
S3 Constructs

S3 buckets, bucket policies, and lifecycle rules.

s3

Classes

EnvBaseBucket

EnvBaseBucket(
    scope: Construct,
    id: str,
    env_base: EnvBase,
    bucket_name: str | None,
    removal_policy: RemovalPolicy = RETAIN,
    account_id: str = ACCOUNT_ID,
    region: str = REGION,
    lifecycle_rules: Sequence[LifecycleRule] | None = None,
    inventories: Sequence[Inventory] | None = None,
    auto_delete_objects: bool = False,
    bucket_key_enabled: bool = False,
    block_public_access: BlockPublicAccess
    | None = BLOCK_ALL,
    public_read_access: bool = False,
    **kwargs
)

Bases: Bucket, EnvBaseConstructMixins

Source code in src/aibs_informatics_cdk_lib/constructs_/s3/bucket.py
def __init__(
    self,
    scope: constructs.Construct,
    id: str,
    env_base: EnvBase,
    bucket_name: str | None,
    removal_policy: cdk.RemovalPolicy = cdk.RemovalPolicy.RETAIN,
    account_id: str = cdk.Aws.ACCOUNT_ID,
    region: str = cdk.Aws.REGION,
    lifecycle_rules: Sequence[s3.LifecycleRule] | None = None,
    inventories: Sequence[s3.Inventory] | None = None,
    auto_delete_objects: bool = False,
    bucket_key_enabled: bool = False,
    block_public_access: s3.BlockPublicAccess | None = s3.BlockPublicAccess.BLOCK_ALL,
    public_read_access: bool = False,
    **kwargs,
):
    """Create an environment-scoped S3 bucket with private ACL and public access blocked by default.

    The bucket name handed to CDK is derived from *bucket_name* through
    ``env_base.get_bucket_name`` (scoped by account and region); when *bucket_name*
    is ``None`` no explicit name is set and CDK generates one.

    Args:
        scope: Parent construct.
        id: Construct id within *scope*.
        env_base: Environment descriptor used to derive the bucket name.
        bucket_name: Base bucket name, or ``None`` to let CDK generate a name.
        removal_policy: CloudFormation removal policy; defaults to RETAIN.
        account_id: Account id folded into the derived name (defaults to the stack's).
        region: Region folded into the derived name (defaults to the stack's).
        lifecycle_rules: Optional lifecycle rules passed through to ``s3.Bucket``.
        inventories: Optional inventory configurations passed through to ``s3.Bucket``.
        auto_delete_objects: Passed through to ``s3.Bucket``.
            NOTE(review): CDK is expected to reject this together with a RETAIN removal
            policy — confirm before enabling it without ``removal_policy=DESTROY``.
        bucket_key_enabled: Passed through to ``s3.Bucket``.
        block_public_access: Defaults to ``BLOCK_ALL``; pass ``None`` to opt out.
        public_read_access: Passed through to ``s3.Bucket``; defaults to ``False``.
            NOTE(review): CDK is expected to reject ``True`` while the default
            ``BLOCK_ALL`` is in effect — confirm, and keep the default unless a
            public bucket is genuinely intended.
        **kwargs: Remaining ``s3.Bucket`` keyword arguments.
    """
    # Set env_base first: self.bucket_name is read below, before the base
    # class is initialised, and presumably resolves via the mixin.
    self.env_base = env_base
    if bucket_name is None:
        self._full_bucket_name = None
    else:
        self._full_bucket_name = env_base.get_bucket_name(
            base_name=bucket_name, account_id=account_id, region=region
        )

    # The ACL is pinned to PRIVATE and cannot be overridden through kwargs.
    super().__init__(
        scope,
        id,
        bucket_name=self.bucket_name,
        access_control=s3.BucketAccessControl.PRIVATE,
        block_public_access=block_public_access,
        public_read_access=public_read_access,
        bucket_key_enabled=bucket_key_enabled,
        removal_policy=removal_policy,
        auto_delete_objects=auto_delete_objects,
        lifecycle_rules=lifecycle_rules,
        inventories=inventories,
        **kwargs,
    )
Functions
grant_permissions
grant_permissions(
    role: IRole | None,
    *permissions: Literal["rw", "r", "w", "d"],
    objects_key_pattern: str | None = None
)

Grant Bucket access (r,w,d) to a role, optionally specifying a key pattern

Parameters:

Name Type Description Default
role IRole | None

role to grant access to

required
objects_key_pattern Optional[str]

Optional pattern to constrain access to. The pattern is applied to object keys within the bucket. You can use '*' and '?' wildcards. For more information, see the following link: https://docs.aws.amazon.com/AmazonS3/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources

None
Source code in src/aibs_informatics_cdk_lib/constructs_/s3/bucket.py
def grant_permissions(
    self,
    role: iam.IRole | None,
    *permissions: Literal["rw", "r", "w", "d"],
    objects_key_pattern: str | None = None,
):
    """Grant this bucket's access (r, w, d) to *role*, optionally scoped to a key pattern.

    Thin wrapper around :func:`grant_bucket_access` with this bucket as the target.

    Args:
        role: Role to grant access to. ``None`` results in no grant at all.
        *permissions: Any of ``"rw"``, ``"r"``, ``"w"``, ``"d"``.
        objects_key_pattern: Optional pattern restricting the grant to matching object
            keys; ``'*'`` and ``'?'`` wildcards are supported. ``None`` means every
            object key. See
            https://docs.aws.amazon.com/AmazonS3/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources
    """  # noqa: E501
    key_pattern = objects_key_pattern
    grant_bucket_access(self, role, *permissions, objects_key_pattern=key_pattern)

Functions

grant_bucket_access

grant_bucket_access(
    bucket: Bucket | Sequence[Bucket],
    role: IRole | None,
    *permissions: Literal["rw", "r", "w", "d"],
    objects_key_pattern: str | None = None
)

Grant Bucket access (r,w,d) to a role, optionally specifying a key pattern

Parameters:

Name Type Description Default
bucket Bucket | Sequence[Bucket]

bucket or buckets to grant access to

required
role IRole | None

role to grant access to

required
objects_key_pattern Optional[str]

Optional pattern to constrain access to. The pattern is applied to object keys within the bucket. You can use '*' and '?' wildcards. For more information, see the following link: https://docs.aws.amazon.com/AmazonS3/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources Defaults to None (which in turn represents '*').

None
Source code in src/aibs_informatics_cdk_lib/constructs_/s3/bucket.py
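def grant_bucket_access(
    bucket: s3.IBucket | Sequence[s3.IBucket],
    role: iam.IRole | None,
    *permissions: Literal["rw", "r", "w", "d"],
    objects_key_pattern: str | None = None,
):
    """Grant Bucket access (r,w,d) to a role, optionally specifying a key pattern

    Args:
        bucket (s3.IBucket | Sequence[s3.IBucket]): bucket or buckets to grant access to.
            Any object exposing the CDK ``grant_read`` / ``grant_write`` /
            ``grant_delete`` / ``grant_read_write`` methods works, so imported buckets
            (``s3.Bucket.from_bucket_name`` etc.) are accepted as well.
        role (iam.IRole | None): role to grant access to. ``None`` is a no-op.
        *permissions: one or more of ``"rw"``, ``"r"``, ``"w"``, ``"d"``. Passing none
            is a no-op.
        objects_key_pattern (Optional[str], optional): Optional pattern to constrain access to.
            The pattern is applied to object keys within the bucket. You can use '*' and '?'
            wildcards. For more information, see the following link:
            https://docs.aws.amazon.com/AmazonS3/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources
            Defaults to None (which in turn represents '*').

    Raises:
        ValueError: if any entry of *permissions* is not one of the four supported
            values. Validation runs before any grant is applied, so a typo neither
            silently grants nothing nor leaves a partial set of grants behind.

    NOTE(review): depending on the CDK version and feature flags in use, the action set
    behind ``grant_write`` may already include delete actions, so ``"w"`` can be broader
    than its name suggests — confirm against the synthesized policy where least
    privilege matters.
    """  # noqa: E501
    if not role:
        return

    # Permission letter -> name of the CDK grant method on the bucket.
    grant_methods = {
        "rw": "grant_read_write",
        "r": "grant_read",
        "w": "grant_write",
        "d": "grant_delete",
    }
    unknown = [p for p in permissions if p not in grant_methods]
    if unknown:
        raise ValueError(
            f"Unsupported bucket permission(s) {unknown!r}; "
            f"expected one of {sorted(grant_methods)}"
        )

    # A single bucket is not a Sequence; anything sequence-like is a collection of buckets.
    buckets = bucket if isinstance(bucket, Sequence) else [bucket]
    for target in buckets:
        for permission in permissions:
            grant = getattr(target, grant_methods[permission])
            grant(role, objects_key_pattern=objects_key_pattern)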

Modules

bucket

Classes
EnvBaseBucket
EnvBaseBucket(
    scope: Construct,
    id: str,
    env_base: EnvBase,
    bucket_name: str | None,
    removal_policy: RemovalPolicy = RETAIN,
    account_id: str = ACCOUNT_ID,
    region: str = REGION,
    lifecycle_rules: Sequence[LifecycleRule] | None = None,
    inventories: Sequence[Inventory] | None = None,
    auto_delete_objects: bool = False,
    bucket_key_enabled: bool = False,
    block_public_access: BlockPublicAccess
    | None = BLOCK_ALL,
    public_read_access: bool = False,
    **kwargs
)

Bases: Bucket, EnvBaseConstructMixins

Source code in src/aibs_informatics_cdk_lib/constructs_/s3/bucket.py
def __init__(
    self,
    scope: constructs.Construct,
    id: str,
    env_base: EnvBase,
    bucket_name: str | None,
    removal_policy: cdk.RemovalPolicy = cdk.RemovalPolicy.RETAIN,
    account_id: str = cdk.Aws.ACCOUNT_ID,
    region: str = cdk.Aws.REGION,
    lifecycle_rules: Sequence[s3.LifecycleRule] | None = None,
    inventories: Sequence[s3.Inventory] | None = None,
    auto_delete_objects: bool = False,
    bucket_key_enabled: bool = False,
    block_public_access: s3.BlockPublicAccess | None = s3.BlockPublicAccess.BLOCK_ALL,
    public_read_access: bool = False,
    **kwargs,
):
    """Create an environment-scoped S3 bucket with private ACL and public access blocked by default.

    The bucket name handed to CDK is derived from *bucket_name* through
    ``env_base.get_bucket_name`` (scoped by account and region); when *bucket_name*
    is ``None`` no explicit name is set and CDK generates one.

    Args:
        scope: Parent construct.
        id: Construct id within *scope*.
        env_base: Environment descriptor used to derive the bucket name.
        bucket_name: Base bucket name, or ``None`` to let CDK generate a name.
        removal_policy: CloudFormation removal policy; defaults to RETAIN.
        account_id: Account id folded into the derived name (defaults to the stack's).
        region: Region folded into the derived name (defaults to the stack's).
        lifecycle_rules: Optional lifecycle rules passed through to ``s3.Bucket``.
        inventories: Optional inventory configurations passed through to ``s3.Bucket``.
        auto_delete_objects: Passed through to ``s3.Bucket``.
            NOTE(review): CDK is expected to reject this together with a RETAIN removal
            policy — confirm before enabling it without ``removal_policy=DESTROY``.
        bucket_key_enabled: Passed through to ``s3.Bucket``.
        block_public_access: Defaults to ``BLOCK_ALL``; pass ``None`` to opt out.
        public_read_access: Passed through to ``s3.Bucket``; defaults to ``False``.
            NOTE(review): CDK is expected to reject ``True`` while the default
            ``BLOCK_ALL`` is in effect — confirm, and keep the default unless a
            public bucket is genuinely intended.
        **kwargs: Remaining ``s3.Bucket`` keyword arguments.
    """
    # Set env_base first: self.bucket_name is read below, before the base
    # class is initialised, and presumably resolves via the mixin.
    self.env_base = env_base
    if bucket_name is None:
        self._full_bucket_name = None
    else:
        self._full_bucket_name = env_base.get_bucket_name(
            base_name=bucket_name, account_id=account_id, region=region
        )

    # The ACL is pinned to PRIVATE and cannot be overridden through kwargs.
    super().__init__(
        scope,
        id,
        bucket_name=self.bucket_name,
        access_control=s3.BucketAccessControl.PRIVATE,
        block_public_access=block_public_access,
        public_read_access=public_read_access,
        bucket_key_enabled=bucket_key_enabled,
        removal_policy=removal_policy,
        auto_delete_objects=auto_delete_objects,
        lifecycle_rules=lifecycle_rules,
        inventories=inventories,
        **kwargs,
    )
Functions
grant_permissions
grant_permissions(
    role: IRole | None,
    *permissions: Literal["rw", "r", "w", "d"],
    objects_key_pattern: str | None = None
)

Grant Bucket access (r,w,d) to a role, optionally specifying a key pattern

Parameters:

Name Type Description Default
role IRole | None

role to grant access to

required
objects_key_pattern Optional[str]

Optional pattern to constrain access to. The pattern is applied to object keys within the bucket. You can use '*' and '?' wildcards. For more information, see the following link: https://docs.aws.amazon.com/AmazonS3/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources

None
Source code in src/aibs_informatics_cdk_lib/constructs_/s3/bucket.py
def grant_permissions(
    self,
    role: iam.IRole | None,
    *permissions: Literal["rw", "r", "w", "d"],
    objects_key_pattern: str | None = None,
):
    """Grant this bucket's access (r, w, d) to *role*, optionally scoped to a key pattern.

    Thin wrapper around :func:`grant_bucket_access` with this bucket as the target.

    Args:
        role: Role to grant access to. ``None`` results in no grant at all.
        *permissions: Any of ``"rw"``, ``"r"``, ``"w"``, ``"d"``.
        objects_key_pattern: Optional pattern restricting the grant to matching object
            keys; ``'*'`` and ``'?'`` wildcards are supported. ``None`` means every
            object key. See
            https://docs.aws.amazon.com/AmazonS3/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources
    """  # noqa: E501
    key_pattern = objects_key_pattern
    grant_bucket_access(self, role, *permissions, objects_key_pattern=key_pattern)
Functions
grant_bucket_access
grant_bucket_access(
    bucket: Bucket | Sequence[Bucket],
    role: IRole | None,
    *permissions: Literal["rw", "r", "w", "d"],
    objects_key_pattern: str | None = None
)

Grant Bucket access (r,w,d) to a role, optionally specifying a key pattern

Parameters:

Name Type Description Default
bucket Bucket | Sequence[Bucket]

bucket or buckets to grant access to

required
role IRole | None

role to grant access to

required
objects_key_pattern Optional[str]

Optional pattern to constrain access to. The pattern is applied to object keys within the bucket. You can use '*' and '?' wildcards. For more information, see the following link: https://docs.aws.amazon.com/AmazonS3/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources Defaults to None (which in turn represents '*').

None
Source code in src/aibs_informatics_cdk_lib/constructs_/s3/bucket.py
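def grant_bucket_access(
    bucket: s3.IBucket | Sequence[s3.IBucket],
    role: iam.IRole | None,
    *permissions: Literal["rw", "r", "w", "d"],
    objects_key_pattern: str | None = None,
):
    """Grant Bucket access (r,w,d) to a role, optionally specifying a key pattern

    Args:
        bucket (s3.IBucket | Sequence[s3.IBucket]): bucket or buckets to grant access to.
            Any object exposing the CDK ``grant_read`` / ``grant_write`` /
            ``grant_delete`` / ``grant_read_write`` methods works, so imported buckets
            (``s3.Bucket.from_bucket_name`` etc.) are accepted as well.
        role (iam.IRole | None): role to grant access to. ``None`` is a no-op.
        *permissions: one or more of ``"rw"``, ``"r"``, ``"w"``, ``"d"``. Passing none
            is a no-op.
        objects_key_pattern (Optional[str], optional): Optional pattern to constrain access to.
            The pattern is applied to object keys within the bucket. You can use '*' and '?'
            wildcards. For more information, see the following link:
            https://docs.aws.amazon.com/AmazonS3/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-resources
            Defaults to None (which in turn represents '*').

    Raises:
        ValueError: if any entry of *permissions* is not one of the four supported
            values. Validation runs before any grant is applied, so a typo neither
            silently grants nothing nor leaves a partial set of grants behind.

    NOTE(review): depending on the CDK version and feature flags in use, the action set
    behind ``grant_write`` may already include delete actions, so ``"w"`` can be broader
    than its name suggests — confirm against the synthesized policy where least
    privilege matters.
    """  # noqa: E501
    if not role:
        return

    # Permission letter -> name of the CDK grant method on the bucket.
    grant_methods = {
        "rw": "grant_read_write",
        "r": "grant_read",
        "w": "grant_write",
        "d": "grant_delete",
    }
    unknown = [p for p in permissions if p not in grant_methods]
    if unknown:
        raise ValueError(
            f"Unsupported bucket permission(s) {unknown!r}; "
            f"expected one of {sorted(grant_methods)}"
        )

    # A single bucket is not a Sequence; anything sequence-like is a collection of buckets.
    buckets = bucket if isinstance(bucket, Sequence) else [bucket]
    for target in buckets:
        for permission in permissions:
            grant = getattr(target, grant_methods[permission])
            grant(role, objects_key_pattern=objects_key_pattern)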