S3Control / Client / get_access_grant

get_access_grant

S3Control.Client.get_access_grant(**kwargs)

Get the details of an access grant from your S3 Access Grants instance.

Permissions

You must have the s3:GetAccessGrant permission to use this operation.

Warning

You must URL encode any signed header values that contain spaces. For example, if your header value is my file.txt, containing two spaces after my, you must URL encode this value to my%20%20file.txt.

See also: AWS API Documentation

Request Syntax

response = client.get_access_grant(
    AccountId='string',
    AccessGrantId='string'
)
Parameters:

  • AccountId (string) –

    [REQUIRED]

    The Amazon Web Services account ID of the S3 Access Grants instance.

  • AccessGrantId (string) –

    [REQUIRED]

    The ID of the access grant. S3 Access Grants auto-generates this ID when you create the access grant.

Return type:

dict

Returns:

Response Syntax

{
    'CreatedAt': datetime(2015, 1, 1),
    'AccessGrantId': 'string',
    'AccessGrantArn': 'string',
    'Grantee': {
        'GranteeType': 'DIRECTORY_USER'|'DIRECTORY_GROUP'|'IAM',
        'GranteeIdentifier': 'string'
    },
    'Permission': 'READ'|'WRITE'|'READWRITE',
    'AccessGrantsLocationId': 'string',
    'AccessGrantsLocationConfiguration': {
        'S3SubPrefix': 'string'
    },
    'GrantScope': 'string',
    'ApplicationArn': 'string'
}

Response Structure

  • (dict) –

    • CreatedAt (datetime) –

      The date and time when you created the access grant.

    • AccessGrantId (string) –

      The ID of the access grant. S3 Access Grants auto-generates this ID when you create the access grant.

    • AccessGrantArn (string) –

      The Amazon Resource Name (ARN) of the access grant.

    • Grantee (dict) –

      The user, group, or role to which you are granting access. You can grant access to an IAM user or role. If you have added a corporate directory to Amazon Web Services IAM Identity Center and associated this Identity Center instance with the S3 Access Grants instance, the grantee can also be a corporate directory user or group.

      • GranteeType (string) –

        The type of the grantee to which access has been granted. It can be one of the following values:

        • IAM - An IAM user or role.

        • DIRECTORY_USER - Your corporate directory user. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

        • DIRECTORY_GROUP - Your corporate directory group. You can use this option if you have added your corporate identity directory to IAM Identity Center and associated the IAM Identity Center instance with your S3 Access Grants instance.

      • GranteeIdentifier (string) –

        The unique identifier of the Grantee. If the grantee type is IAM, the identifier is the IAM Amazon Resource Name (ARN) of the user or role. If the grantee type is a directory user or group, the identifier is 128-bit universally unique identifier (UUID) in the format a1b2c3d4-5678-90ab-cdef-EXAMPLE11111. You can obtain this UUID from your Amazon Web Services IAM Identity Center instance.

    • Permission (string) –

      The type of permission that was granted in the access grant. Can be one of the following values:

      • READ – Grant read-only access to the S3 data.

      • WRITE – Grant write-only access to the S3 data.

      • READWRITE – Grant both read and write access to the S3 data.

    • AccessGrantsLocationId (string) –

      The ID of the registered location to which you are granting access. S3 Access Grants assigns this ID when you register the location. S3 Access Grants assigns the ID default to the default location s3:// and assigns an auto-generated ID to other locations that you register.

    • AccessGrantsLocationConfiguration (dict) –

      The configuration options of the grant location. The grant location is the S3 path to the data to which you are granting access.

      • S3SubPrefix (string) –

        The S3SubPrefix is appended to the location scope creating the grant scope. Use this field to narrow the scope of the grant to a subset of the location scope. This field is required if the location scope is the default location s3:// because you cannot create a grant for all of your S3 data in the Region and must narrow the scope. For example, if the location scope is the default location s3://, the S3SubPrefx can be a <bucket-name>/*, so the full grant scope path would be s3://<bucket-name>/*. Or the S3SubPrefx can be <bucket-name>/<prefix-name>*, so the full grant scope path would be or s3://<bucket-name>/<prefix-name>*.

        If the S3SubPrefix includes a prefix, append the wildcard character * after the prefix to indicate that you want to include all object key names in the bucket that start with that prefix.

    • GrantScope (string) –

      The S3 path of the data to which you are granting access. It is the result of appending the Subprefix to the location scope.

    • ApplicationArn (string) –

      The Amazon Resource Name (ARN) of an Amazon Web Services IAM Identity Center application associated with your Identity Center instance. If the grant includes an application ARN, the grantee can only access the S3 data through this application.