Working with Amazon S3 bucket policies - AWS SDK for JavaScript


The AWS SDK for JavaScript V3 API Reference Guide describes in detail all the API operations for the AWS SDK for JavaScript version 3 (V3).

Working with Amazon S3 bucket policies


This Node.js code example shows:

  • How to retrieve the bucket policy of an Amazon S3 bucket.

  • How to add or update the bucket policy of an Amazon S3 bucket.

  • How to delete the bucket policy of an Amazon S3 bucket.

The scenario

In this example, a series of Node.js modules are used to retrieve, set, or delete a bucket policy on an Amazon S3 bucket. The Node.js modules use the SDK for JavaScript to configure the policy for a selected Amazon S3 bucket using these commands, each sent through the Amazon S3 client's send method:

  • GetBucketPolicyCommand

  • PutBucketPolicyCommand

  • DeleteBucketPolicyCommand

For more information about bucket policies for Amazon S3 buckets, see Using bucket policies and user policies in the Amazon Simple Storage Service Developer Guide.

Prerequisite tasks

To set up and run this example, you must first complete these tasks:

Important

These examples demonstrate how to import/export client service objects and commands using ECMAScript 6 (ES6).

Retrieving the current bucket policy

Create a libs directory, and create a Node.js module with the file name s3Client.js. Copy and paste the code below into it, which creates the Amazon S3 client object. Replace REGION with your AWS region.

import { S3Client } from "@aws-sdk/client-s3";
// Set the AWS Region.
const REGION = "REGION"; // e.g. "us-east-1"
// Create an Amazon S3 service client object.
const s3Client = new S3Client({ region: REGION });
export { s3Client };

This code is available here on GitHub.

Create a Node.js module with the file name s3_getbucketpolicy.js. The module takes a single command-line argument that specifies the bucket whose policy you want. Make sure to configure the SDK as previously shown, including installing the required clients and packages.

Import the S3 client object created in libs/s3Client.js. The only parameter you need to pass when sending the GetBucketPolicyCommand is the name of the selected bucket. If the bucket currently has a policy, Amazon S3 returns it in the data object that the send call resolves to; the policy document itself is the JSON string in data.Policy.

If the selected bucket has no policy, the send call rejects with an error (code NoSuchBucketPolicy), which is handled in the catch block.

// Import required AWS SDK clients and commands for Node.js
import { GetBucketPolicyCommand } from "@aws-sdk/client-s3";
import { s3Client } from "./libs/s3Client.js"; // Helper module that creates the Amazon S3 service client.

// Create the parameters for calling GetBucketPolicyCommand.
// Replace BUCKET_NAME with the name of your bucket.
export const bucketParams = { Bucket: "BUCKET_NAME" };

export const run = async () => {
  try {
    const data = await s3Client.send(new GetBucketPolicyCommand(bucketParams));
    // data.Policy holds the bucket policy document as a JSON string.
    console.log("Success", data);
    return data; // For unit tests.
  } catch (err) {
    console.log("Error", err);
  }
};
run();

To run the example, enter the following at the command prompt.

node s3_getbucketpolicy.js

This sample code can be found here on GitHub.

Setting a simple bucket policy

Create a libs directory, and create a Node.js module with the file name s3Client.js. Copy and paste the code below into it, which creates the Amazon S3 client object. Replace REGION with your AWS region.

import { S3Client } from "@aws-sdk/client-s3";
// Set the AWS Region.
const REGION = "REGION"; // e.g. "us-east-1"
// Create an Amazon S3 service client object.
const s3Client = new S3Client({ region: REGION });
export { s3Client };

This code is available here on GitHub.

Create a Node.js module with the file name s3_setbucketpolicy.js. The module takes a single command-line argument that specifies the bucket whose policy you want to apply. Configure the SDK as previously shown, including installing the required clients and packages.

Bucket policies are specified in JSON. First, create a JSON object that contains all of the values to specify the policy except for the Resource value that identifies the bucket.

Format the Resource string required by the policy, incorporating the name of the selected bucket. Insert that string into the JSON object. Prepare the parameters for the PutBucketPolicyCommand method, including the name of the bucket and the JSON policy converted to a string value.

// Import required AWS SDK clients and commands for Node.js
import { PutBucketPolicyCommand } from "@aws-sdk/client-s3";
import { s3Client } from "./libs/s3Client.js"; // Helper module that creates the Amazon S3 service client.

// Set the bucket name. Replace BUCKET_NAME with the name of your bucket.
const BUCKET_NAME = "BUCKET_NAME";
export const bucketParams = { Bucket: BUCKET_NAME };

// Create the policy. The Resource entry is filled in below from the bucket name.
const readOnlyAnonUserPolicy = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "AddPerm",
      Effect: "Allow",
      Principal: "*",
      Action: ["s3:GetObject"],
      Resource: [""],
    },
  ],
};

// Create the selected bucket's resource string for the bucket policy.
const bucketResource = "arn:aws:s3:::" + BUCKET_NAME + "/*";
readOnlyAnonUserPolicy.Statement[0].Resource[0] = bucketResource;

// Convert the policy JSON into a string and assign it into the params.
const bucketPolicyParams = {
  Bucket: BUCKET_NAME,
  Policy: JSON.stringify(readOnlyAnonUserPolicy),
};

export const run = async () => {
  try {
    const response = await s3Client.send(
      new PutBucketPolicyCommand(bucketPolicyParams)
    );
    console.log("Success, permissions added to bucket", response);
    return response; // For unit tests.
  } catch (err) {
    console.log("Error", err);
  }
};
run();

To run the example, enter the following at the command prompt.

node s3_setbucketpolicy.js

This sample code can be found here on GitHub.
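The retrieval section above returns the policy as a JSON string in data.Policy, and the setting section builds a policy whose Principal is "*". The following helpers are an added example, not code from the AWS documentation: they parse a returned policy string, flag Allow statements that any principal can use, and build the same read-only policy scoped to one IAM principal instead of "*". The sample policy string, bucket name and principal ARN are constructed values.

```javascript
// Added example (not from the AWS docs): inspect a policy string as returned by
// GetBucketPolicyCommand and build a non-anonymous policy for PutBucketPolicyCommand.
// Pure functions with no SDK call, so this runs offline.

// Parse the Policy field (a JSON string) into an object.
function parsePolicy(policyString) {
  const policy = JSON.parse(policyString);
  // Statement may be a single object or an array; normalise to an array.
  if (!Array.isArray(policy.Statement)) policy.Statement = [policy.Statement];
  return policy;
}

// True when a Principal value grants access to everyone (anonymous access).
function isAnonymousPrincipal(principal) {
  if (principal === "*") return true;
  if (principal && typeof principal === "object") {
    const aws = principal.AWS;
    return aws === "*" || (Array.isArray(aws) && aws.includes("*"));
  }
  return false;
}

// Return the Sids of Allow statements open to any principal and not narrowed by
// a Condition; this is the shape that S3 Block Public Access rejects.
function findPublicStatements(policy) {
  return policy.Statement
    .filter((s) => s.Effect === "Allow" && isAnonymousPrincipal(s.Principal) && !s.Condition)
    .map((s) => s.Sid ?? "(no Sid)");
}

// Build the page's read-only policy for one IAM principal instead of "*".
function buildReadPolicy(bucketName, principalArn) {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "ReadObjectsForPrincipal",
        Effect: "Allow",
        Principal: { AWS: principalArn },
        Action: ["s3:GetObject"],
        Resource: [`arn:aws:s3:::${bucketName}/*`],
      },
    ],
  };
}

// Constructed sample: the page's anonymous-read policy as GetBucketPolicy would return it.
const SAMPLE_POLICY_STRING = JSON.stringify({
  Version: "2012-10-17",
  Statement: { Sid: "AddPerm", Effect: "Allow", Principal: "*", Action: ["s3:GetObject"], Resource: ["arn:aws:s3:::example-bucket/*"] },
});
```

findPublicStatements flags the page's readOnlyAnonUserPolicy because Principal "*" grants anonymous read of every object in the bucket; on a bucket with Block Public Access enabled (the default for new buckets), PutBucketPolicyCommand rejects such a policy with AccessDenied.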

Deleting a bucket policy

Create a libs directory, and create a Node.js module with the file name s3Client.js. Copy and paste the code below into it, which creates the Amazon S3 client object. Replace REGION with your AWS region.

import { S3Client } from "@aws-sdk/client-s3";
// Set the AWS Region.
const REGION = "REGION"; // e.g. "us-east-1"
// Create an Amazon S3 service client object.
const s3Client = new S3Client({ region: REGION });
export { s3Client };

This code is available here on GitHub.

Create a Node.js module with the file name s3_deletebucketpolicy.js. The module takes a single command-line argument that specifies the bucket whose policy you want to delete. Configure the SDK as previously shown, including installing the required clients and packages.

The only parameter you need to pass when sending the DeleteBucketPolicyCommand is the name of the selected bucket.

// Import required AWS SDK clients and commands for Node.js
import { DeleteBucketPolicyCommand } from "@aws-sdk/client-s3";
import { s3Client } from "./libs/s3Client.js"; // Helper module that creates the Amazon S3 service client.

// Set the bucket parameters. Replace BUCKET_NAME with the name of your bucket.
export const bucketParams = { Bucket: "BUCKET_NAME" };

export const run = async () => {
  try {
    const data = await s3Client.send(new DeleteBucketPolicyCommand(bucketParams));
    console.log("Success, bucket policy deleted", data);
    return data; // For unit tests.
  } catch (err) {
    console.log("Error", err);
  }
};
// Invoke run() so these examples run out of the box.
run();

To run the example, enter the following at the command prompt.

node s3_deletebucketpolicy.js

This sample code can be found here on GitHub.