AWS SDK for Ruby
Developer Guide

Creating an Amazon S3 Bucket Policy with Ruby

This example demonstrates how to use the AWS SDK for Ruby to:

  1. Create a bucket in Amazon Simple Storage Service (Amazon S3).

  2. Define a bucket policy.

  3. Add the policy to the bucket.

  4. Change the policy.

  5. Remove the policy from the bucket.

  6. Delete the bucket.

For the complete code for this example, see Complete Example.

Prerequisites

To set up and run this example, you must first:

  1. Install the AWS SDK for Ruby. For more information, see Installing the AWS SDK for Ruby.

  2. Set the AWS access credentials that the AWS SDK for Ruby will use to verify your access to AWS services and resources. For more information, see Configuring the AWS SDK for Ruby.

Be sure the AWS credentials map to an AWS Identity and Access Management (IAM) entity with access to the AWS actions and resources described in this example.

This example assumes you have set the credentials in the AWS credentials profile file or in the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables on your local system.

Configure the SDK

To configure the SDK for this example, add a require statement so you can use the classes and methods provided by the AWS SDK for Ruby for Amazon S3. Then create an Aws::S3::Client object in the AWS Region where you want to create the bucket. This code creates the Aws::S3::Client object in the us-west-2 region.

require 'aws-sdk-s3' # v2: require 'aws-sdk'

s3 = Aws::S3::Client.new(region: "us-west-2")

Create a Bucket

Call the create_bucket method, specifying the bucket's name. This code uses a variable named bucket to represent the bucket's name. Substitute your bucket's name for example-bucket-name.

Note

Bucket names must be unique across Amazon S3—not just unique to your AWS account.

If you already have a bucket you want to use, you don't have to call create_bucket.

bucket = "example-bucket-name"

# Outside us-east-1, S3 rejects a create_bucket request whose location
# constraint does not match the region of the endpoint it was sent to,
# so state the client's region explicitly.
s3.create_bucket(
  bucket: bucket,
  create_bucket_configuration: { location_constraint: "us-west-2" }
)

Define a Bucket Policy

Declare a Ruby hash that represents the policy. Then call the to_json method on the hash to convert it to a JSON string. This code uses a variable named policy that contains the policy definition. This policy allows the specified user full control over the bucket example-bucket-name (represented by #{bucket}). Substitute the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) user you want to use for arn:aws:iam::111122223333:user/Alice.

policy = {
  "Version" => "2012-10-17",
  "Statement" => [
    {
      "Effect" => "Allow",
      "Principal" => {
        "AWS" => [
          "arn:aws:iam::111122223333:user/Alice"
        ]
      },
      "Action" => "s3:*",
      # Bucket ARN only: object-level actions (GetObject, PutObject, ...)
      # also need the "arn:aws:s3:::#{bucket}/*" resource.
      "Resource" => [
        "arn:aws:s3:::#{bucket}"
      ]
    }
  ]
}.to_json

For examples of the types of policies you can define, see Bucket Policy Examples in the Amazon S3 Developer Guide.

Add the Policy to the Bucket

Call the put_bucket_policy method, specifying the name of the bucket and the policy definition.

s3.put_bucket_policy(
  bucket: bucket,
  policy: policy
)

Change the Policy

You can call the put_bucket_policy method again with a complete replacement policy. However, you can also make incremental updates to an existing policy, which can reduce the amount of code you need to write. To do this, retrieve the current policy by calling the get_bucket_policy method. Next, parse the JSON string that is returned into a Ruby hash. Then make your incremental changes to the policy. For example, this code changes the ARN of the IAM entity. After you make your changes, call the put_bucket_policy method again. Be sure to call the to_json method on the hash to convert it back to a JSON string before applying the changed policy to the bucket.

require 'json' # for JSON.parse

# get_bucket_policy returns the policy as an IO object; read it into a string.
policy_string = s3.get_bucket_policy(bucket: bucket).policy.read
policy_json = JSON.parse(policy_string)

# Incremental change: swap the principal of the first statement.
policy_json["Statement"][0]["Principal"]["AWS"] = "arn:aws:iam::111122223333:root"

s3.put_bucket_policy(
  bucket: bucket,
  policy: policy_json.to_json
)

Clean Up

To remove the policy from the bucket, call the delete_bucket_policy method, specifying the name of the bucket.

To delete the bucket, call the delete_bucket method, specifying the name of the bucket.

s3.delete_bucket_policy(bucket: bucket)

# delete_bucket only succeeds on an empty bucket.
s3.delete_bucket(bucket: bucket)

Complete Example

Here is the complete code for this example.

require 'aws-sdk-s3' # v2: require 'aws-sdk'
require 'json'       # for JSON.parse

s3 = Aws::S3::Client.new(region: "us-west-2")

bucket = "example-bucket-name"

# Outside us-east-1, the location constraint must match the client's region.
s3.create_bucket(
  bucket: bucket,
  create_bucket_configuration: { location_constraint: "us-west-2" }
)

policy = {
  "Version" => "2012-10-17",
  "Statement" => [
    {
      "Effect" => "Allow",
      "Principal" => {
        "AWS" => [
          "arn:aws:iam::111122223333:user/Alice"
        ]
      },
      "Action" => "s3:*",
      # Bucket ARN only: object-level actions also need "arn:aws:s3:::#{bucket}/*".
      "Resource" => [
        "arn:aws:s3:::#{bucket}"
      ]
    }
  ]
}.to_json

s3.put_bucket_policy(
  bucket: bucket,
  policy: policy
)

# Incremental update: read the current policy, change it, write it back.
policy_string = s3.get_bucket_policy(bucket: bucket).policy.read
policy_json = JSON.parse(policy_string)
policy_json["Statement"][0]["Principal"]["AWS"] = "arn:aws:iam::111122223333:root"

s3.put_bucket_policy(
  bucket: bucket,
  policy: policy_json.to_json
)

s3.delete_bucket_policy(bucket: bucket)
s3.delete_bucket(bucket: bucket)
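As an added example (not code from this guide or the SDK), the policy handling from the steps above in plain Ruby that runs without the SDK or AWS credentials: it builds the policy so that it covers the objects as well as the bucket, performs the incremental principal swap on the JSON string that get_bucket_policy returns, and checks for anonymous Allow statements before the result would be passed to put_bucket_policy. The Sid value and the three function names are assumptions.

```ruby
require 'json'

# Build the guide's policy, extended to cover objects: "s3:*" on the bucket ARN
# alone does not grant object actions, which need the "<bucket>/*" resource.
def build_bucket_policy(bucket, principal_arn)
  {
    "Version" => "2012-10-17",
    "Statement" => [
      {
        "Sid" => "FullControlForPrincipal", # assumed Sid, used to find the statement later
        "Effect" => "Allow",
        "Principal" => { "AWS" => [principal_arn] },
        "Action" => "s3:*",
        "Resource" => ["arn:aws:s3:::#{bucket}", "arn:aws:s3:::#{bucket}/*"]
      }
    ]
  }.to_json
end

# Incremental update as in the guide: parse the JSON string get_bucket_policy
# returns, replace the principal of the statement with the given Sid, re-serialize.
def replace_principal(policy_string, sid, new_arn)
  policy = JSON.parse(policy_string)
  stmt = policy["Statement"].find { |s| s["Sid"] == sid }
  raise ArgumentError, "no statement with Sid #{sid}" unless stmt
  stmt["Principal"]["AWS"] = new_arn
  policy.to_json
end

# Review gate before put_bucket_policy: return the Sids of Allow statements whose
# principal is anonymous ("*" or {"AWS" => "*"}) and that carry no Condition.
def public_statements(policy_string)
  JSON.parse(policy_string)["Statement"].select do |s|
    next false unless s["Effect"] == "Allow"
    principal = s["Principal"]
    anonymous = principal == "*" ||
                (principal.is_a?(Hash) && Array(principal["AWS"]).include?("*"))
    anonymous && !s.key?("Condition")
  end.map { |s| s["Sid"] }
end

if __FILE__ == $PROGRAM_NAME
  policy = build_bucket_policy("example-bucket-name", "arn:aws:iam::111122223333:user/Alice")
  puts public_statements(policy).empty? ? "policy has no anonymous Allow" : "REVIEW NEEDED"
  puts replace_principal(policy, "FullControlForPrincipal", "arn:aws:iam::111122223333:root")
end
```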