CreateAccessGrantsInstance - Amazon Simple Storage Service


Creates an S3 Access Grants instance, which serves as a logical grouping for access grants. You can create one S3 Access Grants instance per Region per account.


You must have the s3:CreateAccessGrantsInstance permission to use this operation.

Additional Permissions

To associate an IAM Identity Center instance with your S3 Access Grants instance, you must also have the sso:DescribeInstance, sso:CreateApplication, sso:PutApplicationGrant, and sso:PutApplicationAuthenticationMethod permissions.

Request Syntax

POST /v20180820/accessgrantsinstance HTTP/1.1
Host:
x-amz-account-id: AccountId

<?xml version="1.0" encoding="UTF-8"?>
<CreateAccessGrantsInstanceRequest xmlns="">
   <IdentityCenterArn>string</IdentityCenterArn>
   <Tags>
      <Tag>
         <Key>string</Key>
         <Value>string</Value>
      </Tag>
   </Tags>
</CreateAccessGrantsInstanceRequest>

URI Request Parameters

The request uses the following URI parameters.


x-amz-account-id

The ID of the AWS account that is making this request.

Length Constraints: Maximum length of 64.

Pattern: ^\d{12}$

Required: Yes

Request Body

The request accepts the following data in XML format.


Root level tag for the CreateAccessGrantsInstanceRequest parameters.

Required: Yes


IdentityCenterArn

If you would like to associate your S3 Access Grants instance with an AWS IAM Identity Center instance, use this field to pass the Amazon Resource Name (ARN) of the AWS IAM Identity Center instance that you are associating with your S3 Access Grants instance. An IAM Identity Center instance is your corporate identity directory that you added to the IAM Identity Center. You can use the ListInstances API operation to retrieve a list of your Identity Center instances and their ARNs.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:[^:]+:sso::(\d{12}){0,1}:instance/.*$

Required: No


Tags

The AWS resource tags that you are adding to the S3 Access Grants instance. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources.

Type: Array of Tag data types

Array Members: Minimum number of 0 items. Maximum number of 50 items.

Required: No

Response Syntax

HTTP/1.1 200

<?xml version="1.0" encoding="UTF-8"?>
<CreateAccessGrantsInstanceResult>
   <CreatedAt>timestamp</CreatedAt>
   <AccessGrantsInstanceId>string</AccessGrantsInstanceId>
   <AccessGrantsInstanceArn>string</AccessGrantsInstanceArn>
   <IdentityCenterArn>string</IdentityCenterArn>
</CreateAccessGrantsInstanceResult>

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in XML format by the service.


Root level tag for the CreateAccessGrantsInstanceResult parameters.

Required: Yes


AccessGrantsInstanceArn

The Amazon Resource Name (ARN) of the S3 Access Grants instance.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Pattern: arn:[a-z\-]+:s3:[a-z0-9\-]+:\d{12}:access\-grants\/[a-zA-Z0-9\-]+


AccessGrantsInstanceId

The ID of the S3 Access Grants instance. The ID is default. You can have one S3 Access Grants instance per Region per account.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 64.

Pattern: [a-zA-Z0-9\-]+


CreatedAt

The date and time when you created the S3 Access Grants instance.

Type: Timestamp


IdentityCenterArn

If you associated your S3 Access Grants instance with an AWS IAM Identity Center instance, this field returns the Amazon Resource Name (ARN) of the IAM Identity Center instance application, a subresource of the original Identity Center instance passed in the request. S3 Access Grants creates this Identity Center application for this specific S3 Access Grants instance.

Type: String

Length Constraints: Minimum length of 10. Maximum length of 1224.

Pattern: arn:[^:]+:sso::(\d{12}){0,1}:instance/.*$
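The following is an added example, not part of the AWS documentation: a client-side pre-flight check that enforces the patterns and limits listed on this page before the request is sent, and validates the ARN in the response. The function names build_request and parse_response, the sample values, and the check that the returned ARN carries the caller's account ID are assumptions; the Host value and XML namespace are omitted because this page does not show them.

```python
import re
import xml.etree.ElementTree as ET

# Patterns and limits as documented on this page; re.ASCII restricts \d to 0-9.
ACCOUNT_ID = re.compile(r"^\d{12}$", re.ASCII)
IDC_ARN = re.compile(r"arn:[^:]+:sso::(\d{12}){0,1}:instance/.*$", re.ASCII)
INSTANCE_ARN = re.compile(
    r"arn:[a-z\-]+:s3:[a-z0-9\-]+:\d{12}:access\-grants\/[a-zA-Z0-9\-]+", re.ASCII)
MAX_TAGS = 50
# Constructed sample response (placeholder account ID and timestamp).
SAMPLE_RESPONSE = (
    "<CreateAccessGrantsInstanceResult><CreatedAt>2024-01-01T00:00:00Z</CreatedAt>"
    "<AccessGrantsInstanceId>default</AccessGrantsInstanceId>"
    "<AccessGrantsInstanceArn>arn:aws:s3:us-east-2:111122223333:access-grants/default"
    "</AccessGrantsInstanceArn></CreateAccessGrantsInstanceResult>")


def build_request(account_id, identity_center_arn=None, tags=None):
    """Return (headers, xml_body) for the POST, or raise ValueError."""
    if not ACCOUNT_ID.fullmatch(account_id):  # fullmatch rejects a trailing newline
        raise ValueError("x-amz-account-id must be exactly 12 digits")
    tags = tags or {}
    if len(tags) > MAX_TAGS:
        raise ValueError("at most 50 tags are allowed")
    root = ET.Element("CreateAccessGrantsInstanceRequest")
    if identity_center_arn is not None:
        ok = 10 <= len(identity_center_arn) <= 1224 and IDC_ARN.fullmatch(identity_center_arn)
        if not ok:
            raise ValueError("IdentityCenterArn does not match the documented pattern")
        ET.SubElement(root, "IdentityCenterArn").text = identity_center_arn
    if tags:
        # ElementTree escapes <, > and & in text, so tag values cannot alter the XML.
        tags_el = ET.SubElement(root, "Tags")
        for key, value in tags.items():
            tag = ET.SubElement(tags_el, "Tag")
            ET.SubElement(tag, "Key").text = key
            ET.SubElement(tag, "Value").text = value
    return {"x-amz-account-id": account_id}, ET.tostring(root, encoding="unicode")


def parse_response(xml_text, expected_account):
    """Parse CreateAccessGrantsInstanceResult and check the returned instance ARN."""
    result = {child.tag: child.text for child in ET.fromstring(xml_text)}
    arn = result.get("AccessGrantsInstanceArn") or ""
    if not INSTANCE_ARN.fullmatch(arn):
        raise ValueError("unexpected AccessGrantsInstanceArn format")
    if arn.split(":")[4] != expected_account:  # assumption: ARN account == caller
        raise ValueError("instance ARN belongs to a different account")
    return result
```
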
