Initiate Vault Lock (POST lock-policy) - Amazon S3 Glacier
DescriptionRequestsResponsesExamplesRelated SectionsSee Also

If you're new to archival storage in Amazon Simple Storage Service (Amazon S3), we recommend that you start by learning more about the S3 Glacier storage classes in Amazon S3, S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, and S3 Glacier Deep Archive. For more information, see S3 Glacier storage classes and Storage classes for archiving objects in the Amazon S3 User Guide.

Initiate Vault Lock (POST lock-policy)

Description

This operation initiates the vault locking process by doing the following:

  • Installing a vault lock policy on the specified vault.

  • Setting the lock state of vault lock to InProgress.

  • Returning a lock ID, which is used to complete the vault locking process.

You can set one vault lock policy for each vault and this policy can be up to 20 KB in size. For more information about vault lock policies, see Vault Lock Policies.

You must complete the vault locking process within 24 hours after the vault lock enters the InProgress state. After the 24 hour window ends, the lock ID expires, the vault automatically exits the InProgress state, and the vault lock policy is removed from the vault. You call Complete Vault Lock (POST lockId) to complete the vault locking process by setting the state of the vault lock to Locked.

Note

After a vault lock is in the Locked state, you cannot initiate a new vault lock for the vault.

You can stop the vault locking process by calling Abort Vault Lock (DELETE lock-policy). You can get the state of the vault lock by calling Get Vault Lock (GET lock-policy). For more information about the vault locking process, see S3 Glacier Vault Lock.

If this operation is called when the vault lock is in the InProgress state, the operation returns an AccessDeniedException error. When the vault lock is in the InProgress state you must call Abort Vault Lock (DELETE lock-policy) before you can initiate a new vault lock policy.

Requests

To initiate the vault locking process, send an HTTP POST request to the URI of the lock-policy subresource of the vault, as shown in the following syntax example.

Syntax

POST /AccountId/vaults/vaultName/lock-policy HTTP/1.1
Host: glacier.Region.amazonaws.com
Date: Date
Authorization: SignatureValue
Content-Length: Length
x-amz-glacier-version: 2012-06-01
			
{
  "Policy": "string"
}

Note

The AccountId value is the AWS account ID. This value must match the AWS account ID associated with the credentials used to sign the request. You can either specify an AWS account ID or optionally a single '-' (hyphen), in which case Amazon S3 Glacier uses the AWS account ID associated with the credentials used to sign the request. If you specify your account ID, do not include any hyphens ('-') in the ID.

Request Parameters

This operation does not use request parameters.

Request Headers

This operation uses only request headers that are common to all operations. For information about common request headers, see Common Request Headers.

Request Body

The request body contains the following JSON fields.

Policy

The vault lock policy as a JSON string, which uses "\" as an escape character.

Type: String

Required: Yes

Responses

Amazon S3 Glacier (S3 Glacier) returns an HTTP 201 Created response, if the policy is accepted.

Syntax

HTTP/1.1 201 Created
x-amzn-RequestId: x-amzn-RequestId
Date: Date
x-amz-lock-id: lockId

Response Headers

A successful response includes the following response headers, in addition to the response headers that are common to all operations. For more information about common response headers, see Common Response Headers.

Name Description
x-amz-lock-id

The lock ID, which is used to complete the vault locking process.

Type: String

Response Body

This operation does not return a response body.

Errors

For information about Amazon S3 Glacier exceptions and error messages, see Error Responses.

Examples

Example Request

The following example sends an HTTP PUT request to the URI of the vault's lock-policy subresource. The Policy JSON string uses "\" as an escape character.

PUT /-/vaults/examplevault/lock-policy HTTP/1.1
Host: glacier.us-west-2.amazonaws.com
x-amz-Date: 20170210T120000Z
Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20141123/us-west-2/glacier/aws4_request,SignedHeaders=host;x-amz-date;x-amz-glacier-version,Signature=9257c16da6b25a715ce900a5b45b03da0447acf430195dcb540091b12966f2a2
Content-Length: length
x-amz-glacier-version: 2012-06-01

{"Policy":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Define-vault-lock\",\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"arn:aws:iam::999999999999:root\"},\"Action\":\"glacier:DeleteArchive\",\"Resource\":\"arn:aws:glacier:us-west-2:999999999999:vaults/examplevault\",\"Condition\":{\"NumericLessThanEquals\":{\"glacier:ArchiveAgeinDays\":\"365\"}}}]}"}

Example Response

If the request was successful, S3 Glacier returns an HTTP 201 Created response, as shown in the following example.

HTTP/1.1 201 Created
x-amzn-RequestId: AAABZpJrTyioDC_HsOmHae8EZp_uBSJr6cnGOLKp_XJCl-Q
Date: Wed, 10 Feb 2017 12:02:00 GMT
x-amz-lock-id: AE863rKkWZU53SLW5be4DUcW

See Also

For more information about using this API in one of the language-specific Amazon SDKs, see the following: