Managing Access to Amazon S3 Buckets Using Bucket Policies - AWS SDK for C++

Managing Access to Amazon S3 Buckets Using Bucket Policies

You can set, get, or delete a bucket policy to manage access to your Amazon S3 buckets.

Prerequisites

Before you begin, we recommend you read Getting started using the AWS SDK for C++.

Download the example code and build the solution as described in Get started on code examples.

To run the examples, the user profile your code uses to make the requests must have proper permissions in AWS (for the service and the action). For more information, see Providing AWS credentials.

Set a Bucket Policy

You can set the bucket policy for a particular S3 bucket by calling the S3Client’s PutBucketPolicy function and providing it with the bucket name and policy’s JSON representation in a PutBucketPolicyRequest.

Code

//! Build a policy JSON string. /*! \param userArn: Aws user Amazon Resource Name (ARN). For more information, see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns. \param bucketName: Name of a bucket. \return String: Policy as JSON string. */ Aws::String getPolicyString(const Aws::String &userArn, const Aws::String &bucketName) { return "{\n" " \"Version\":\"2012-10-17\",\n" " \"Statement\":[\n" " {\n" " \"Sid\": \"1\",\n" " \"Effect\": \"Allow\",\n" " \"Principal\": {\n" " \"AWS\": \"" + userArn + "\"\n"" },\n" " \"Action\": [ \"s3:getObject\" ],\n" " \"Resource\": [ \"arn:aws:s3:::" + bucketName + "/*\" ]\n" " }\n" " ]\n" "}"; }
bool AwsDoc::S3::putBucketPolicy(const Aws::String &bucketName, const Aws::String &policyBody, const Aws::S3::S3ClientConfiguration &clientConfig) { Aws::S3::S3Client s3Client(clientConfig); std::shared_ptr<Aws::StringStream> request_body = Aws::MakeShared<Aws::StringStream>(""); *request_body << policyBody; Aws::S3::Model::PutBucketPolicyRequest request; request.SetBucket(bucketName); request.SetBody(request_body); Aws::S3::Model::PutBucketPolicyOutcome outcome = s3Client.PutBucketPolicy(request); if (!outcome.IsSuccess()) { std::cerr << "Error: putBucketPolicy: " << outcome.GetError().GetMessage() << std::endl; } else { std::cout << "Set the following policy body for the bucket '" << bucketName << "':" << std::endl << std::endl; std::cout << policyBody << std::endl; } return outcome.IsSuccess(); }
Note

The Aws::Utils::Json::JsonValue utility class can be used to help you construct valid JSON objects to pass to PutBucketPolicy.

See the complete example on Github.

Get a Bucket Policy

To retrieve the policy for an Amazon S3 bucket, call the S3Client’s GetBucketPolicy function, passing it the name of the bucket in a GetBucketPolicyRequest.

Code

bool AwsDoc::S3::getBucketPolicy(const Aws::String &bucketName, const Aws::S3::S3ClientConfiguration &clientConfig) { Aws::S3::S3Client s3Client(clientConfig); Aws::S3::Model::GetBucketPolicyRequest request; request.SetBucket(bucketName); Aws::S3::Model::GetBucketPolicyOutcome outcome = s3Client.GetBucketPolicy(request); if (!outcome.IsSuccess()) { const Aws::S3::S3Error &err = outcome.GetError(); std::cerr << "Error: getBucketPolicy: " << err.GetExceptionName() << ": " << err.GetMessage() << std::endl; } else { Aws::StringStream policy_stream; Aws::String line; outcome.GetResult().GetPolicy() >> line; policy_stream << line; std::cout << "Retrieve the policy for bucket '" << bucketName << "':\n\n" << policy_stream.str() << std::endl; } return outcome.IsSuccess(); }

See the complete example on Github.

Delete a Bucket Policy

To delete a bucket policy, call the S3Client’s DeleteBucketPolicy function, providing it with the bucket name in a DeleteBucketPolicyRequest.

Code

bool AwsDoc::S3::deleteBucketPolicy(const Aws::String &bucketName, const Aws::S3::S3ClientConfiguration &clientConfig) { Aws::S3::S3Client client(clientConfig); Aws::S3::Model::DeleteBucketPolicyRequest request; request.SetBucket(bucketName); Aws::S3::Model::DeleteBucketPolicyOutcome outcome = client.DeleteBucketPolicy(request); if (!outcome.IsSuccess()) { const Aws::S3::S3Error &err = outcome.GetError(); std::cerr << "Error: deleteBucketPolicy: " << err.GetExceptionName() << ": " << err.GetMessage() << std::endl; } else { std::cout << "Policy was deleted from the bucket." << std::endl; } return outcome.IsSuccess(); }

This function succeeds even if the bucket doesn’t already have a policy. If you specify a bucket name that doesn’t exist or if you don’t have access to the bucket, an AmazonServiceException is thrown.

See the complete example on Github.

More Info