S3Control / Client / list_access_grants

list_access_grants#

S3Control.Client.list_access_grants(**kwargs)#

Returns the list of access grants in your S3 Access Grants instance.

Permissions

You must have the s3:ListAccessGrants permission to use this operation.

See also: AWS API Documentation

Request Syntax

response = client.list_access_grants(
    AccountId='string',
    NextToken='string',
    MaxResults=123,
    GranteeType='DIRECTORY_USER'|'DIRECTORY_GROUP'|'IAM',
    GranteeIdentifier='string',
    Permission='READ'|'WRITE'|'READWRITE',
    GrantScope='string',
    ApplicationArn='string'
)
Parameters:

  • AccountId (string) –

    [REQUIRED]

    The ID of the Amazon Web Services account that is making this request.

  • NextToken (string) – A pagination token to request the next page of results. Pass this value into a subsequent List Access Grants request in order to retrieve the next page of results.

  • MaxResults (integer) – The maximum number of access grants that you would like returned in the List Access Grants response. If the results include the pagination token NextToken, make another call using the NextToken to determine if there are more results.

  • GranteeType (string) –

    The type of the grantee to which access has been granted. It can be one of the following values:

    • IAM - An IAM user or role.

    • DIRECTORY_USER - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

    • DIRECTORY_GROUP - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

  • GranteeIdentifier (string) – The unique identifer of the Grantee. If the grantee type is IAM, the identifier is the IAM Amazon Resource Name (ARN) of the user or role. If the grantee type is a directory user or group, the identifier is 128-bit universally unique identifier (UUID) in the format a1b2c3d4-5678-90ab-cdef-EXAMPLE11111. You can obtain this UUID from your Amazon Web Services IAM Identity Center instance.

  • Permission (string) –

    The type of permission granted to your S3 data, which can be set to one of the following values:

    • READ – Grant read-only access to the S3 data.

    • WRITE – Grant write-only access to the S3 data.

    • READWRITE – Grant both read and write access to the S3 data.

  • GrantScope (string) – The S3 path of the data to which you are granting access. It is the result of appending the Subprefix to the location scope.

  • ApplicationArn (string) – The Amazon Resource Name (ARN) of an Amazon Web Services IAM Identity Center application associated with your Identity Center instance. If the grant includes an application ARN, the grantee can only access the S3 data through this application.

Return type:

dict

Returns:

Response Syntax

{
    'NextToken': 'string',
    'AccessGrantsList': [
        {
            'CreatedAt': datetime(2015, 1, 1),
            'AccessGrantId': 'string',
            'AccessGrantArn': 'string',
            'Grantee': {
                'GranteeType': 'DIRECTORY_USER'|'DIRECTORY_GROUP'|'IAM',
                'GranteeIdentifier': 'string'
            },
            'Permission': 'READ'|'WRITE'|'READWRITE',
            'AccessGrantsLocationId': 'string',
            'AccessGrantsLocationConfiguration': {
                'S3SubPrefix': 'string'
            },
            'GrantScope': 'string',
            'ApplicationArn': 'string'
        },
    ]
}

Response Structure

  • (dict) –

    • NextToken (string) –

      A pagination token to request the next page of results. Pass this value into a subsequent List Access Grants request in order to retrieve the next page of results.

    • AccessGrantsList (list) –

      A container for a list of grants in an S3 Access Grants instance.

      • (dict) –

        Information about the access grant.

        • CreatedAt (datetime) –

          The date and time when you created the S3 Access Grants instance.

        • AccessGrantId (string) –

          The ID of the access grant. S3 Access Grants auto-generates this ID when you create the access grant.

        • AccessGrantArn (string) –

          The Amazon Resource Name (ARN) of the access grant.

        • Grantee (dict) –

          The user, group, or role to which you are granting access. You can grant access to an IAM user or role. If you have added your corporate directory to Amazon Web Services IAM Identity Center and associated your Identity Center instance with your S3 Access Grants instance, the grantee can also be a corporate directory user or group.

          • GranteeType (string) –

            The type of the grantee to which access has been granted. It can be one of the following values:

            • IAM - An IAM user or role.

            • DIRECTORY_USER - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

            • DIRECTORY_GROUP - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

          • GranteeIdentifier (string) –

            The unique identifier of the Grantee. If the grantee type is IAM, the identifier is the IAM Amazon Resource Name (ARN) of the user or role. If the grantee type is a directory user or group, the identifier is 128-bit universally unique identifier (UUID) in the format a1b2c3d4-5678-90ab-cdef-EXAMPLE11111. You can obtain this UUID from your Amazon Web Services IAM Identity Center instance.

        • Permission (string) –

          The type of access granted to your S3 data, which can be set to one of the following values:

          • READ – Grant read-only access to the S3 data.

          • WRITE – Grant write-only access to the S3 data.

          • READWRITE – Grant both read and write access to the S3 data.

        • AccessGrantsLocationId (string) –

          The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.

        • AccessGrantsLocationConfiguration (dict) –

          The configuration options of the grant location. The grant location is the S3 path to the data to which you are granting access.

          • S3SubPrefix (string) –

            The S3SubPrefix is appended to the location scope creating the grant scope. Use this field to narrow the scope of the grant to a subset of the location scope. This field is required if the location scope is the default location s3:// because you cannot create a grant for all of your S3 data in the Region and must narrow the scope. For example, if the location scope is the default location s3://, the S3SubPrefx can be a <bucket-name>/*, so the full grant scope path would be s3://<bucket-name>/*. Or the S3SubPrefx can be <bucket-name>/<prefix-name>*, so the full grant scope path would be or s3://<bucket-name>/<prefix-name>*.

            If the S3SubPrefix includes a prefix, append the wildcard character * after the prefix to indicate that you want to include all object key names in the bucket that start with that prefix.

        • GrantScope (string) –

          The S3 path of the data to which you are granting access. It is the result of appending the Subprefix to the location scope.

        • ApplicationArn (string) –

          The Amazon Resource Name (ARN) of an Amazon Web Services IAM Identity Center application associated with your Identity Center instance. If the grant includes an application ARN, the grantee can only access the S3 data through this application.