Creating an Amazon S3 Bucket Policy with Ruby
This example demonstrates how to use the AWS SDK for Ruby to:
- Create a bucket in Amazon Simple Storage Service (Amazon S3).
- Define a bucket policy.
- Add the policy to the bucket.
- Change the policy.
- Remove the policy from the bucket.
- Delete the bucket.
For the complete code for this example, see Complete Example.
Prerequisites
To set up and run this example, you must first:
- Install the AWS SDK for Ruby. For more information, see Installing the AWS SDK for Ruby.
- Set the AWS access credentials that the AWS SDK for Ruby will use to verify your access to AWS services and resources. For more information, see Configuring the AWS SDK for Ruby.
Be sure the AWS credentials map to an AWS Identity and Access Management (IAM) entity with access to the AWS actions and resources described in this example.
This example assumes you have set the credentials in the AWS credentials profile file or in the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables on your local system.
Configure the SDK
To configure the SDK for this example, add a require statement so you can use the classes and methods provided by the AWS SDK for Ruby for Amazon S3. Then create an Aws::S3::Client object in the AWS Region where you want to create the bucket. This code creates the Aws::S3::Client object in the us-west-2 region.
require 'aws-sdk-s3' # v2: require 'aws-sdk'
s3 = Aws::S3::Client.new(region: "us-west-2")
Create a Bucket
Call the create_bucket method, specifying the bucket's name. This code uses a variable named bucket to represent the bucket's name. Substitute example-bucket-name for your bucket's name.
Note
Bucket names must be unique across Amazon S3—not just unique to your AWS account. If you already have a bucket you want to use, you don't have to call create_bucket.
bucket = "example-bucket-name"
s3.create_bucket(bucket: bucket)
Define a Bucket Policy
Declare a Ruby hash that represents the policy. Then call the to_json method on the hash to convert it to a JSON string. This code uses a variable named policy that contains the policy definition. This policy allows the specified user to have full control over the example-bucket-name bucket (represented by #{bucket}). Substitute arn:aws:iam::111122223333:user/Alice with the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) user you want to use.
policy = {
  "Version" => "2012-10-17",
  "Statement" => [
    {
      "Effect" => "Allow",
      "Principal" => {
        "AWS" => [
          "arn:aws:iam::111122223333:user/Alice"
        ]
      },
      "Action" => "s3:*",
      "Resource" => [
        "arn:aws:s3:::#{bucket}"
      ]
    }
  ]
}.to_json
For examples of the types of policies you can define, see Bucket Policy Examples in the Amazon S3 Developer Guide.
Add the Policy to the Bucket
Call the put_bucket_policy method, specifying the name of the bucket and the policy definition.
s3.put_bucket_policy(
  bucket: bucket,
  policy: policy
)
Change the Policy
You can call the put_bucket_policy method again with a complete replacement policy. However, you can also make incremental updates to an existing policy, which can reduce the amount of code you need to write. To do this, retrieve the current policy by calling the get_bucket_policy method. The policy is returned as an IO-like object, so call read on it to get the JSON string. Next, parse the JSON string into a Ruby hash. Then make your incremental changes to the policy. For example, this code changes the ARN of the IAM entity in the first statement. After you make your changes, call the put_bucket_policy method again.
Be sure to call the to_json method on the hash to convert it back to a JSON string before applying the changed policy to the bucket.
require 'json' # JSON is already loaded by the SDK; the explicit require documents the dependency
policy_string = s3.get_bucket_policy(bucket: bucket).policy.read
policy_json = JSON.parse(policy_string)
policy_json["Statement"][0]["Principal"]["AWS"] = "arn:aws:iam::111122223333:root"
s3.put_bucket_policy(
  bucket: bucket,
  policy: policy_json.to_json
)
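The parse-modify-serialize cycle above is the part of the page that runs without talking to AWS, so it is worth exercising on its own. The following Ruby is an added example, not code from the AWS SDK for Ruby documentation: it builds the same policy shape as the Define a Bucket Policy section, performs the incremental principal change from the Change the Policy section, and adds a pre-put check that refuses to serialize a policy whose Allow statement names a wildcard principal. The Sid value, the function names, and the wildcard check are assumptions introduced here; the page selects the statement by index and has no such check. The resulting JSON string is what you would pass as the policy: argument to put_bucket_policy.

```ruby
require 'json'

# Build the bucket policy from the page as a Ruby hash.
# The "Sid" is an addition so that statements can be located by name
# instead of by array index when the policy is later edited.
def build_bucket_policy(bucket, principal_arn)
  {
    "Version" => "2012-10-17",
    "Statement" => [
      {
        "Sid" => "FullControlForPrincipal", # hypothetical Sid, not on the page
        "Effect" => "Allow",
        "Principal" => { "AWS" => [principal_arn] },
        "Action" => "s3:*",
        "Resource" => ["arn:aws:s3:::#{bucket}"]
      }
    ]
  }
end

# Incremental update, as in the Change the Policy section: parse the JSON
# returned by get_bucket_policy, edit one statement, and serialize it again.
# IAM accepts Principal "AWS" as either a string or an array, so both
# shapes are preserved rather than assuming the array form the page uses.
def replace_principal(policy_string, sid, new_arn)
  policy = JSON.parse(policy_string)
  stmt = policy["Statement"].find { |s| s["Sid"] == sid }
  raise ArgumentError, "no statement with Sid #{sid.inspect}" unless stmt
  current = stmt["Principal"]["AWS"]
  stmt["Principal"]["AWS"] = current.is_a?(Array) ? [new_arn] : new_arn
  policy.to_json
end

# Return the Allow statements that grant access to an anonymous or wildcard
# principal ("*" either as the whole Principal or inside "AWS").
def wildcard_principal_statements(policy_string)
  policy = JSON.parse(policy_string)
  policy["Statement"].select do |s|
    next false unless s["Effect"] == "Allow"
    principal = s["Principal"]
    principal == "*" ||
      (principal.is_a?(Hash) && Array(principal["AWS"]).include?("*"))
  end
end

# Guard to run before put_bucket_policy: raise instead of applying a policy
# that opens the bucket to everyone.
def checked_policy_json(policy_string)
  bad = wildcard_principal_statements(policy_string)
  raise ArgumentError, "policy grants access to a wildcard principal" unless bad.empty?
  policy_string
end

if __FILE__ == $PROGRAM_NAME
  bucket = "example-bucket-name"
  original = build_bucket_policy(bucket, "arn:aws:iam::111122223333:user/Alice").to_json
  updated = replace_principal(original, "FullControlForPrincipal",
                              "arn:aws:iam::111122223333:root")
  puts checked_policy_json(updated)
end
```

In the page's flow, original stands in for the string returned by get_bucket_policy(...).policy.read, and checked_policy_json(updated) is what you would hand to put_bucket_policy. The wildcard check is deliberately narrow: it catches the single most common mistake (an Allow to "*") and nothing else, so it is a guard, not a substitute for reviewing the policy.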
Clean Up
To remove the policy from the bucket, call the delete_bucket_policy method, specifying the name of the bucket. To delete the bucket, call the delete_bucket method, specifying the name of the bucket.
s3.delete_bucket_policy(bucket: bucket)
s3.delete_bucket(bucket: bucket)
Complete Example
Here is the complete code for this example.
require 'aws-sdk-s3' # v2: require 'aws-sdk'
require 'json'

s3 = Aws::S3::Client.new(region: "us-west-2")

bucket = "example-bucket-name"
s3.create_bucket(bucket: bucket)

policy = {
  "Version" => "2012-10-17",
  "Statement" => [
    {
      "Effect" => "Allow",
      "Principal" => {
        "AWS" => [
          "arn:aws:iam::111122223333:user/Alice"
        ]
      },
      "Action" => "s3:*",
      "Resource" => [
        "arn:aws:s3:::#{bucket}"
      ]
    }
  ]
}.to_json

s3.put_bucket_policy(
  bucket: bucket,
  policy: policy
)

policy_string = s3.get_bucket_policy(bucket: bucket).policy.read
policy_json = JSON.parse(policy_string)
policy_json["Statement"][0]["Principal"]["AWS"] = "arn:aws:iam::111122223333:root"
s3.put_bucket_policy(
  bucket: bucket,
  policy: policy_json.to_json
)

s3.delete_bucket_policy(bucket: bucket)
s3.delete_bucket(bucket: bucket)