Bucket policies
An S3 bucket can have an optional resource-based policy that grants or denies access to the bucket and its objects for other AWS accounts, IAM principals, or anonymous users. Bucket policies are written in the same JSON format as an IAM policy. Because a single statement with a wildcard Principal is enough to expose every object in the bucket to the internet, review the Effect, Principal, Action and Resource of each statement before applying a policy.
Retrieve a bucket policy
Retrieve a bucket's policy by calling the AWS SDK for Python get_bucket_policy method. The method accepts a parameter that specifies the bucket name and returns the policy document as a JSON string under the Policy key. If the bucket has no policy, the call raises a botocore ClientError whose error code is NoSuchBucketPolicy, so callers that treat "no policy" as a normal state should catch that case rather than let it propagate.

```python
import boto3

# Retrieve the policy of the specified bucket
s3 = boto3.client('s3')
result = s3.get_bucket_policy(Bucket='BUCKET_NAME')

# The policy is returned as a JSON string, not a parsed dict
print(result['Policy'])
```
Set a bucket policy
A bucket's policy can be set by calling the put_bucket_policy method. The policy is defined in the same JSON format as an IAM policy and is passed as a string, so a policy built as a Python dict must be serialized with json.dumps first. put_bucket_policy replaces the bucket's entire existing policy; it does not merge statements, so any statement you want to keep must be included in the new document.

The policy in the example below allows any principal, including unauthenticated users, to retrieve any object stored in the bucket identified by the bucket_name variable. This makes the bucket's contents publicly readable. On buckets where S3 Block Public Access is enabled (the default for newly created buckets), the call is rejected because the policy grants public access; treat that rejection as a safeguard, and scope the Principal to the specific accounts or roles that need access unless the bucket is meant to serve public content.

```python
import json

import boto3

# Create a bucket policy
bucket_name = 'BUCKET_NAME'
bucket_policy = {
    'Version': '2012-10-17',
    'Statement': [{
        'Sid': 'AddPerm',
        'Effect': 'Allow',
        # '*' means every principal, including anonymous requests
        'Principal': '*',
        'Action': ['s3:GetObject'],
        'Resource': f'arn:aws:s3:::{bucket_name}/*'
    }]
}

# Convert the policy from JSON dict to string
bucket_policy = json.dumps(bucket_policy)

# Set the new policy (replaces any existing bucket policy)
s3 = boto3.client('s3')
s3.put_bucket_policy(Bucket=bucket_name, Policy=bucket_policy)
```
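The two operations above (reading a policy that may not exist, and writing one that may be public) are where mistakes usually happen, so the following added example wraps them in helpers that inspect a policy document before it is applied. It is not code from the boto3 guide or from AWS. It flags statements that grant access to a wildcard Principal, builds a least-privilege alternative that grants read access to one account and denies plaintext HTTP, and refuses to call put_bucket_policy with a public policy unless the caller opts in. The bucket name, the account ID 123456789012 and the _RecordingClient stand-in are constructed for the example; only the `__main__` section talks to AWS.

```python
"""Guarded bucket-policy helpers (added example; not from the boto3 guide)."""
import json

# Constructed sample: the public-read policy shown in the guide above.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AddPerm",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}


def _statements(policy):
    """Statement may be a single object or a list; always return a list."""
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _principal_is_wildcard(principal):
    """True for the two spellings of 'anyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy):
    """Allow statements whose Principal is a wildcard (with or without a Condition)."""
    return [s for s in _statements(policy)
            if s.get("Effect") == "Allow" and _principal_is_wildcard(s.get("Principal"))]


def is_public(policy):
    """A conditionless Allow to a wildcard Principal opens the resource to everyone."""
    return any(not s.get("Condition") for s in public_statements(policy))


def account_read_policy(bucket_name, account_id):
    """Least-privilege alternative: read-only for one account, plus a deny on non-TLS requests."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowReadFromTrustedAccount",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": ["s3:GetObject"],
                "Resource": f"{bucket_arn}/*",
            },
            {
                # Deny with a wildcard Principal is fine: it narrows access, never widens it.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def put_bucket_policy_guarded(s3, bucket_name, policy, allow_public=False):
    """Serialize and apply a policy dict, refusing public policies unless explicitly allowed."""
    if is_public(policy) and not allow_public:
        sids = [s.get("Sid", "<no Sid>") for s in public_statements(policy)]
        raise ValueError(f"policy for {bucket_name} grants anonymous access in statements {sids}")
    s3.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(policy))


def get_bucket_policy_or_none(s3, bucket_name):
    """Return the bucket policy as a dict, or None when the bucket has no policy."""
    from botocore.exceptions import ClientError  # imported lazily so the pure helpers run without botocore
    try:
        return json.loads(s3.get_bucket_policy(Bucket=bucket_name)["Policy"])
    except ClientError as e:
        if e.response["Error"]["Code"] == "NoSuchBucketPolicy":
            return None
        raise


class _RecordingClient:
    """Constructed stand-in for a boto3 S3 client; records put_bucket_policy calls instead of sending them."""
    def __init__(self):
        self.calls = []

    def put_bucket_policy(self, **kwargs):
        self.calls.append(kwargs)


if __name__ == "__main__":
    import boto3  # hypothetical bucket name; requires AWS credentials
    s3 = boto3.client("s3")
    print("current policy:", get_bucket_policy_or_none(s3, "example-bucket"))
    put_bucket_policy_guarded(s3, "example-bucket", account_read_policy("example-bucket", "123456789012"))
```

The guard deliberately treats a wildcard Allow that carries a Condition (for example one keyed on aws:SourceVpce) as "needs review" rather than public, which matches how S3's own public-access evaluation treats such statements; run public_statements on it if you want to list those for manual inspection.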
Delete a bucket policy
A bucket's policy can be deleted by calling the delete_bucket_policy method. Deleting the policy removes only the resource-based grants (and denies) it contained; access is then governed by IAM identity policies, ACLs and the bucket's Block Public Access settings, so deleting a policy that held explicit Deny statements can widen access rather than narrow it.

```python
import boto3

# Delete a bucket's policy
s3 = boto3.client('s3')
s3.delete_bucket_policy(Bucket='BUCKET_NAME')
```