Resource: aws_s3control_access_grant

Provides a resource to manage an S3 Access Grant. Each access grant has its own ID and gives an IAM user or role, or a directory user or group (the grantee), access to a registered location. You determine the level of access, such as READ or READWRITE. Before you can create a grant, you must have an S3 Access Grants instance in the same Region as the S3 data.

Example Usage

resource "aws_s3control_access_grants_instance" "example" {}

resource "aws_s3control_access_grants_location" "example" {
  depends_on = [aws_s3control_access_grants_instance.example]

  iam_role_arn   = aws_iam_role.example.arn
  location_scope = "s3://${aws_s3_bucket.example.bucket}/prefixA*"
}

resource "aws_s3control_access_grant" "example" {
  access_grants_location_id = aws_s3control_access_grants_location.example.access_grants_location_id
  permission                = "READ"

  access_grants_location_configuration {
    s3_sub_prefix = "prefixB*"
  }

  grantee {
    grantee_type       = "IAM"
    grantee_identifier = aws_iam_user.example.arn
  }
}
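
A review check for plans that create this resource, added here as an example and not part of the provider documentation: it reads the JSON produced by `terraform show -json` and flags grants whose permission is not READ or whose s3_sub_prefix is missing or a bare `*`. The policy itself, the name review_grants, the sample plan, and the assumption that nested blocks appear as lists in the plan JSON all belong to this example.

```python
import json

# Constructed sample, shaped like `terraform show -json <planfile>` output and
# cut down to the fields read below (assumption: nested blocks appear as lists).
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "aws_s3control_access_grant.example", "type": "aws_s3control_access_grant",
  "change": {"after": {"permission": "READ",
   "access_grants_location_configuration": [{"s3_sub_prefix": "prefixB*"}]}}},
 {"address": "aws_s3control_access_grant.wide", "type": "aws_s3control_access_grant",
  "change": {"after": {"permission": "READWRITE",
   "access_grants_location_configuration": [{"s3_sub_prefix": "*"}]}}},
 {"address": "aws_s3control_access_grant.no_prefix", "type": "aws_s3control_access_grant",
  "change": {"after": {"permission": "READ",
   "access_grants_location_configuration": []}}},
 {"address": "aws_s3control_access_grant.old", "type": "aws_s3control_access_grant",
  "change": {"after": null}},
 {"address": "aws_s3_bucket.example", "type": "aws_s3_bucket",
  "change": {"after": {"bucket": "example"}}}
]}
""")

GRANT_TYPE = "aws_s3control_access_grant"


def review_grants(plan):
    """Return {address: [findings]} for planned grants a reviewer should look at."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if rc.get("type") != GRANT_TYPE or after is None:  # None: being destroyed
            continue
        issues = []
        permission = after.get("permission")
        if permission != "READ":
            issues.append(f"permission is {permission}, not READ")
        cfg = after.get("access_grants_location_configuration") or [{}]
        if cfg[0].get("s3_sub_prefix") in (None, "", "*"):
            issues.append("s3_sub_prefix missing or '*': not narrowed below the location")
        if issues:
            findings[rc["address"]] = issues
    return findings


if __name__ == "__main__":
    for address, issues in review_grants(SAMPLE_PLAN).items():
        print(address, "->", "; ".join(issues))
```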

Argument Reference

This resource supports the following arguments:

Location Configuration

The access_grants_location_configuration block supports the following:

Grantee

The grantee block supports the following:

Attribute Reference

This resource exports the following attributes in addition to the arguments above:

Import

In Terraform v1.5.0 and later, use an import block to import S3 Access Grants using the account_id and access_grant_id, separated by a comma (,). For example:

import {
  to = aws_s3control_access_grant.example
  id = "123456789012,04549c5e-2f3c-4a07-824d-2cafe720aa22"
}

Using terraform import, import S3 Access Grants using the account_id and access_grant_id, separated by a comma (,). For example:

% terraform import aws_s3control_access_grant.example 123456789012,04549c5e-2f3c-4a07-824d-2cafe720aa22