Interface IBucket

Inherited Members

IResource.Env

IResource.Stack

IConstruct.Node

Namespace: Amazon.CDK.AWS.S3

Assembly: Amazon.CDK.AWS.S3.dll

Syntax (csharp)

public interface IBucket : IResource, IConstruct, IConstruct, IDependable

Syntax (vb)

Public Interface IBucket
    Inherits IResource, IConstruct, IConstruct, IDependable

Synopsis

Properties

BucketArn	The ARN of the bucket.
BucketDomainName	The IPv4 DNS name of the specified bucket.
BucketDualStackDomainName	The IPv6 DNS name of the specified bucket.
BucketName	The name of the bucket.
BucketRegionalDomainName	The regional domain name of the specified bucket.
BucketWebsiteDomainName	The Domain name of the static website.
BucketWebsiteUrl	The URL of the static website.
EncryptionKey	Optional KMS encryption key associated with this bucket.
IsWebsite	If this bucket has been configured for static website hosting.
Policy	The resource policy associated with this bucket.

Methods

AddToResourcePolicy(PolicyStatement)	Adds a statement to the resource policy for a principal (i.e. account/role/service) to perform actions on this bucket and/or it's contents. Use bucketArn and arnForObjects(keys) to obtain ARNs for this bucket or objects.
ArnForObjects(String)	Returns an ARN that represents all objects within the bucket that match the key pattern specified.
GrantDelete(IGrantable, Object)	Grants s3:DeleteObject* permission to an IAM pricipal for objects in this bucket.
GrantPublicAccess(String, String[])	Allows unrestricted access to objects from this bucket.
GrantPut(IGrantable, Object)	Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.
GrantPutAcl(IGrantable, String)	Grant the given IAM identity permissions to modify the ACLs of objects in the given Bucket.
GrantRead(IGrantable, Object)	Grant read permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
GrantReadWrite(IGrantable, Object)	Grants read/write permissions for this bucket and it's contents to an IAM principal (Role/Group/User).
GrantWrite(IGrantable, Object)	Grant write permissions to this bucket to an IAM principal.
OnCloudTrailEvent(String, IOnCloudTrailBucketEventOptions)	Defines a CloudWatch event that triggers when something happens to this bucket.
OnCloudTrailPutObject(String, IOnCloudTrailBucketEventOptions)	Defines an AWS CloudWatch event that triggers when an object is uploaded to the specified paths (keys) in this bucket using the PutObject API call.
OnCloudTrailWriteObject(String, IOnCloudTrailBucketEventOptions)	Defines an AWS CloudWatch event that triggers when an object at the specified paths (keys) in this bucket are written to.
S3UrlForObject(String)	The S3 URL of an S3 object.
UrlForObject(String)	The https URL of an S3 object.
VirtualHostedUrlForObject(String, IVirtualHostedStyleUrlOptions)	The virtual hosted-style URL of an S3 object.

Properties

BucketArn

The ARN of the bucket.

string BucketArn { get; }

Property Value

System.String

Remarks

Attribute: true

BucketDomainName

The IPv4 DNS name of the specified bucket.

string BucketDomainName { get; }

Property Value

System.String

Remarks

Attribute: true

BucketDualStackDomainName

The IPv6 DNS name of the specified bucket.

string BucketDualStackDomainName { get; }

Property Value

System.String

Remarks

Attribute: true

BucketName

The name of the bucket.

string BucketName { get; }

Property Value

System.String

Remarks

Attribute: true

BucketRegionalDomainName

The regional domain name of the specified bucket.

string BucketRegionalDomainName { get; }

Property Value

System.String

Remarks

Attribute: true

BucketWebsiteDomainName

The Domain name of the static website.

string BucketWebsiteDomainName { get; }

Property Value

System.String

Remarks

Attribute: true

BucketWebsiteUrl

The URL of the static website.

string BucketWebsiteUrl { get; }

Property Value

System.String

Remarks

Attribute: true

EncryptionKey

Optional KMS encryption key associated with this bucket.

virtual IKey EncryptionKey { get; }

Property Value

IKey

IsWebsite

If this bucket has been configured for static website hosting.

virtual Nullable<bool> IsWebsite { get; }

Property Value

System.Nullable<System.Boolean>

Policy

The resource policy associated with this bucket.

virtual BucketPolicy Policy { get; set; }

Property Value

BucketPolicy

Remarks

If autoCreatePolicy is true, a BucketPolicy will be created upon the first call to addToResourcePolicy(s).

