS-account that owns the bucket, the calling identity must have the PutBucketPolicy permissions on the specified bucket and belong to the bucket owner's account in order to use this operation.If you don't have PutBucketPolicy permissions, Amazon S3 returns a 403 Access Denied error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not Allowed error.
As a security precaution, the root user of the AWS-account that owns a bucket can always use this operation, even if the policy explicitly denies the root user the ability to perform this action.
When using the AWS::S3::BucketPolicy resource, you can create, update, and delete bucket policies for S3 buckets located in Regions that are different from the stack's Region. However, the CloudFormation stacks should be deployed in the US East (N. Virginia) or us-east-1 Region. This cross-region bucket policy modification functionality is supported for backward compatibility with existing workflows.
If the DeletionPolicy attribute is not specified or set to Delete, the bucket policy will be removed when the stack is deleted. If set to Retain, the bucket policy will be preserved even after the stack is deleted.
For example, a CloudFormation stack in us-east-1 can use the AWS::S3::BucketPolicy resource to manage the bucket policy for an S3 bucket in us-west-2. The retention or removal of the bucket policy during the stack deletion is determined by the DeletionPolicy attribute specified in the stack template.
For more information, see Bucket policy examples.
The following operations are related to PutBucketPolicy:
+ CreateBucket
+ DeleteBucket
Idawscc.s3.bucket_policies

Fields

NameDatatypeDescription
bucketstringThe name of the Amazon S3 bucket to which the policy applies.
policy_documentobjectA policy document containing permissions to add to the specified bucket. In IAM, you must provide policy documents in JSON format. However, in CloudFormation you can provide the policy in JSON or YAML format because CloudFormation converts YAML to JSON before submitting it to IAM. For more information, see the AWS::IAM::Policy PolicyDocument resource description in this guide and Access Policy Language Overview in the Amazon S3 User Guide.
regionstringAWS region.

For more information, see AWS::S3::BucketPolicy.

Methods

NameResourceAccessible byRequired Params
create_resourcebucket_policiesINSERTBucket, PolicyDocument, region
delete_resourcebucket_policiesDELETEIdentifier, region
update_resourcebucket_policiesUPDATEIdentifier, PatchDocument, region
list_resourcesbucket_policies_list_onlySELECTregion
get_resourcebucket_policiesSELECTIdentifier, region

SELECT examples

Gets all properties from an individual bucket_policy.

SELECT
  region,
  bucket,
  policy_document
FROM awscc.s3.bucket_policies
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ bucket }}';

INSERT example

Use the following StackQL query and manifest file to create a new bucket_policy resource, using stack-deploy.

/*+ create */
INSERT INTO awscc.s3.bucket_policies (
  Bucket,
  PolicyDocument,
  region
)
SELECT
  '{{ bucket }}',
  '{{ policy_document }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

UPDATE example

Use the following StackQL query and manifest file to update a bucket_policy resource, using stack-deploy.

/*+ update */
UPDATE awscc.s3.bucket_policies
SET PatchDocument = string('{{ {
    "PolicyDocument": policy_document
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ bucket }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

DELETE example

/*+ delete */
DELETE FROM awscc.s3.bucket_policies
WHERE
  Identifier = '{{ bucket }}' AND
  region = '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

Additional Parameters

Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:

ParameterDescription
ClientToken
A unique identifier to ensure the idempotency of the resource request.This allows the provider to accurately distinguish between retries and new requests.
A client token is valid for 36 hours once used.
After that, a resource request with the same client token is treated as a new request.
If you do not specify a client token, one is generated for inclusion in the request.
RoleArn
The ARN of the IAM role used to perform this resource operation.The role specified must have the permissions required for this operation.
If you do not specify a role, a temporary session is created using your AWS user credentials.
TypeVersionId
For private resource types, the type version to use in this resource operation.If you do not specify a resource version, the default version is used.

Permissions

To operate on the bucket_policies resource, the following permissions are required:

s3:GetBucketPolicy,
s3:PutBucketPolicy