Skip to main content

CDK Constructs for AWS S3

Project description

Amazon S3 Construct Library

---

Stability: Stable


Define an unencrypted S3 bucket.

# Example may have issues. See https://github.com/aws/jsii/issues/826
Bucket(self, "MyFirstBucket")

Bucket constructs expose the following deploy-time attributes:

  • bucketArn - the ARN of the bucket (i.e. arn:aws:s3:::bucket_name)
  • bucketName - the name of the bucket (i.e. bucket_name)
  • bucketWebsiteUrl - the Website URL of the bucket (i.e. http://bucket_name.s3-website-us-west-1.amazonaws.com)
  • bucketDomainName - the URL of the bucket (i.e. bucket_name.s3.amazonaws.com)
  • bucketDualStackDomainName - the dual-stack URL of the bucket (i.e. bucket_name.s3.dualstack.eu-west-1.amazonaws.com)
  • bucketRegionalDomainName - the regional URL of the bucket (i.e. bucket_name.s3.eu-west-1.amazonaws.com)
  • arnForObjects(pattern) - the ARN of an object or objects within the bucket (i.e. arn:aws:s3:::bucket_name/exampleobject.png or arn:aws:s3:::bucket_name/Development/*)
  • urlForObject(key) - the URL of an object within the bucket (i.e. https://s3.cn-north-1.amazonaws.com.cn/china-bucket/mykey)

Encryption

Define a KMS-encrypted bucket:

# Example may have issues. See https://github.com/aws/jsii/issues/826
bucket = Bucket(self, "MyUnencryptedBucket",
    encryption=BucketEncryption.KMS
)

# you can access the encryption key:
assert(bucket.encryption_key instanceof kms.Key)

You can also supply your own key:

# Example may have issues. See https://github.com/aws/jsii/issues/826
my_kms_key = kms.Key(self, "MyKey")

bucket = Bucket(self, "MyEncryptedBucket",
    encryption=BucketEncryption.KMS,
    encryption_key=my_kms_key
)

assert(bucket.encryption_key === my_kms_key)

Use BucketEncryption.ManagedKms to use the S3 master KMS key:

# Example may have issues. See https://github.com/aws/jsii/issues/826
bucket = Bucket(self, "Buck",
    encryption=BucketEncryption.KMS_MANAGED
)

assert(bucket.encryption_key == null)

Permissions

A bucket policy will be automatically created for the bucket upon the first call to addToResourcePolicy(statement):

# Example may have issues. See https://github.com/aws/jsii/issues/826
bucket = Bucket(self, "MyBucket")
bucket.add_to_resource_policy(iam.PolicyStatement(
    actions=["s3:GetObject"],
    resources=[bucket.arn_for_objects("file.txt")],
    principals=[iam.AccountRootPrincipal()]
))

Most of the time, you won't have to manipulate the bucket policy directly. Instead, buckets have "grant" methods called to give prepackaged sets of permissions to other resources. For example:

# Example may have issues. See https://github.com/aws/jsii/issues/826
lambda = lambda.Function(self, "Lambda")

bucket = Bucket(self, "MyBucket")
bucket.grant_read_write(lambda)

Will give the Lambda's execution role permissions to read and write from the bucket.

Sharing buckets between stacks

To use a bucket in a different stack in the same CDK application, pass the object to the other stack:

# Example may have issues. See https://github.com/aws/jsii/issues/826

#
# Stack that defines the bucket
#
class Producer(cdk.Stack):

    def __init__(self, scope, id, props=None):
        super().__init__(scope, id, props)

        bucket = s3.Bucket(self, "MyBucket",
            removal_policy=cdk.RemovalPolicy.DESTROY
        )
        self.my_bucket = bucket

#
# Stack that consumes the bucket
#
class Consumer(cdk.Stack):
    def __init__(self, scope, id, *, userBucket):
        super().__init__(scope, id, userBucket=userBucket)

        user = iam.User(self, "MyUser")
        user_bucket.grant_read_write(user)

producer = Producer(app, "ProducerStack")
Consumer(app, "ConsumerStack", user_bucket=producer.my_bucket)

Importing existing buckets

To import an existing bucket into your CDK application, use the Bucket.fromBucketAttributes factory method. This method accepts BucketAttributes which describes the properties of an already existing bucket:

# Example may have issues. See https://github.com/aws/jsii/issues/826
bucket = Bucket.from_bucket_attributes(self, "ImportedBucket",
    bucket_arn="arn:aws:s3:::my-bucket"
)

# now you can just call methods on the bucket
bucket.grant_read_write(user)

Alternatively, short-hand factories are available as Bucket.fromBucketName and Bucket.fromBucketArn, which will derive all bucket attributes from the bucket name or ARN respectively:

# Example may have issues. See https://github.com/aws/jsii/issues/826
by_name = Bucket.from_bucket_name(self, "BucketByName", "my-bucket")
by_arn = Bucket.from_bucket_arn(self, "BucketByArn", "arn:aws:s3:::my-bucket")

Bucket Notifications

The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket as described under S3 Bucket Notifications of the S3 Developer Guide.

To subscribe for bucket notifications, use the bucket.addEventNotification method. The bucket.addObjectCreatedNotification and bucket.addObjectRemovedNotification can also be used for these common use cases.

The following example will subscribe an SNS topic to be notified of all s3:ObjectCreated:* events:

# Example may have issues. See https://github.com/aws/jsii/issues/826
import aws_cdk.aws_s3_notifications as s3n

my_topic = sns.Topic(self, "MyTopic")
bucket.add_event_notification(s3.EventType.OBJECT_CREATED, s3n.SnsDestination(topic))

This call will also ensure that the topic policy can accept notifications for this specific bucket.

Supported S3 notification targets are exposed by the @aws-cdk/aws-s3-notifications package.

It is also possible to specify S3 object key filters when subscribing. The following example will notify myQueue when objects prefixed with foo/ and have the .jpg suffix are removed from the bucket.

# Example may have issues. See https://github.com/aws/jsii/issues/826
bucket.add_event_notification(s3.EventType.OBJECT_REMOVED,
    s3n.SqsDestination(my_queue), prefix="foo/", suffix=".jpg")

Block Public Access

Use blockPublicAccess to specify block public access settings on the bucket.

Enable all block public access settings:

# Example may have issues. See https://github.com/aws/jsii/issues/826
bucket = Bucket(self, "MyBlockedBucket",
    block_public_access=BlockPublicAccess.BLOCK_ALL
)

Block and ignore public ACLs:

# Example may have issues. See https://github.com/aws/jsii/issues/826
bucket = Bucket(self, "MyBlockedBucket",
    block_public_access=BlockPublicAccess.BLOCK_ACLS
)

Alternatively, specify the settings manually:

# Example may have issues. See https://github.com/aws/jsii/issues/826
bucket = Bucket(self, "MyBlockedBucket",
    block_public_access=BlockPublicAccess(block_public_policy=True)
)

When blockPublicPolicy is set to true, grantPublicRead() throws an error.

Website redirection

You can use the two following properties to specify the bucket redirection policy. Please note that these methods cannot both be applied to the same bucket.

Static redirection

You can statically redirect a to a given Bucket URL or any other host name with websiteRedirect:

# Example may have issues. See https://github.com/aws/jsii/issues/826
bucket = Bucket(self, "MyRedirectedBucket",
    website_redirect={"host_name": "www.example.com"}
)

Routing rules

Alternatively, you can also define multiple websiteRoutingRules, to define complex, conditional redirections:

# Example may have issues. See https://github.com/aws/jsii/issues/826
bucket = Bucket(self, "MyRedirectedBucket",
    website_routing_rules=[{
        "host_name": "www.example.com",
        "http_redirect_code": "302",
        "protocol": RedirectProtocol.HTTPS,
        "replace_key": ReplaceKey.prefix_with("test/"),
        "condition": {
            "http_error_code_returned_equals": "200",
            "key_prefix_equals": "prefix"
        }
    }]
)

Filling the bucket as part of deployment

To put files into a bucket as part of a deployment (for example, to host a website), see the @aws-cdk/aws-s3-deployment package, which provides a resource that can do just that.

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aws-cdk.aws-s3-1.16.3.tar.gz (232.6 kB view details)

Uploaded Source

Built Distribution

aws_cdk.aws_s3-1.16.3-py3-none-any.whl (230.3 kB view details)

Uploaded Python 3

File details

Details for the file aws-cdk.aws-s3-1.16.3.tar.gz.

File metadata

  • Download URL: aws-cdk.aws-s3-1.16.3.tar.gz
  • Upload date:
  • Size: 232.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/2.0.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/39.0.1 requests-toolbelt/0.9.1 tqdm/4.38.0 CPython/3.6.5

File hashes

Hashes for aws-cdk.aws-s3-1.16.3.tar.gz
Algorithm Hash digest
SHA256 b772ec3e3e20737f20af89b78252ac9e8f6e6cab220c8e0f9f690be2d8813e43
MD5 89ce157b1633102cada49f20b80bc8cb
BLAKE2b-256 817dba52ab1495772d0e34e9a1d3e05f004797727380e8149597cfb1a754e420

See more details on using hashes here.

File details

Details for the file aws_cdk.aws_s3-1.16.3-py3-none-any.whl.

File metadata

  • Download URL: aws_cdk.aws_s3-1.16.3-py3-none-any.whl
  • Upload date:
  • Size: 230.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/2.0.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/39.0.1 requests-toolbelt/0.9.1 tqdm/4.38.0 CPython/3.6.5

File hashes

Hashes for aws_cdk.aws_s3-1.16.3-py3-none-any.whl
Algorithm Hash digest
SHA256 044f3f749f27a5be6e3826cfe2fd78953e566d33ab96b2ffd33e57ef0c10a996
MD5 9d2dcc5760ee7e09bff7e032f3e66683
BLAKE2b-256 e95691985f9edf3cab73eae4dfe9148e46f596d5e8dd6f21f941ff5e6c03af5e

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page