AWS SDK for Java
Developer Guide

Managing Access to Amazon S3 Buckets Using Bucket Policies

You can set, get, or delete a bucket policy to manage access to your Amazon S3 buckets.

Set a Bucket Policy

You can set the bucket policy for a particular S3 bucket by:

  • Calling the AmazonS3 client's setBucketPolicy and providing it with a SetBucketPolicyRequest

  • Setting the policy directly by using the setBucketPolicy overload that takes a bucket name and policy text (in JSON format)

Imports

import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.AmazonServiceException;

Code

// bucket_name and policy_text (the JSON policy document) are supplied by the caller.
final AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
try {
    s3.setBucketPolicy(bucket_name, policy_text);
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}

Use the Policy Class to Generate or Validate a Policy

When providing a bucket policy to setBucketPolicy, you can do the following:

  • Specify the policy directly as a string of JSON-formatted text

  • Build the policy using the Policy class

By using the Policy class, you don't have to be concerned about correctly formatting your text string. To get the JSON policy text from the Policy class, use its toJson method.

Imports

import com.amazonaws.auth.policy.Policy;
import com.amazonaws.auth.policy.Principal;
import com.amazonaws.auth.policy.Resource;
import com.amazonaws.auth.policy.Statement;
import com.amazonaws.auth.policy.actions.S3Actions;
import java.io.IOException;

Code

// Builds a single Allow statement. Note that Principal.AllUsers is the "*"
// principal, so this policy lets anyone read every object in the bucket.
Policy bucket_policy = new Policy().withStatements(
        new Statement(Statement.Effect.Allow)
                .withPrincipals(Principal.AllUsers)
                .withActions(S3Actions.GetObject)
                .withResources(new Resource(
                        "arn:aws:s3:::" + bucket_name + "/*")));
return bucket_policy.toJson();

The Policy class also provides a fromJson method that can attempt to build a policy using a passed-in JSON string. The method validates it to ensure that the text can be transformed into a valid policy structure, and will fail with an IllegalArgumentException if the policy text is invalid.

// file_text holds the contents read from policy_file; fromJson rejects
// text that cannot be turned into a valid policy structure.
Policy bucket_policy = null;
try {
    bucket_policy = Policy.fromJson(file_text.toString());
} catch (IllegalArgumentException e) {
    System.out.format("Invalid policy text in file: \"%s\"", policy_file);
    System.out.println(e.getMessage());
}

You can use this technique to prevalidate a policy that you read in from a file or other means.
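The following program ties the two halves of this section together: it builds a policy with the Policy class, runs the resulting JSON back through Policy.fromJson as the pre-validation step described above, and only then calls setBucketPolicy. It is an added example, not code from the guide or the SDK. The bucket name and the account ID are constructed placeholders, and the allowsAnyPrincipal helper is this example's own; it walks the SDK's Policy.getStatements and Statement.getPrincipals to refuse a policy whose Allow statements name the wildcard principal "*" (which is what Principal.AllUsers expands to), so the grant stays scoped to one account instead of becoming public.

```java
import com.amazonaws.AmazonServiceException;
import com.amazonaws.auth.policy.Policy;
import com.amazonaws.auth.policy.Principal;
import com.amazonaws.auth.policy.Resource;
import com.amazonaws.auth.policy.Statement;
import com.amazonaws.auth.policy.actions.S3Actions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;

/**
 * Builds a bucket policy with the Policy class, pre-validates the JSON with
 * Policy.fromJson, rejects wildcard principals, then sets it on the bucket.
 * Added example; not part of the AWS SDK for Java developer guide.
 */
public class SetCheckedBucketPolicy {

    // Constructed placeholders: replace with your bucket and the AWS account
    // that should be allowed to read objects.
    static final String BUCKET_NAME = "example-bucket";
    static final String READER_ACCOUNT_ID = "111122223333";

    /** Read-only policy scoped to one account rather than Principal.AllUsers. */
    static String buildReadOnlyPolicyJson(String bucketName, String accountId) {
        Policy policy = new Policy().withStatements(
                new Statement(Statement.Effect.Allow)
                        .withPrincipals(new Principal(accountId))
                        .withActions(S3Actions.GetObject)
                        .withResources(new Resource(
                                "arn:aws:s3:::" + bucketName + "/*")));
        return policy.toJson();
    }

    /**
     * Hypothetical helper (not an SDK method). Parses policyJson with
     * Policy.fromJson, which throws IllegalArgumentException on malformed
     * text, and returns true if any Allow statement names the "*" principal.
     */
    static boolean allowsAnyPrincipal(String policyJson) {
        Policy parsed = Policy.fromJson(policyJson);
        for (Statement statement : parsed.getStatements()) {
            if (statement.getEffect() != Statement.Effect.Allow) {
                continue;
            }
            for (Principal principal : statement.getPrincipals()) {
                if ("*".equals(principal.getId())) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String policyJson = buildReadOnlyPolicyJson(BUCKET_NAME, READER_ACCOUNT_ID);

        // Pre-validate before touching the bucket: malformed text and
        // public grants are both caught here, not by the service.
        try {
            if (allowsAnyPrincipal(policyJson)) {
                System.err.println("Refusing to set a policy that allows any principal.");
                System.exit(1);
            }
        } catch (IllegalArgumentException e) {
            System.err.println("Policy text is not a valid policy: " + e.getMessage());
            System.exit(1);
        }

        final AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
        try {
            s3.setBucketPolicy(BUCKET_NAME, policyJson);
            System.out.println("Policy set on " + BUCKET_NAME);
        } catch (AmazonServiceException e) {
            System.err.println(e.getErrorMessage());
            System.exit(1);
        }
    }
}
```

The same allowsAnyPrincipal check works unchanged on policy text read from a file, since it only needs the JSON string; swapping the generated policy for file contents gives the file-prevalidation flow described above with the wildcard check added.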

See the complete example.

Get a Bucket Policy

To retrieve the policy for an Amazon S3 bucket, call the AmazonS3 client's getBucketPolicy method, passing it the name of the bucket to get the policy from.

Imports

import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.BucketPolicy;

Code

// bucket_name is supplied by the caller; policy_text receives the JSON document.
final AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
try {
    BucketPolicy bucket_policy = s3.getBucketPolicy(bucket_name);
    policy_text = bucket_policy.getPolicyText();
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}

If the named bucket doesn't exist, if you don't have access to it, or if it has no bucket policy, an AmazonServiceException is thrown.
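The three failure cases above all surface as an AmazonServiceException, so a caller that only prints the message cannot tell "this bucket has no policy" apart from "this bucket does not exist" or "I am not allowed to look". The program below, an added example that is not from the guide or the SDK, separates them by reading the service error code (NoSuchBucketPolicy, NoSuchBucket and AccessDenied are S3's error codes for these conditions) and also treats a null policy text as "no policy" in case the client returns an empty BucketPolicy rather than throwing. The Outcome enum, Result class and fetchPolicy helper are this example's own names; the bucket name is a constructed placeholder.

```java
import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.BucketPolicy;

/**
 * Retrieves a bucket policy and classifies the result so that "no policy",
 * "no such bucket" and "access denied" are handled as distinct outcomes.
 * Added example; not part of the AWS SDK for Java developer guide.
 */
public class GetBucketPolicyChecked {

    /** Hypothetical outcome type for this example. */
    enum Outcome { FOUND, NO_POLICY, NO_SUCH_BUCKET, ACCESS_DENIED, OTHER_ERROR }

    /** Hypothetical result holder: policyText is non-null only for FOUND. */
    static final class Result {
        final Outcome outcome;
        final String policyText;
        final String detail;

        Result(Outcome outcome, String policyText, String detail) {
            this.outcome = outcome;
            this.policyText = policyText;
            this.detail = detail;
        }
    }

    /** Maps the S3 error code carried by the exception to an Outcome. */
    static Outcome classify(String errorCode) {
        if (errorCode == null) {
            return Outcome.OTHER_ERROR;
        }
        switch (errorCode) {
            case "NoSuchBucketPolicy": return Outcome.NO_POLICY;
            case "NoSuchBucket":       return Outcome.NO_SUCH_BUCKET;
            case "AccessDenied":       return Outcome.ACCESS_DENIED;
            default:                   return Outcome.OTHER_ERROR;
        }
    }

    static Result fetchPolicy(AmazonS3 s3, String bucketName) {
        try {
            BucketPolicy policy = s3.getBucketPolicy(bucketName);
            String text = policy.getPolicyText();
            // Defensive: a client that returns an empty BucketPolicy instead
            // of throwing still ends up in the NO_POLICY branch.
            if (text == null) {
                return new Result(Outcome.NO_POLICY, null, null);
            }
            return new Result(Outcome.FOUND, text, null);
        } catch (AmazonServiceException e) {
            return new Result(classify(e.getErrorCode()), null, e.getErrorMessage());
        }
    }

    public static void main(String[] args) {
        // Constructed placeholder bucket name; pass a real one as args[0].
        String bucketName = args.length > 0 ? args[0] : "example-bucket";
        final AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();

        Result result = fetchPolicy(s3, bucketName);
        switch (result.outcome) {
            case FOUND:
                System.out.println("Policy on " + bucketName + ":\n" + result.policyText);
                break;
            case NO_POLICY:
                System.out.println("No bucket policy is attached to " + bucketName + ".");
                break;
            case NO_SUCH_BUCKET:
                System.err.println("Bucket " + bucketName + " does not exist: " + result.detail);
                System.exit(1);
                break;
            case ACCESS_DENIED:
                System.err.println("Not authorized to read the policy of " + bucketName + ": " + result.detail);
                System.exit(1);
                break;
            default:
                System.err.println("Unexpected service error: " + result.detail);
                System.exit(1);
        }
    }
}
```

Keeping the classification in its own method means an audit job that walks many buckets can count "no policy" and "access denied" separately instead of aborting on the first exception.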

See the complete example.

Delete a Bucket Policy

To delete a bucket policy, call the AmazonS3 client's deleteBucketPolicy, providing it with the bucket name.

Imports

import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;

Code

// bucket_name is supplied by the caller.
final AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
try {
    s3.deleteBucketPolicy(bucket_name);
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}

This method succeeds even if the bucket doesn't already have a policy. If you specify a bucket name that doesn't exist or if you don't have access to the bucket, an AmazonServiceException is thrown.

See the complete example.

More Info