Methods

AddToResourcePolicy(PolicyStatement)

Adds a statement to the resource policy for a principal (i.e. account/role/service) to perform actions on this bucket and/or it's contents. Use bucketArn and arnForObjects(keys) to obtain ARNs for this bucket or objects.

IAddToResourcePolicyResult AddToResourcePolicy(PolicyStatement permission)

Parameters

permission PolicyStatement

Returns

IAddToResourcePolicyResult

ArnForObjects(String)

Returns an ARN that represents all objects within the bucket that match the key pattern specified.

string ArnForObjects(string keyPattern)

Parameters

keyPattern System.String

Returns

System.String

Remarks

To represent all keys, specify "*".

GrantDelete(IGrantable, Object)

Grants s3:DeleteObject* permission to an IAM pricipal for objects in this bucket.

Grant GrantDelete(IGrantable identity, object objectsKeyPattern = null)

Parameters

identity IGrantable

The principal.

objectsKeyPattern System.Object

Restrict the permission to a certain key pattern (default '*').

Returns

Grant

GrantPublicAccess(String, String[])

Allows unrestricted access to objects from this bucket.

Grant GrantPublicAccess(string keyPrefix = null, params string[] allowedActions)

Parameters

keyPrefix System.String

the prefix of S3 object keys (e.g. home/*). Default is "*".

allowedActions System.String[]

the set of S3 actions to allow.

Returns

Grant

The iam.PolicyStatement object, which can be used to apply e.g. conditions.

Remarks

IMPORTANT: This permission allows anyone to perform actions on S3 objects in this bucket, which is useful for when you configure your bucket as a website and want everyone to be able to read objects in the bucket without needing to authenticate.

Without arguments, this method will grant read ("s3:GetObject") access to all objects ("*") in the bucket.

The method returns the iam.Grant object, which can then be modified as needed. For example, you can add a condition that will restrict access only to an IPv4 range like this:

 const grant = bucket.grantPublicAccess();
 grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” });

GrantPut(IGrantable, Object)

Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.

Grant GrantPut(IGrantable identity, object objectsKeyPattern = null)

Parameters

identity IGrantable

The principal.

objectsKeyPattern System.Object

Restrict the permission to a certain key pattern (default '*').

Returns

Grant

Remarks

If encryption is used, permission to use the key to encrypt the contents of written files will also be granted to the same principal.

GrantPutAcl(IGrantable, String)

Grant the given IAM identity permissions to modify the ACLs of objects in the given Bucket.

Grant GrantPutAcl(IGrantable identity, string objectsKeyPattern = null)

Parameters

identity IGrantable

The principal.

objectsKeyPattern System.String

Restrict the permission to a certain key pattern (default '*').

Returns

Grant

Remarks

If your application has the '@aws-cdk/aws-s3:grantWriteWithoutAcl&apos; feature flag set, calling {@link grantWrite} or {@link grantReadWrite} no longer grants permissions to modify the ACLs of the objects; in this case, if you need to modify object ACLs, call this method explicitly.

GrantRead(IGrantable, Object)

Grant read permissions for this bucket and it's contents to an IAM principal (Role/Group/User).

Grant GrantRead(IGrantable identity, object objectsKeyPattern = null)

Parameters

identity IGrantable

The principal.

objectsKeyPattern System.Object

Restrict the permission to a certain key pattern (default '*').

Returns

Grant

Remarks

If encryption is used, permission to use the key to decrypt the contents of the bucket will also be granted to the same principal.

GrantReadWrite(IGrantable, Object)

Grants read/write permissions for this bucket and it's contents to an IAM principal (Role/Group/User).

Grant GrantReadWrite(IGrantable identity, object objectsKeyPattern = null)

Parameters

identity IGrantable

The principal.

objectsKeyPattern System.Object

Restrict the permission to a certain key pattern (default '*').

Returns

Grant

Remarks

If an encryption key is used, permission to use the key for encrypt/decrypt will also be granted.

Before CDK version 1.85.0, this method granted the s3:PutObject* permission that included s3:PutObjectAcl, which could be used to grant read/write object access to IAM principals in other accounts. If you want to get rid of that behavior, update your CDK version to 1.85.0 or later, and make sure the @aws-cdk/aws-s3:grantWriteWithoutAcl feature flag is set to true in the context key of your cdk.json file. If you've already updated, but still need the principal to have permissions to modify the ACLs, use the {@link grantPutAcl} method.

GrantWrite(IGrantable, Object)

Grant write permissions to this bucket to an IAM principal.

Grant GrantWrite(IGrantable identity, object objectsKeyPattern = null)

Parameters

identity IGrantable

The principal.

objectsKeyPattern System.Object

Restrict the permission to a certain key pattern (default '*').

Returns

Grant

Remarks

If encryption is used, permission to use the key to encrypt the contents of written files will also be granted to the same principal.

Before CDK version 1.85.0, this method granted the s3:PutObject* permission that included s3:PutObjectAcl, which could be used to grant read/write object access to IAM principals in other accounts. If you want to get rid of that behavior, update your CDK version to 1.85.0 or later, and make sure the @aws-cdk/aws-s3:grantWriteWithoutAcl feature flag is set to true in the context key of your cdk.json file. If you've already updated, but still need the principal to have permissions to modify the ACLs, use the {@link grantPutAcl} method.

OnCloudTrailEvent(String, IOnCloudTrailBucketEventOptions)

Defines a CloudWatch event that triggers when something happens to this bucket.

Rule OnCloudTrailEvent(string id, IOnCloudTrailBucketEventOptions options = null)

Parameters

id System.String

The id of the rule.

options IOnCloudTrailBucketEventOptions

Options for adding the rule.

Returns

Rule

Remarks

Requires that there exists at least one CloudTrail Trail in your account that captures the event. This method will not create the Trail.

OnCloudTrailPutObject(String, IOnCloudTrailBucketEventOptions)

Defines an AWS CloudWatch event that triggers when an object is uploaded to the specified paths (keys) in this bucket using the PutObject API call.

Rule OnCloudTrailPutObject(string id, IOnCloudTrailBucketEventOptions options = null)

Parameters

id System.String

The id of the rule.

options IOnCloudTrailBucketEventOptions

Options for adding the rule.

Returns

Rule

Remarks

Note that some tools like aws s3 cp will automatically use either PutObject or the multipart upload API depending on the file size, so using onCloudTrailWriteObject may be preferable.

Requires that there exists at least one CloudTrail Trail in your account that captures the event. This method will not create the Trail.

OnCloudTrailWriteObject(String, IOnCloudTrailBucketEventOptions)

Defines an AWS CloudWatch event that triggers when an object at the specified paths (keys) in this bucket are written to.

Rule OnCloudTrailWriteObject(string id, IOnCloudTrailBucketEventOptions options = null)

Parameters

id System.String

The id of the rule.

options IOnCloudTrailBucketEventOptions

Options for adding the rule.

Returns

Rule

Remarks

This includes the events PutObject, CopyObject, and CompleteMultipartUpload.

Note that some tools like aws s3 cp will automatically use either PutObject or the multipart upload API depending on the file size, so using this method may be preferable to onCloudTrailPutObject.

Requires that there exists at least one CloudTrail Trail in your account that captures the event. This method will not create the Trail.

S3UrlForObject(String)

The S3 URL of an S3 object.

string S3UrlForObject(string key = null)

Parameters

key System.String

The S3 key of the object.

Returns

System.String

an ObjectS3Url token

Remarks

For example:

Examples

// Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
s3:

UrlForObject(String)

The https URL of an S3 object.

string UrlForObject(string key = null)

Parameters

key System.String

The S3 key of the object.

Returns

System.String

an ObjectS3Url token

Remarks

For example:

Examples

// Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
https:

VirtualHostedUrlForObject(String, IVirtualHostedStyleUrlOptions)

The virtual hosted-style URL of an S3 object.

string VirtualHostedUrlForObject(string key = null, IVirtualHostedStyleUrlOptions options = null)

Parameters

key System.String

The S3 key of the object.

options IVirtualHostedStyleUrlOptions

Options for generating URL.

Returns

System.String

an ObjectS3Url token

Remarks

Specify regional: false at the options for non-regional URL. For example:

Examples

// Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
https: