<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<appSettings>
<add key="AWSProfileName" value="AWS Default"/>
</appSettings>
</configuration>
AbortMultipartUpload:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
Key of the object for which the multipart upload was initiated.
Upload ID that identifies the multipart upload.
AbortMultipartUpload:
ETag value, returned after that part was uploaded.
CompleteMultipartUpload fails, applications should be prepared to retry the failed requests. For more information, see Amazon S3 Error Best Practices.
Content-Type: application/x-www-form-urlencoded with Complete Multipart Upload requests. Also, if you do not provide a Content-Type header, CompleteMultipartUpload returns a 200 OK response.
CompleteMultipartUpload has the following special errors:
EntityTooSmall
InvalidPart
InvalidPartOrder
NoSuchUpload
CompleteMultipartUpload:
200 OK response. This means that a 200 OK response can contain either a success or an error. Design your application to parse the contents of the response and handle it appropriately.
Bad Request error. For more information, see Transfer Acceleration.
x-amz-metadata-directive header. When you grant permissions, you can use the s3:x-amz-metadata-directive condition key to enforce certain metadata behavior when objects are uploaded. For more information, see Specifying Conditions in a Policy in the Amazon S3 User Guide. For a complete list of Amazon S3-specific condition keys, see Actions, Resources, and Condition Keys for Amazon S3.
Etag matches or whether the object was modified before or after a specified date, use the following request parameters:
x-amz-copy-source-if-match
x-amz-copy-source-if-none-match
x-amz-copy-source-if-unmodified-since
x-amz-copy-source-if-modified-since
x-amz-copy-source-if-match and x-amz-copy-source-if-unmodified-since headers are present in the request and evaluate as follows, Amazon S3 returns 200 OK and copies the data:
x-amz-copy-source-if-match condition evaluates to true
x-amz-copy-source-if-unmodified-since condition evaluates to false
x-amz-copy-source-if-none-match and x-amz-copy-source-if-modified-since headers are present in the request and evaluate as follows, Amazon S3 returns the 412 Precondition Failed response code:
x-amz-copy-source-if-none-match condition evaluates to false
x-amz-copy-source-if-modified-since condition evaluates to true
x-amz- prefix, including x-amz-copy-source, must be signed.
bucket-owner-full-control canned ACL or an equivalent form of this ACL expressed in the XML format.
x-amz-checksum-algorithm header.
CopyObject action to change the storage class of an object that is already stored in Amazon S3 using the StorageClass parameter.
For more information, see Storage Classes in the Amazon S3 User Guide.
x-amz-copy-source identifies the current version of an object to copy. If the current version is a delete marker, Amazon S3 behaves as if the object was deleted. To copy a different version, use the versionId subresource.
x-amz-version-id response header in the response.
CopyObject:
s3:PutAnalyticsConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
DeleteBucketAnalyticsConfiguration:
DeleteBucketIntelligentTieringConfiguration include:
s3:PutInventoryConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
DeleteBucketInventoryConfiguration include:
s3:PutMetricsConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
DeleteBucketMetricsConfiguration:
OwnershipControls for an Amazon S3 bucket. To use this operation, you must have the s3:PutBucketOwnershipControls permission. For more information about Amazon S3 permissions, see Specifying Permissions in a Policy.
DeleteBucketOwnershipControls:
DeleteBucketPolicy permissions on the specified bucket and belong to the bucket owner's account to use this operation.
DeleteBucketPolicy permissions, Amazon S3 returns a 403 Access Denied error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not Allowed error.
DeleteBucketPolicy
s3:PutReplicationConfiguration action. The bucket owner has these permissions by default and can grant it to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
DeleteBucketReplication:
s3:PutBucketTagging action. By default, the bucket owner has this permission and can grant this permission to others.
DeleteBucketTagging:
200 OK response upon successfully deleting a website configuration on the specified bucket. You will get a 200 OK response if the website configuration you are trying to delete does not exist on the bucket. Amazon S3 returns a 404 response if the bucket specified in the request does not exist.
S3:DeleteBucketWebsite permission. By default, only the bucket owner can delete the website configuration attached to a bucket. However, bucket owners can grant other users permission to delete the website configuration by writing a bucket policy granting them the S3:DeleteBucketWebsite permission.
DeleteBucketWebsite:
s3:PutLifecycleConfiguration action. By default, the bucket owner has this permission and the bucket owner can grant this permission to others.
x-amz-delete-marker, to true.
x-amz-mfa request header in the DELETE versionId request. Requests that include x-amz-mfa must use HTTPS.
s3:DeleteObject, s3:DeleteObjectVersion, and s3:PutLifeCycleConfiguration actions.
DeleteObject:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
Key name of the object to delete.
VersionId used to reference a specific version of the object.
DeleteObjects:
s3:DeleteObjectTagging action.
versionId query parameter in the request. You will need permission for the s3:DeleteObjectVersionTagging action.
DeleteBucketMetricsConfiguration:
PublicAccessBlock configuration for an Amazon S3 bucket. To use this operation, you must have the s3:PutBucketPublicAccessBlock permission. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
DeletePublicAccessBlock:
ServerSideEncryptionConfigurationNotFoundError.
s3:GetEncryptionConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
GetBucketEncryption:
GetBucketIntelligentTieringConfiguration include:
s3:GetInventoryConfiguration action. The bucket owner has this permission by default and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
GetBucketInventoryConfiguration:
LocationConstraint request parameter in a CreateBucket request. For more information, see CreateBucket.
GetBucketLocation:
GetBucketLogging:
s3:GetMetricsConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
GetBucketMetricsConfiguration:
NotificationConfiguration element.
s3:GetBucketNotification permission.
GetBucketNotification:
OwnershipControls for an Amazon S3 bucket. To use this operation, you must have the s3:GetBucketOwnershipControls permission. For more information about Amazon S3 permissions, see Specifying permissions in a policy.
GetBucketOwnershipControls:
GetBucketPolicy permissions on the specified bucket and belong to the bucket owner's account in order to use this operation.
GetBucketPolicy permissions, Amazon S3 returns a 403 Access Denied error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not Allowed error.
GetBucketPolicy:
s3:GetBucketPolicyStatus permission. For more information about Amazon S3 permissions, see Specifying Permissions in a Policy.
GetBucketPolicyStatus:
GetBucketRequestPayment:
s3:GetBucketTagging action. By default, the bucket owner has this permission and can grant this permission to others.
GetBucketTagging has the following special error:
NoSuchTagSet
GetBucketTagging:
enabled, the bucket owner must use an authentication device to change the versioning state of the bucket.
GetBucketVersioning:
S3:GetBucketWebsite permission. By default, only the bucket owner can read the bucket website configuration. However, bucket owners can allow other users to read the website configuration by writing a bucket policy granting them the S3:GetBucketWebsite permission.
DeleteBucketWebsite:
s3:GetBucketCORS action. By default, the bucket owner has this permission and can grant it to others.
GetBucketCors:
s3:GetLifecycleConfiguration action. The bucket owner has this permission, by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
GetBucketLifecycleConfiguration has the following special error:
NoSuchLifecycleConfiguration
GetBucketLifecycleConfiguration:
GET, you must have READ access to the object. If you grant READ access to the anonymous user, you can return the object without using an authorization header.
sample.jpg, you can name it photos/2006/February/sample.jpg.
GET operation. For a virtual hosted-style request example, if you have the object photos/2006/February/sample.jpg, specify the resource as /photos/2006/February/sample.jpg. For a path-style request example, if you have the object photos/2006/February/sample.jpg in the bucket named examplebucket, specify the resource as /examplebucket/photos/2006/February/sample.jpg. For more information about request types, see HTTP Host Header Bucket Specification.
InvalidObjectStateError error. For information about restoring archived objects, see Restoring Archived Objects.
x-amz-server-side-encryption, should not be sent for GET requests if your object uses server-side encryption with KMS keys (SSE-KMS) or server-side encryption with Amazon S3–managed encryption keys (SSE-S3). If your object does use these types of keys, you’ll get an HTTP 400 BadRequest error.
x-amz-tagging-count header that provides the count of number of tags associated with the object. You can use GetObjectTagging to retrieve the tag set associated with an object.
s3:ListBucket permission.
s3:ListBucket permission on the bucket, Amazon S3 will return an HTTP status code 404 ("no such key") error.
s3:ListBucket permission, Amazon S3 will return an HTTP status code 403 ("access denied") error.
versionId subresource.
versionId, you need the s3:GetObjectVersion permission to access a specific version of an object. If you request a specific version, you do not need to have the s3:GetObject permission.
x-amz-delete-marker: true in the response.
Content-Disposition response header value in your GET request.
Content-Type, Content-Language, Expires, Cache-Control, Content-Disposition, and Content-Encoding. To override these header values in the GET response, you use the following request parameters.
response-content-type
response-content-language
response-expires
response-cache-control
response-content-disposition
response-content-encoding
If-Match and If-Unmodified-Since headers are present in the request as follows: If-Match condition evaluates to true, and; If-Unmodified-Since condition evaluates to false; then, S3 returns 200 OK and the data requested.
If-None-Match and If-Modified-Since headers are present in the request as follows: If-None-Match condition evaluates to false, and; If-Modified-Since condition evaluates to true; then, S3 returns 304 Not Modified response code.
GetObject:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
Key of the object to get.
VersionId used to reference a specific version of the object.
GetObjectAttributes, you must have READ access to the object.
GetObjectAttributes combines the functionality of GetObjectAcl, GetObjectLegalHold, GetObjectLockConfiguration, GetObjectRetention, GetObjectTagging, HeadObject, and ListParts. All of the data returned with each of those individual calls can be returned with a single call to GetObjectAttributes.
x-amz-server-side-encryption-customer-algorithm
x-amz-server-side-encryption-customer-key
x-amz-server-side-encryption-customer-key-MD5
x-amz-server-side-encryption, should not be sent for GET requests if your object uses server-side encryption with Amazon Web Services KMS keys stored in Amazon Web Services Key Management Service (SSE-KMS) or server-side encryption with Amazon S3 managed encryption keys (SSE-S3). If your object does use these types of keys, you'll get an HTTP 400 Bad Request error.
If-Match and If-Unmodified-Since headers are present in the request as follows, then Amazon S3 returns the HTTP status code 200 OK and the data requested:
If-Match condition evaluates to true.
If-Unmodified-Since condition evaluates to false.
If-None-Match and If-Modified-Since headers are present in the request as follows, then Amazon S3 returns the HTTP status code 304 Not Modified:
If-None-Match condition evaluates to false.
If-Modified-Since condition evaluates to true.
s3:GetObjectVersion and s3:GetObjectVersionAttributes permissions for this operation. If the bucket is not versioned, you need the s3:GetObject and s3:GetObjectAttributes permissions. For more information, see Specifying Permissions in a Policy in the Amazon S3 User Guide. If the object that you request does not exist, the error Amazon S3 returns depends on whether you also have the s3:ListBucket permission.
s3:ListBucket permission on the bucket, Amazon S3 returns an HTTP status code 404 Not Found ("no such key") error.
s3:ListBucket permission, Amazon S3 returns an HTTP status code 403 Forbidden ("access denied") error.
GetObjectAttributes:
GetObjectLegalHold:
GetObjectLockConfiguration:
HEAD request has the same options as a GET action on an object. The response is identical to the GET response except that there is no response body. Because of this, if the HEAD request generates an error, it returns a generic 404 Not Found or 403 Forbidden code. It is not possible to retrieve the exact exception beyond these error codes.
x-amz-server-side-encryption, should not be sent for GET requests if your object uses server-side encryption with KMS keys (SSE-KMS) or server-side encryption with Amazon S3–managed encryption keys (SSE-S3). If your object does use these types of keys, you’ll get an HTTP 400 BadRequest error.
If-Match and If-Unmodified-Since headers are present in the request as follows:
If-Match condition evaluates to true, and;
If-Unmodified-Since condition evaluates to false;
200 OK and the data requested.
If-None-Match and If-Modified-Since headers are present in the request as follows:
If-None-Match condition evaluates to false, and;
If-Modified-Since condition evaluates to true;
304 Not Modified response code.
s3:ListBucket permission on the bucket, Amazon S3 returns an HTTP status code 404 ("no such key") error.
s3:ListBucket permission, Amazon S3 returns an HTTP status code 403 ("access denied") error.
HeadObject:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
The object key.
HEAD request has the same options as a GET action on an object. The response is identical to the GET response except that there is no response body. Because of this, if the HEAD request generates an error, it returns a generic 404 Not Found or 403 Forbidden code. It is not possible to retrieve the exact exception beyond these error codes.
x-amz-server-side-encryption, should not be sent for GET requests if your object uses server-side encryption with KMS keys (SSE-KMS) or server-side encryption with Amazon S3–managed encryption keys (SSE-S3). If your object does use these types of keys, you’ll get an HTTP 400 BadRequest error.
If-Match and If-Unmodified-Since headers are present in the request as follows:
If-Match condition evaluates to true, and;
If-Unmodified-Since condition evaluates to false;
200 OK and the data requested.
If-None-Match and If-Modified-Since headers are present in the request as follows:
If-None-Match condition evaluates to false, and;
If-Modified-Since condition evaluates to true;
304 Not Modified response code.
s3:ListBucket permission on the bucket, Amazon S3 returns an HTTP status code 404 ("no such key") error.
s3:ListBucket permission, Amazon S3 returns an HTTP status code 403 ("access denied") error.
HeadObject
:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
The object key.
VersionId used to reference a specific version of the object.
HeadObject
:
GetObjectRetention
:
s3:GetObjectTagging action. By default, the GET action returns information about the current version of an object. For a versioned bucket, you can have multiple versions of an object in your bucket. To retrieve tags of any other version, use the versionId query parameter. You also need permission for the s3:GetObjectVersionTagging action.
GetObjectTagging
:
GetObjectTorrent
:
PublicAccessBlock configuration for an Amazon S3 bucket. To use this operation, you must have the s3:GetBucketPublicAccessBlock permission. For more information about Amazon S3 permissions, see Specifying Permissions in a Policy.
PublicAccessBlock configuration for a bucket or an object, it checks the PublicAccessBlock configuration for both the bucket (or the bucket that contains the object) and the bucket owner's account. If the PublicAccessBlock settings are different between the bucket and the account, Amazon S3 uses the most restrictive combination of the bucket-level and account-level settings.
GetPublicAccessBlock
:
200 OK if the bucket exists and you have permission to access it.
HEAD request returns a generic 404 Not Found or 403 Forbidden code. A message body is not included, so you cannot determine the exception beyond these error codes.
s3:ListBucket action. The bucket owner has this permission by default and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
CreateMultipartUpload.
kms:Decrypt and kms:GenerateDataKey* actions on the key. These permissions are required because Amazon S3 must decrypt and read data from the encrypted file parts before it completes the multipart upload. For more information, see Multipart upload API and permissions in the Amazon S3 User Guide.
x-amz-acl request header. For more information, see Canned ACL.
x-amz-grant-read, x-amz-grant-read-acp, x-amz-grant-write-acp, and x-amz-grant-full-control headers. These parameters map to the set of permissions that Amazon S3 supports in an ACL. For more information, see Access Control List (ACL) Overview.
x-amz-server-side-encryption
x-amz-server-side-encryption-aws-kms-key-id
x-amz-server-side-encryption-context
x-amz-server-side-encryption:aws:kms, but don't provide x-amz-server-side-encryption-aws-kms-key-id, Amazon S3 uses the Amazon Web Services managed key in Amazon Web Services KMS to protect the data.
x-amz-server-side-encryption-customer-algorithm
x-amz-server-side-encryption-customer-key
x-amz-server-side-encryption-customer-key-MD5
x-amz-acl) — Amazon S3 supports a set of predefined ACLs, known as canned ACLs. Each canned ACL has a predefined set of grantees and permissions. For more information, see Canned ACL.
x-amz-grant-read
x-amz-grant-write
x-amz-grant-read-acp
x-amz-grant-write-acp
x-amz-grant-full-control
id – if the value specified is the canonical user ID of an Amazon Web Services account
uri – if you are granting permissions to a predefined group
emailAddress – if the value specified is the email address of an Amazon Web Services account
x-amz-grant-read header grants the Amazon Web Services accounts identified by account IDs permissions to read object data and its metadata:
x-amz-grant-read: id="11112222333", id="444455556666"
CreateMultipartUpload
:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
Object key for which the multipart upload is to be initiated.
CreateMultipartUpload
:
IsTruncated element in the response. If there are no more configurations to list, IsTruncated is set to false. If there are more configurations to list, IsTruncated is set to true, and there will be a value in NextContinuationToken. You use the NextContinuationToken value to continue the pagination of the list by passing the value in continuation-token in the request to GET the next page.
s3:GetAnalyticsConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
ListBucketAnalyticsConfigurations
:
ListBucketIntelligentTieringConfigurations
include:
IsTruncated element in the response. If there are no more configurations to list, IsTruncated is set to false. If there are more configurations to list, IsTruncated is set to true, and there is a value in NextContinuationToken. You use the NextContinuationToken value to continue the pagination of the list by passing the value in continuation-token in the request to GET the next page.
s3:GetInventoryConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
ListBucketInventoryConfigurations
:
IsTruncated element in the response. If there are no more configurations to list, IsTruncated is set to false. If there are more configurations to list, IsTruncated is set to true, and there is a value in NextContinuationToken. You use the NextContinuationToken value to continue the pagination of the list by passing the value in continuation-token in the request to GET the next page.
s3:GetMetricsConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
ListBucketMetricsConfigurations
:
s3:ListAllMyBuckets permission.
max-uploads parameter in the response. If additional multipart uploads satisfy the list criteria, the response will contain an IsTruncated element with the value true. To list the additional multipart uploads, use the key-marker and upload-id-marker request parameters.
ListMultipartUploads
:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
ListMultipartUploads
:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
Lists in-progress uploads only for those keys that begin with the specified prefix. You can use prefixes to separate a bucket into different groupings of keys. (You can think of using a prefix to make groups in the same way you'd use a folder in a file system.)
ListMultipartUploads
:
ListObjects
.
ListObjects
:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
ListObjects
.
ListObjects
:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
Limits the response to keys that begin with the specified prefix.
ListObjects
.
ListObjects
:
200 OK response can contain valid or invalid XML. Make sure to design your application to parse the contents of the response and handle it appropriately. Objects are returned sorted in an ascending order of the respective key names in the list. For more information about listing objects, see Listing object keys programmatically.
s3:ListBucket action. The bucket owner has this permission by default and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
ListObjectsV2
:
max-parts request parameter. If your multipart upload consists of more than 1,000 parts, the response returns an IsTruncated field with the value of true, and a NextPartNumberMarker element. In subsequent ListParts requests you can include the part-number-marker query string parameter and set its value to the NextPartNumberMarker field value from the previous response.
kms:Decrypt action for the request to succeed.
ListParts
:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
Object key for which the multipart upload was initiated.
Upload ID identifying the multipart upload whose parts are being listed.
ListParts
:
s3:ListBucketVersions action. Be aware of the name difference.
ListObjectVersions
:
s3.amazonaws.com endpoint, the request goes to the us-east-1 Region. Accordingly, the signature calculations in Signature Version 4 must use us-east-1 as the Region, even if the location constraint in the request specifies another Region where the bucket is to be created. If you create a bucket in a Region other than US East (N. Virginia), your application must be able to handle a 307 redirect. For more information, see Virtual hosting of buckets.
400 error and returns the InvalidBucketAclWithObjectOwnership error code. For more information, see Controlling object ownership in the Amazon S3 User Guide.
x-amz-acl request header. Amazon S3 supports a set of predefined ACLs, known as canned ACLs. Each canned ACL has a predefined set of grantees and permissions. For more information, see Canned ACL.
x-amz-grant-read, x-amz-grant-write, x-amz-grant-read-acp, x-amz-grant-write-acp, and x-amz-grant-full-control headers. These headers map to the set of permissions Amazon S3 supports in an ACL. For more information, see Access control list (ACL) overview.
id – if the value specified is the canonical user ID of an Amazon Web Services account
uri – if you are granting permissions to a predefined group
emailAddress – if the value specified is the email address of an Amazon Web Services account
x-amz-grant-read header grants the Amazon Web Services accounts identified by account IDs permissions to read object data and its metadata:
x-amz-grant-read: id="11112222333", id="444455556666"
s3:CreateBucket, the following permissions are required when your CreateBucket request includes specific headers:
CreateBucket request specifies ACL permissions and the ACL is public-read, public-read-write, authenticated-read, or if you specify access permissions explicitly through any other ACL, both s3:CreateBucket and s3:PutBucketAcl permissions are needed. If the ACL in the CreateBucket request is private or the request doesn't specify any ACLs, only s3:CreateBucket permission is needed.
ObjectLockEnabledForBucket is set to true in your CreateBucket request, s3:PutBucketObjectLockConfiguration and s3:PutBucketVersioning permissions are required.
x-amz-object-ownership header, s3:PutBucketOwnershipControls permission is required.
CreateBucket
:
s3:PutAccelerateConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
PutBucketAccelerateConfiguration
:
Grantee request element to grant access to other people. The Permissions request element specifies the kind of access the grantee has to the logs.
Grantee request element to grant access to others. Permissions can only be granted using policies. For more information, see Permissions for server access log delivery in the Amazon S3 User Guide.
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID><>ID<></ID><DisplayName><>GranteesEmail<></DisplayName>
</Grantee>
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AmazonCustomerByEmail"><EmailAddress><>Grantees@email.com<></EmailAddress></Grantee>
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group"><URI><>http://acs.amazonaws.com/groups/global/AuthenticatedUsers<></URI></Grantee>
<BucketLoggingStatus xmlns="http://doc.s3.amazonaws.com/2006-03-01" />
PutBucketLogging
:
s3:PutMetricsConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
PutBucketMetricsConfiguration
:
GetBucketLifecycle has the following special error:
TooManyConfigurations
NotificationConfiguration.
<NotificationConfiguration>
</NotificationConfiguration>
s3:PutBucketNotification permission.
TopicConfiguration specifying only the s3:ReducedRedundancyLostObject event type, the response will also include the x-amz-sns-test-message-id header containing the message ID of the test notification sent to the topic.
PutBucketNotificationConfiguration
:
OwnershipControls for an Amazon S3 bucket. To use this operation, you must have the s3:PutBucketOwnershipControls permission. For more information about Amazon S3 permissions, see Specifying permissions in a policy.
PutBucketOwnershipControls
:
PutBucketPolicy permissions on the specified bucket and belong to the bucket owner's account in order to use this operation.
PutBucketPolicy permissions, Amazon S3 returns a 403 Access Denied error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not Allowed error.
PutBucketPolicy
:
DeleteMarkerReplication, Status, and Priority.
SourceSelectionCriteria, SseKmsEncryptedObjects, Status, EncryptionConfiguration, and ReplicaKmsKeyID. For information about replication configuration, see Replicating Objects Created with SSE Using KMS keys.
PutBucketReplication errors, see List of replication-related error codes
PutBucketReplication request, you must have s3:PutReplicationConfiguration permissions for the bucket.
PutBucketReplication
:
PutBucketRequestPayment
:
s3:PutBucketTagging action. The bucket owner has this permission by default and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
PutBucketTagging has the following special errors:
InvalidTagError
MalformedXMLError
OperationAbortedError
InternalError
PutBucketTagging
:
website subresource. To configure a bucket as a website, you can add this subresource on the bucket with website configuration information such as the file name of the index document and any redirect rules. For more information, see Hosting Websites on Amazon S3.
S3:PutBucketWebsite permission. By default, only the bucket owner can configure the website attached to a bucket; however, bucket owners can allow other users to set the website configuration by writing a bucket policy that grants them the S3:PutBucketWebsite permission.
WebsiteConfiguration
RedirectAllRequestsTo
HostName
Protocol
WebsiteConfiguration
IndexDocument
Suffix
ErrorDocument
Key
RoutingRules
RoutingRule
Condition
HttpErrorCodeReturnedEquals
KeyPrefixEquals
Redirect
Protocol
HostName
ReplaceKeyPrefixWith
ReplaceKeyWith
HttpRedirectCode
s3:PutLifecycleConfiguration permission.
s3:DeleteObject
s3:DeleteObjectVersion
s3:PutLifecycleConfiguration
PutBucketLifecycleConfiguration
:
DefaultRetention settings require both a mode and a period.
DefaultRetention period can be either Days or Years but you must select one. You cannot specify Days and Years at the same time.
s3:PutObjectRetention permission in order to place an Object Retention configuration on objects. Bypassing a Governance Retention configuration requires the s3:BypassGovernanceRetention permission.
GetObject operation when using Object Lambda access points. For information about Object Lambda access points, see Transforming objects with Object Lambda access points in the Amazon S3 User Guide.
RequestRoute, RequestToken, StatusCode, ErrorCode, and ErrorMessage. The GetObject response metadata is supported so that the WriteGetObjectResponse caller, typically a Lambda function, can provide the same metadata when it internally invokes GetObject. When WriteGetObjectResponse is called by a customer-owned Lambda function, the metadata returned to the end user GetObject call might differ from what Amazon S3 would normally return.
x-amz-meta. For example, x-amz-meta-my-custom-header: MyCustomValue. The primary use case for this is to forward GetObject metadata.
200 OK response. This means that a 200 OK response can contain either a success or an error. Design your application to parse the contents of the response and handle it appropriately.
Bad Request error. For more information, see Transfer Acceleration.
x-amz-metadata-directive header. When you grant permissions, you can use the s3:x-amz-metadata-directive condition key to enforce certain metadata behavior when objects are uploaded. For more information, see Specifying Conditions in a Policy in the Amazon S3 User Guide. For a complete list of Amazon S3-specific condition keys, see Actions, Resources, and Condition Keys for Amazon S3.
Etag matches or whether the object was modified before or after a specified date, use the following request parameters:
x-amz-copy-source-if-match
x-amz-copy-source-if-none-match
x-amz-copy-source-if-unmodified-since
x-amz-copy-source-if-modified-since
x-amz-copy-source-if-match and x-amz-copy-source-if-unmodified-since headers are present in the request and evaluate as follows, Amazon S3 returns 200 OK and copies the data:
x-amz-copy-source-if-match condition evaluates to true
x-amz-copy-source-if-unmodified-since condition evaluates to false
x-amz-copy-source-if-none-match and x-amz-copy-source-if-modified-since headers are present in the request and evaluate as follows, Amazon S3 returns the 412 Precondition Failed response code:
x-amz-copy-source-if-none-match condition evaluates to false
x-amz-copy-source-if-modified-since condition evaluates to true
x-amz- prefix, including x-amz-copy-source, must be signed.
bucket-owner-full-control canned ACL or an equivalent form of this ACL expressed in the XML format.
x-amz-checksum-algorithm header.
CopyObject action to change the storage class of an object that is already stored in Amazon S3 using the StorageClass parameter. For more information, see Storage Classes in the Amazon S3 User Guide.
x-amz-copy-source identifies the current version of an object to copy. If the current version is a delete marker, Amazon S3 behaves as if the object was deleted. To copy a different version, use the versionId subresource.
x-amz-version-id response header in the response.
CopyObject
:
200 OK
response. This means that
a 200 OK
response can contain either a success or an error. Design your
application to parse the contents of the response and handle it appropriately.
Bad
Request
error. For more information, see Transfer
Acceleration.
x-amz-metadata-directive
header. When you grant permissions, you can use the s3:x-amz-metadata-directive
condition key to enforce certain metadata behavior when objects are uploaded. For
more information, see Specifying
Conditions in a Policy in the Amazon S3 User Guide. For a complete list
of Amazon S3-specific condition keys, see Actions,
Resources, and Condition Keys for Amazon S3.
Etag
matches or whether the object was modified before or after a specified date, use the
following request parameters:
x-amz-copy-source-if-match
x-amz-copy-source-if-none-match
x-amz-copy-source-if-unmodified-since
x-amz-copy-source-if-modified-since
x-amz-copy-source-if-match
and x-amz-copy-source-if-unmodified-since
headers are present in the request and evaluate as follows, Amazon S3 returns 200
OK
and copies the data:
x-amz-copy-source-if-match
condition evaluates to true
x-amz-copy-source-if-unmodified-since
condition evaluates to false
x-amz-copy-source-if-none-match
and x-amz-copy-source-if-modified-since
headers are present in the request and evaluate as follows, Amazon S3 returns the
412 Precondition Failed
response code:
x-amz-copy-source-if-none-match
condition evaluates to false
x-amz-copy-source-if-modified-since
condition evaluates to true
x-amz-
prefix, including x-amz-copy-source
,
must be signed.
bucket-owner-full-control
canned ACL or an equivalent form of this ACL expressed in the XML format.
x-amz-checksum-algorithm
header.
CopyObject
action to change the storage class of an object
that is already stored in Amazon S3 using the StorageClass
parameter.
For more information, see Storage
Classes in the Amazon S3 User Guide.
x-amz-copy-source
identifies the current version of an object
to copy. If the current version is a delete marker, Amazon S3 behaves as if the object
was deleted. To copy a different version, use the versionId
subresource.
x-amz-version-id
response header in the response.
CopyObject
:
s3:PutAnalyticsConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
DeleteBucketAnalyticsConfiguration:
DeleteBucketIntelligentTieringConfiguration include:
s3:PutInventoryConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
DeleteBucketInventoryConfiguration include:
s3:PutMetricsConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
DeleteBucketMetricsConfiguration:
OwnershipControls for an Amazon S3 bucket. To use this operation, you must have the s3:PutBucketOwnershipControls permission. For more information about Amazon S3 permissions, see Specifying Permissions in a Policy.
DeleteBucketOwnershipControls:
DeleteBucketPolicy permissions on the specified bucket and belong to the bucket owner's account to use this operation.
DeleteBucketPolicy permissions, Amazon S3 returns a 403 Access Denied error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not Allowed error.
DeleteBucketPolicy
s3:PutReplicationConfiguration action. The bucket owner has this permission by default and can grant it to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
DeleteBucketReplication:
s3:PutBucketTagging action. By default, the bucket owner has this permission and can grant this permission to others.
DeleteBucketTagging:
200 OK response upon successfully deleting a website configuration on the specified bucket. You will get a 200 OK response if the website configuration you are trying to delete does not exist on the bucket. Amazon S3 returns a 404 response if the bucket specified in the request does not exist.
S3:DeleteBucketWebsite permission. By default, only the bucket owner can delete the website configuration attached to a bucket. However, bucket owners can grant other users permission to delete the website configuration by writing a bucket policy granting them the S3:DeleteBucketWebsite permission.
DeleteBucketWebsite:
s3:PutLifecycleConfiguration action. By default, the bucket owner has this permission and the bucket owner can grant this permission to others.
x-amz-delete-marker, to true.
x-amz-mfa request header in the DELETE versionId request. Requests that include x-amz-mfa must use HTTPS.
s3:DeleteObject, s3:DeleteObjectVersion, and s3:PutLifeCycleConfiguration actions.
DeleteObject:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
Key name of the object to delete.
VersionId used to reference a specific version of the object.
DeleteObjects:
s3:DeleteObjectTagging action.
versionId query parameter in the request. You will need permission for the s3:DeleteObjectVersionTagging action.
DeleteBucketMetricsConfiguration:
PublicAccessBlock configuration for an Amazon S3 bucket. To use this operation, you must have the s3:PutBucketPublicAccessBlock permission. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
DeletePublicAccessBlock:
ServerSideEncryptionConfigurationNotFoundError.
s3:GetEncryptionConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
GetBucketEncryption:
GetBucketIntelligentTieringConfiguration include:
s3:GetInventoryConfiguration action. The bucket owner has this permission by default and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
GetBucketInventoryConfiguration:
LocationConstraint request parameter in a CreateBucket request. For more information, see CreateBucket.
GetBucketLocation:
GetBucketLogging:
s3:GetMetricsConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
GetBucketMetricsConfiguration:
NotificationConfiguration element.
s3:GetBucketNotification permission.
GetBucketNotification:
OwnershipControls for an Amazon S3 bucket. To use this operation, you must have the s3:GetBucketOwnershipControls permission. For more information about Amazon S3 permissions, see Specifying permissions in a policy.
GetBucketOwnershipControls:
GetBucketPolicy permissions on the specified bucket and belong to the bucket owner's account in order to use this operation.
GetBucketPolicy permissions, Amazon S3 returns a 403 Access Denied error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not Allowed error.
GetBucketPolicy:
s3:GetBucketPolicyStatus permission. For more information about Amazon S3 permissions, see Specifying Permissions in a Policy.
GetBucketPolicyStatus:
GetBucketRequestPayment:
s3:GetBucketTagging action. By default, the bucket owner has this permission and can grant this permission to others.
GetBucketTagging has the following special error:
NoSuchTagSet
GetBucketTagging:
enabled, the bucket owner must use an authentication device to change the versioning state of the bucket.
GetBucketVersioning:
S3:GetBucketWebsite permission. By default, only the bucket owner can read the bucket website configuration. However, bucket owners can allow other users to read the website configuration by writing a bucket policy granting them the S3:GetBucketWebsite permission.
DeleteBucketWebsite:
s3:GetBucketCORS action. By default, the bucket owner has this permission and can grant it to others.
GetBucketCors:
s3:GetLifecycleConfiguration action. The bucket owner has this permission, by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
GetBucketLifecycleConfiguration has the following special error:
NoSuchLifecycleConfiguration
GetBucketLifecycleConfiguration:
GET, you must have READ access to the object. If you grant READ access to the anonymous user, you can return the object without using an authorization header.
sample.jpg, you can name it photos/2006/February/sample.jpg.
GET operation. For a virtual hosted-style request example, if you have the object photos/2006/February/sample.jpg, specify the resource as /photos/2006/February/sample.jpg. For a path-style request example, if you have the object photos/2006/February/sample.jpg in the bucket named examplebucket, specify the resource as /examplebucket/photos/2006/February/sample.jpg. For more information about request types, see HTTP Host Header Bucket Specification.
InvalidObjectStateError error. For information about restoring archived objects, see Restoring Archived Objects.
x-amz-server-side-encryption, should not be sent for GET requests if your object uses server-side encryption with KMS keys (SSE-KMS) or server-side encryption with Amazon S3–managed encryption keys (SSE-S3). If your object does use these types of keys, you’ll get an HTTP 400 BadRequest error.
x-amz-tagging-count header that provides the number of tags associated with the object. You can use GetObjectTagging to retrieve the tag set associated with an object.
s3:ListBucket permission.
s3:ListBucket permission on the bucket, Amazon S3 will return an HTTP status code 404 ("no such key") error.
s3:ListBucket permission, Amazon S3 will return an HTTP status code 403 ("access denied") error.
versionId subresource.
versionId, you need the s3:GetObjectVersion permission to access a specific version of an object. If you request a specific version, you do not need to have the s3:GetObject permission.
x-amz-delete-marker: true in the response.
Content-Disposition response header value in your GET request.
Content-Type, Content-Language, Expires, Cache-Control, Content-Disposition, and Content-Encoding. To override these header values in the GET response, you use the following request parameters.
response-content-type
response-content-language
response-expires
response-cache-control
response-content-disposition
response-content-encoding
If-Match and If-Unmodified-Since headers are present in the request as follows: If-Match condition evaluates to true, and; If-Unmodified-Since condition evaluates to false; then, S3 returns 200 OK and the data requested.
If-None-Match and If-Modified-Since headers are present in the request as follows: If-None-Match condition evaluates to false, and; If-Modified-Since condition evaluates to true; then, S3 returns 304 Not Modified response code.
GetObject:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
Key of the object to get.
VersionId used to reference a specific version of the object.
GetObjectAttributes, you must have READ access to the object.
GetObjectAttributes combines the functionality of GetObjectAcl, GetObjectLegalHold, GetObjectLockConfiguration, GetObjectRetention, GetObjectTagging, HeadObject, and ListParts. All of the data returned with each of those individual calls can be returned with a single call to GetObjectAttributes.
x-amz-server-side-encryption-customer-algorithm
x-amz-server-side-encryption-customer-key
x-amz-server-side-encryption-customer-key-MD5
x-amz-server-side-encryption, should not be sent for GET requests if your object uses server-side encryption with Amazon Web Services KMS keys stored in Amazon Web Services Key Management Service (SSE-KMS) or server-side encryption with Amazon S3 managed encryption keys (SSE-S3). If your object does use these types of keys, you'll get an HTTP 400 Bad Request error.
If-Match and If-Unmodified-Since headers are present in the request as follows, then Amazon S3 returns the HTTP status code 200 OK and the data requested:
If-Match condition evaluates to true.
If-Unmodified-Since condition evaluates to false.
If-None-Match and If-Modified-Since headers are present in the request as follows, then Amazon S3 returns the HTTP status code 304 Not Modified:
If-None-Match condition evaluates to false.
If-Modified-Since condition evaluates to true.
s3:GetObjectVersion and s3:GetObjectVersionAttributes permissions for this operation. If the bucket is not versioned, you need the s3:GetObject and s3:GetObjectAttributes permissions. For more information, see Specifying Permissions in a Policy in the Amazon S3 User Guide. If the object that you request does not exist, the error Amazon S3 returns depends on whether you also have the s3:ListBucket permission.
s3:ListBucket permission on the bucket, Amazon S3 returns an HTTP status code 404 Not Found ("no such key") error.
s3:ListBucket permission, Amazon S3 returns an HTTP status code 403 Forbidden ("access denied") error.
GetObjectAttributes:
GetObjectLegalHold:
GetObjectLockConfiguration:
HEAD request has the same options as a GET action on an object. The response is identical to the GET response except that there is no response body. Because of this, if the HEAD request generates an error, it returns a generic 404 Not Found or 403 Forbidden code. It is not possible to retrieve the exact exception beyond these error codes.
x-amz-server-side-encryption, should not be sent for GET requests if your object uses server-side encryption with KMS keys (SSE-KMS) or server-side encryption with Amazon S3–managed encryption keys (SSE-S3). If your object does use these types of keys, you’ll get an HTTP 400 BadRequest error.
If-Match and If-Unmodified-Since headers are present in the request as follows:
If-Match condition evaluates to true, and;
If-Unmodified-Since condition evaluates to false;
200 OK and the data requested.
If-None-Match and If-Modified-Since headers are present in the request as follows:
If-None-Match condition evaluates to false, and;
If-Modified-Since condition evaluates to true;
304 Not Modified response code.
s3:ListBucket permission on the bucket, Amazon S3 returns an HTTP status code 404 ("no such key") error.
s3:ListBucket permission, Amazon S3 returns an HTTP status code 403 ("access denied") error.
HeadObject:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
The object key.
VersionId used to reference a specific version of the object.
GetObjectRetention:
s3:GetObjectTagging action. By default, the GET action returns information about the current version of an object. For a versioned bucket, you can have multiple versions of an object in your bucket. To retrieve tags of any other version, use the versionId query parameter. You also need permission for the s3:GetObjectVersionTagging action.
GetObjectTagging:
GetObjectTorrent:
PublicAccessBlock configuration for an Amazon S3 bucket. To use this operation, you must have the s3:GetBucketPublicAccessBlock permission. For more information about Amazon S3 permissions, see Specifying Permissions in a Policy.
PublicAccessBlock configuration for a bucket or an object, it checks the PublicAccessBlock configuration for both the bucket (or the bucket that contains the object) and the bucket owner's account. If the PublicAccessBlock settings are different between the bucket and the account, Amazon S3 uses the most restrictive combination of the bucket-level and account-level settings.
GetPublicAccessBlock:
CreateMultipartUpload.
kms:Decrypt and kms:GenerateDataKey* actions on the key. These permissions are required because Amazon S3 must decrypt and read data from the encrypted file parts before it completes the multipart upload. For more information, see Multipart upload API and permissions in the Amazon S3 User Guide.
x-amz-acl request header. For more information, see Canned ACL.
x-amz-grant-read, x-amz-grant-read-acp, x-amz-grant-write-acp, and x-amz-grant-full-control headers. These parameters map to the set of permissions that Amazon S3 supports in an ACL. For more information, see Access Control List (ACL) Overview.
x-amz-server-side-encryption
x-amz-server-side-encryption-aws-kms-key-id
x-amz-server-side-encryption-context
x-amz-server-side-encryption:aws:kms, but don't provide x-amz-server-side-encryption-aws-kms-key-id, Amazon S3 uses the Amazon Web Services managed key in Amazon Web Services KMS to protect the data.
x-amz-server-side-encryption-customer-algorithm
x-amz-server-side-encryption-customer-key
x-amz-server-side-encryption-customer-key-MD5
x-amz-acl) — Amazon S3 supports a set of predefined ACLs, known as canned ACLs. Each canned ACL has a predefined set of grantees and permissions. For more information, see Canned ACL.
x-amz-grant-read
x-amz-grant-write
x-amz-grant-read-acp
x-amz-grant-write-acp
x-amz-grant-full-control
id – if the value specified is the canonical user ID of an Amazon Web Services account
uri – if you are granting permissions to a predefined group
emailAddress – if the value specified is the email address of an Amazon Web Services account
x-amz-grant-read header grants the Amazon Web Services accounts identified by account IDs permissions to read object data and its metadata:
x-amz-grant-read: id="11112222333", id="444455556666"
CreateMultipartUpload:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
Object key for which the multipart upload is to be initiated.
IsTruncated element in the response. If there are no more configurations to list, IsTruncated is set to false. If there are more configurations to list, IsTruncated is set to true, and there will be a value in NextContinuationToken. You use the NextContinuationToken value to continue the pagination of the list by passing the value in continuation-token in the request to GET the next page.
s3:GetAnalyticsConfiguration
action. The bucket owner has this permission by default. The bucket owner can grant
this permission to others. For more information about permissions, see Permissions
Related to Bucket Subresource Operations and Managing
Access Permissions to Your Amazon S3 Resources.
ListBucketAnalyticsConfigurations
:
ListBucketIntelligentTieringConfigurations
include:
IsTruncated element in the response. If there are no more configurations to list, IsTruncated is set to false. If there are more configurations to list, IsTruncated is set to true, and there is a value in NextContinuationToken. You use the NextContinuationToken value to continue the pagination of the list by passing the value in continuation-token in the request to GET the next page.
s3:GetInventoryConfiguration
action. The bucket owner has this permission by default. The bucket owner can grant
this permission to others. For more information about permissions, see Permissions
Related to Bucket Subresource Operations and Managing
Access Permissions to Your Amazon S3 Resources.
ListBucketInventoryConfigurations
:
IsTruncated element in the response. If there are no more configurations to list, IsTruncated is set to false. If there are more configurations to list, IsTruncated is set to true, and there is a value in NextContinuationToken. You use the NextContinuationToken value to continue the pagination of the list by passing the value in continuation-token in the request to GET the next page.
s3:GetMetricsConfiguration
action. The bucket owner has this permission by default. The bucket owner can grant
this permission to others. For more information about permissions, see Permissions
Related to Bucket Subresource Operations and Managing
Access Permissions to Your Amazon S3 Resources.
ListBucketMetricsConfigurations
:
s3:ListAllMyBuckets
permission.
max-uploads parameter in the response. If additional multipart uploads satisfy the list criteria, the response will contain an IsTruncated element with the value true. To list the additional multipart uploads, use the key-marker and upload-id-marker request parameters.
ListMultipartUploads
:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
Lists in-progress uploads only for those keys that begin with the specified prefix. You can use prefixes to separate a bucket into different grouping of keys. (You can think of using prefix to make groups in the same way you'd use a folder in a file system.)
ListObjects
.
ListObjects
:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
Limits the response to keys that begin with the specified prefix.
200 OK response can contain valid or invalid XML. Make sure to design your application to parse the contents of the response and handle it appropriately. Objects are returned sorted in an ascending order of the respective key names in the list. For more information about listing objects, see Listing object keys programmatically
s3:ListBucket
action. The bucket owner has
this permission by default and can grant this permission to others. For more information
about permissions, see Permissions
Related to Bucket Subresource Operations and Managing
Access Permissions to Your Amazon S3 Resources.
ListObjectsV2
:
max-parts request parameter. If your multipart upload consists of more than 1,000 parts, the response returns an IsTruncated field with the value of true, and a NextPartNumberMarker element. In subsequent ListParts requests you can include the part-number-marker query string parameter and set its value to the NextPartNumberMarker field value from the previous response.
kms:Decrypt action for the request to succeed.
ListParts
:
AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com
. When using this action with S3 on Outposts through the Amazon Web Services SDKs, you provide the Outposts bucket ARN in place of the bucket name. For more information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts in the Amazon S3 User Guide.
Object key for which the multipart upload was initiated.
Upload ID identifying the multipart upload whose parts are being listed.
s3:ListBucketVersions
action. Be aware of the name difference.
ListObjectVersions
:
s3.amazonaws.com endpoint, the request goes to the us-east-1 Region. Accordingly, the signature calculations in Signature Version 4 must use us-east-1 as the Region, even if the location constraint in the request specifies another Region where the bucket is to be created. If you create a bucket in a Region other than US East (N. Virginia), your application must be able to handle 307 redirect. For more information, see Virtual hosting of buckets.
400 error and returns the InvalidBucketAclWithObjectOwnership error code. For more information, see Controlling object ownership in the Amazon S3 User Guide.
x-amz-acl request header. Amazon S3 supports a set of predefined ACLs, known as canned ACLs. Each canned ACL has a predefined set of grantees and permissions. For more information, see Canned ACL.
x-amz-grant-read, x-amz-grant-write, x-amz-grant-read-acp, x-amz-grant-write-acp, and x-amz-grant-full-control headers. These headers map to the set of permissions Amazon S3 supports in an ACL. For more information, see Access control list (ACL) overview.
id – if the value specified is the canonical user ID of an Amazon Web Services account
uri – if you are granting permissions to a predefined group
emailAddress – if the value specified is the email address of an Amazon Web Services account
x-amz-grant-read header grants the Amazon Web Services accounts identified by account IDs permissions to read object data and its metadata:
x-amz-grant-read: id="11112222333", id="444455556666"
s3:CreateBucket, the following permissions are required when your CreateBucket includes specific headers:
CreateBucket request specifies ACL permissions and the ACL is public-read, public-read-write, authenticated-read, or if you specify access permissions explicitly through any other ACL, both s3:CreateBucket and s3:PutBucketAcl permissions are needed. If the ACL of the CreateBucket request is private or the request doesn't specify any ACLs, only s3:CreateBucket permission is needed.
ObjectLockEnabledForBucket is set to true in your CreateBucket request, s3:PutBucketObjectLockConfiguration and s3:PutBucketVersioning permissions are required.
x-amz-object-ownership header, s3:PutBucketOwnershipControls permission is required.
CreateBucket
:
s3:PutAccelerateConfiguration
action. The bucket owner has this permission by default. The bucket owner can grant
this permission to others. For more information about permissions, see Permissions
Related to Bucket Subresource Operations and Managing
Access Permissions to Your Amazon S3 Resources.
PutBucketAccelerateConfiguration
:
Grantee
request element to grant access to other people. The Permissions
request
element specifies the kind of access the grantee has to the logs.
Grantee
request element to grant
access to others. Permissions can only be granted using policies. For more information,
see Permissions
for server access log delivery in the Amazon S3 User Guide.
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID><>ID<></ID><DisplayName><>GranteesEmail<></DisplayName>
</Grantee>
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AmazonCustomerByEmail"><EmailAddress><>Grantees@email.com<></EmailAddress></Grantee>
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group"><URI><>http://acs.amazonaws.com/groups/global/AuthenticatedUsers<></URI></Grantee>
<BucketLoggingStatus xmlns="http://doc.s3.amazonaws.com/2006-03-01" />
PutBucketLogging
:
s3:PutMetricsConfiguration
action. The bucket owner has this permission by default. The bucket owner can grant
this permission to others. For more information about permissions, see Permissions
Related to Bucket Subresource Operations and Managing
Access Permissions to Your Amazon S3 Resources.
PutBucketMetricsConfiguration
:
GetBucketLifecycle
has the following special error:
TooManyConfigurations
NotificationConfiguration
.
<NotificationConfiguration>
</NotificationConfiguration>
s3:PutBucketNotification
permission.
TopicConfiguration
specifying only the s3:ReducedRedundancyLostObject
event type, the response
will also include the x-amz-sns-test-message-id
header containing the
message ID of the test notification sent to the topic.
PutBucketNotificationConfiguration
:
OwnershipControls
for an Amazon S3 bucket. To use
this operation, you must have the s3:PutBucketOwnershipControls
permission.
For more information about Amazon S3 permissions, see Specifying
permissions in a policy.
PutBucketOwnershipControls
:
PutBucketPolicy permissions on the specified bucket and belong to the bucket owner's account in order to use this operation.
PutBucketPolicy permissions, Amazon S3 returns a 403 Access Denied error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not Allowed error.
PutBucketPolicy
:
DeleteMarkerReplication
,
Status
, and Priority
.
SourceSelectionCriteria
, SseKmsEncryptedObjects
,
Status
, EncryptionConfiguration
, and ReplicaKmsKeyID
.
For information about replication configuration, see Replicating
Objects Created with SSE Using KMS keys.
PutBucketReplication
errors, see List
of replication-related error codes
PutBucketReplication
request, you must have s3:PutReplicationConfiguration
permissions for the bucket.
PutBucketReplication
:
PutBucketRequestPayment
:
s3:PutBucketTagging
action. The bucket owner has this permission by default and can grant this permission
to others. For more information about permissions, see Permissions
Related to Bucket Subresource Operations and Managing
Access Permissions to Your Amazon S3 Resources.
PutBucketTagging
has the following special errors:
InvalidTagError
MalformedXMLError
OperationAbortedError
InternalError
PutBucketTagging
:
website
subresource. To configure a bucket as a website, you can add this subresource on the
bucket with website configuration information such as the file name of the index document
and any redirect rules. For more information, see Hosting
Websites on Amazon S3.
s3:PutBucketWebsite permission. By default, only the bucket owner can configure the website attached to a bucket; however, bucket owners can allow other users to set the website configuration by writing a bucket policy that grants them the s3:PutBucketWebsite permission.
WebsiteConfiguration
RedirectAllRequestsTo
HostName
Protocol
WebsiteConfiguration
IndexDocument
Suffix
ErrorDocument
Key
RoutingRules
RoutingRule
Condition
HttpErrorCodeReturnedEquals
KeyPrefixEquals
Redirect
Protocol
HostName
ReplaceKeyPrefixWith
ReplaceKeyWith
HttpRedirectCode
s3:PutLifecycleConfiguration
permission.
s3:DeleteObject
s3:DeleteObjectVersion
s3:PutLifecycleConfiguration
PutBucketLifecycleConfiguration
:
DefaultRetention settings require both a mode and a period.
DefaultRetention period can be either Days or Years but you must select one. You cannot specify Days and Years at the same time.
s3:PutObjectRetention permission in order to place an Object Retention configuration on objects. Bypassing a Governance Retention configuration requires the s3:BypassGovernanceRetention permission.
GetObject
operation when using Object
Lambda access points. For information about Object Lambda access points, see Transforming
objects with Object Lambda access points in the Amazon S3 User Guide.
RequestRoute, RequestToken, StatusCode, ErrorCode, and ErrorMessage. The GetObject response metadata is supported so that the WriteGetObjectResponse caller, typically a Lambda function, can provide the same metadata when it internally invokes GetObject. When WriteGetObjectResponse is called by a customer-owned Lambda function, the metadata returned to the end user GetObject call might differ from what Amazon S3 would normally return.
x-amz-meta. For example, x-amz-meta-my-custom-header: MyCustomValue. The primary use case for this is to forward GetObject metadata.
AbortMultipartUpload
:
403 (Access Denied)
error.
ETag
value, returned after that part was uploaded.
CompleteMultipartUpload
fails, applications should be prepared
to retry the failed requests. For more information, see Amazon
S3 Error Best Practices.
Content-Type: application/x-www-form-urlencoded with Complete Multipart Upload requests. It is not allowed by Amazon S3. Also, if you do not provide a Content-Type header, CompleteMultipartUpload returns a 200 OK response.
CompleteMultipartUpload
has the following special errors:
EntityTooSmall
InvalidPart
InvalidPartOrder
NoSuchUpload
CompleteMultipartUpload
:
200 OK response. This means that a 200 OK response can contain either a success or an error. Design your application to parse the contents of the response and handle it appropriately.
Bad
Request
error. For more information, see Transfer
Acceleration.
x-amz-metadata-directive
header. When you grant permissions, you can use the s3:x-amz-metadata-directive
condition key to enforce certain metadata behavior when objects are uploaded. For
more information, see Specifying
Conditions in a Policy in the Amazon S3 User Guide. For a complete list
of Amazon S3-specific condition keys, see Actions,
Resources, and Condition Keys for Amazon S3.
x-amz-copy-source-if
Headers
Etag
matches or whether the object was modified before or after a specified date, use the
following request parameters:
x-amz-copy-source-if-match
x-amz-copy-source-if-none-match
x-amz-copy-source-if-unmodified-since
x-amz-copy-source-if-modified-since
x-amz-copy-source-if-match and x-amz-copy-source-if-unmodified-since headers are present in the request and evaluate as follows, Amazon S3 returns 200 OK and copies the data:
x-amz-copy-source-if-match condition evaluates to true
x-amz-copy-source-if-unmodified-since condition evaluates to false
x-amz-copy-source-if-none-match and x-amz-copy-source-if-modified-since headers are present in the request and evaluate as follows, Amazon S3 returns the 412 Precondition Failed response code:
x-amz-copy-source-if-none-match condition evaluates to false
x-amz-copy-source-if-modified-since condition evaluates to true
x-amz- prefix, including x-amz-copy-source, must be signed.
bucket-owner-full-control
canned ACL or an equivalent form of this ACL expressed in the XML format.
CopyObject
action to change the storage class of an object
that is already stored in Amazon S3 using the StorageClass
parameter.
For more information, see Storage
Classes in the Amazon S3 User Guide.
x-amz-copy-source
identifies the current version of an object
to copy. If the current version is a delete marker, Amazon S3 behaves as if the object
was deleted. To copy a different version, use the versionId
subresource.
x-amz-version-id
response header in the response.
CopyObject
:
true
causes Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
403 (Access
Denied)
error.
403 (Access Denied)
error.
Unique identifier for the rule. The value cannot be longer than 255 characters.
DeleteBucketIntelligentTieringConfiguration
include:
403 (Access Denied) error.
DeleteBucketPolicy permissions on the specified bucket and belong to the bucket owner's account to use this operation.
DeleteBucketPolicy permissions, Amazon S3 returns a 403 Access Denied error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not Allowed error.
DeleteBucketPolicy
s3:PutReplicationConfiguration action. The bucket owner has this permission by default and can grant it to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
DeleteBucketReplication
:
403 (Access Denied)
error.
Filter in your replication configuration, you must also include a DeleteMarkerReplication element. If your Filter includes a Tag element, the DeleteMarkerReplication Status must be set to Disabled, because Amazon S3 does not support replicating delete markers for tag-based rules. For an example configuration, see Basic Rule Configuration.
x-amz-delete-marker
,
to true.
x-amz-mfa request header in the DELETE versionId request. Requests that include x-amz-mfa must use HTTPS.
s3:DeleteObject, s3:DeleteObjectVersion, and s3:PutLifecycleConfiguration actions.
DeleteObject
:
s3:PutBucketPublicAccessBlock
permission.
403 (Access Denied)
error.
DeleteObjects
:
s3:DeleteObjectTagging
action.
versionId
query
parameter in the request. You will need permission for the s3:DeleteObjectVersionTagging
action.
DeleteBucketMetricsConfiguration
:
403 (Access Denied)
error.
GET action uses the acl subresource to return the access control list (ACL) of a bucket. To use GET to return the ACL of the bucket, you must have READ_ACP access to the bucket. If READ_ACP permission is granted to the anonymous user, you can return the ACL of the bucket without using an authorization header.
bucket-owner-full-control
ACL with the owner being the account that created the bucket. For more information,
see
Controlling object ownership and disabling ACLs in the Amazon S3 User Guide.
GetBucketIntelligentTieringConfiguration
include:
LocationConstraint
request parameter in a CreateBucket
request. For more information, see
CreateBucket.
GetBucketLocation
:
OwnershipControls
for an Amazon S3 bucket. To use this operation,
you must have the s3:GetBucketOwnershipControls
permission. For more
information about Amazon S3 permissions, see Specifying
permissions in a policy.
GetBucketOwnershipControls
:
The account ID of the expected bucket owner. If the bucket is owned by a different account,
the request will fail with an HTTP 403 (Access Denied)
error.
OwnershipControls
(BucketOwnerEnforced, BucketOwnerPreferred, or
ObjectWriter) currently in effect for this Amazon S3 bucket.
GetBucketPolicy permissions on the specified bucket and belong to the bucket owner's account in order to use this operation.
GetBucketPolicy permissions, Amazon S3 returns a 403 Access Denied error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not Allowed error.
GetBucketPolicy
:
MaxParts
element.
Parts
elements.
GetObjectAttributes, you must have READ access to the object.
GetObjectAttributes combines the functionality of GetObjectAcl, GetObjectLegalHold, GetObjectLockConfiguration, GetObjectRetention, GetObjectTagging, HeadObject, and ListParts. All of the data returned with each of those individual calls can be returned with a single call to GetObjectAttributes.
x-amz-server-side-encryption
, should
not be sent for GET requests if your object uses server-side encryption with CMKs
stored in Amazon Web Services KMS (SSE-KMS) or server-side encryption with Amazon
S3–managed encryption keys (SSE-S3). If your object does use these types of keys,
you'll get an HTTP 400 BadRequest error.
If-Match and If-Unmodified-Since headers are present in the request as follows:
If-Match condition evaluates to true, and;
If-Unmodified-Since condition evaluates to false;
200 OK and the data requested.
If-None-Match and If-Modified-Since headers are present in the request as follows:
If-None-Match condition evaluates to false, and;
If-Modified-Since condition evaluates to true;
304 Not Modified response code.
s3:GetObjectVersion and s3:GetObjectVersionAttributes permissions for this operation. If the bucket is not versioned, you need the s3:GetObject and s3:GetObjectAttributes permissions. For more information, see Specifying Permissions in a Policy. If the object you request does not exist, the error Amazon S3 returns depends on whether you also have the s3:ListBucket permission.
s3:ListBucket permission on the bucket, Amazon S3 returns an HTTP status code 404 ("no such key") error.
s3:ListBucket permission, Amazon S3 returns an HTTP status code 403 ("access denied") error.
GetObjectAttributes
:
403 (Access Denied)
error.
x-amz-server-side-encryption-customer-algorithm
header.
GetObjectLegalHold
:
403 (Access Denied)
error.
GetObjectLockConfiguration
:
403 (Access Denied)
error.
HEAD request has the same options as a GET action on an object. The response is identical to the GET response except that there is no response body. Because of this, if the HEAD request generates an error, it returns a generic 404 Not Found or 403 Forbidden code. It is not possible to retrieve the exact exception beyond these error codes.
x-amz-server-side-encryption
, should
not be sent for GET requests if your object uses server-side encryption with CMKs
stored in Amazon Web Services KMS (SSE-KMS) or server-side encryption with Amazon
S3–managed encryption keys (SSE-S3). If your object does use these types of keys,
you’ll get an HTTP 400 BadRequest error.
If-Match and If-Unmodified-Since headers are present in the request as follows:
If-Match condition evaluates to true, and;
If-Unmodified-Since condition evaluates to false;
200 OK and the data requested.
If-None-Match and If-Modified-Since headers are present in the request as follows:
If-None-Match condition evaluates to false, and;
If-Modified-Since condition evaluates to true;
304 Not Modified response code.
s3:ListBucket
permission on the bucket, Amazon S3 returns
an HTTP status code 404 ("no such key") error.
s3:ListBucket
permission, Amazon S3 returns an
HTTP status code 403 ("access denied") error.
HeadObject
:
ChecksumMode
and the object is KMS encrypted,
you must have permission to the kms:Decrypt
action for the request to
succeed.
403 (Access Denied)
error.
Amazon S3 can return this header if your request involves a bucket that is either a source or a destination in a replication rule.
In replication, you have a source bucket on which you configure replication and destination bucket or buckets where Amazon S3 stores object replicas. When you request an object (GetObject) or object metadata (HeadObject) from these buckets, Amazon S3 will return the x-amz-replication-status header in the response as follows:
If requesting an object from the source bucket — Amazon S3 will return the x-amz-replication-status header if the object in your request is eligible for replication.
For example, suppose that in your replication configuration, you specify object prefix TaxDocs requesting Amazon S3 to replicate objects with key prefix TaxDocs. Any objects you upload with this key name prefix, for example TaxDocs/document1.pdf, are eligible for replication. For any object request with this key name prefix, Amazon S3 will return the x-amz-replication-status header with value PENDING, COMPLETED or FAILED indicating object replication status.
If requesting an object from a destination bucket — Amazon S3 will return the x-amz-replication-status header with value REPLICA if the object in your request is a replica that Amazon S3 created.
When replicating objects to multiple destination buckets the x-amz-replication-status header acts differently. The header of the source object will only return a value of COMPLETED when replication is successful to all destinations. The header will remain at value PENDING until replication has completed for all destinations. If one or more destinations fails replication the header will return FAILED.
For more information, see Replication.
GET, you must have READ access to the object. If you grant READ access to the anonymous user, you can return the object without using an authorization header.
sample.jpg, you can name it photos/2006/February/sample.jpg.
GET operation. For a virtual hosted-style request example, if you have the object photos/2006/February/sample.jpg, specify the resource as /photos/2006/February/sample.jpg. For a path-style request example, if you have the object photos/2006/February/sample.jpg in the bucket named examplebucket, specify the resource as /examplebucket/photos/2006/February/sample.jpg. For more information about request types, see HTTP Host Header Bucket Specification.
InvalidObjectStateError error. For information about restoring archived objects, see Restoring Archived Objects.
x-amz-server-side-encryption, should not be sent for GET requests if your object uses server-side encryption with KMS keys (SSE-KMS) or server-side encryption with Amazon S3 managed encryption keys (SSE-S3). If your object does use these types of keys, you'll get an HTTP 400 BadRequest error.
x-amz-tagging-count header that provides the count of number of tags associated with the object. You can use GetObjectTagging to retrieve the tag set associated with an object.
s3:ListBucket permission.
s3:ListBucket permission on the bucket, Amazon S3 will return an HTTP status code 404 ("no such key") error.
s3:ListBucket permission, Amazon S3 will return an HTTP status code 403 ("access denied") error.
versionId subresource.
s3:GetObjectVersion permission to access a specific version of an object.
x-amz-delete-marker: true in the response.
Content-Type, Content-Language, Expires, Cache-Control, Content-Disposition, and Content-Encoding. To override these header values in the GET response, you use the following request parameters.
response-content-type
response-content-language
response-expires
response-cache-control
response-content-disposition
response-content-encoding
If-Match and If-Unmodified-Since headers are present in the request as follows: If-Match condition evaluates to true, and; If-Unmodified-Since condition evaluates to false; then, S3 returns 200 OK and the data requested.
If-None-Match and If-Modified-Since headers are present in the request as follows: If-None-Match condition evaluates to false, and; If-Modified-Since condition evaluates to true; then, S3 returns 304 Not Modified response code.
GetObject:
403 (Access Denied) error.
private void displayProgress(object sender, WriteObjectProgressArgs args)
{
    Console.WriteLine(args);
}
2. Add this method to the Write Object Progress Event delegate's invocation list
GetObjectResponse response = s3Client.GetObject(request);
response.WriteObjectProgressEvent += displayProgress;
GetObjectRetention:
403 (Access Denied) error.
s3:GetObjectTagging action. By default, the GET action returns information about current version of an object. For a versioned bucket, you can have multiple versions of an object in your bucket. To retrieve tags of any other version, use the versionId query parameter. You also need permission for the s3:GetObjectVersionTagging action.
GetObjectTagging:
403 (Access Denied) error.
200 OK if the bucket exists and you have permission to access it.
HEAD request returns a generic 404 Not Found or 403 Forbidden code. A message body is not included, so you cannot determine the exception beyond these error codes.
s3:ListBucket action. The bucket owner has this permission by default and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
403 (Access Denied) error.
CreateMultipartUpload.
kms:Decrypt and kms:GenerateDataKey* actions on the key. These permissions are required because Amazon S3 must decrypt and read data from the encrypted file parts before it completes the multipart upload. For more information, see Multipart upload API and permissions in the Amazon S3 User Guide.
x-amz-acl request header. For more information, see Canned ACL.
x-amz-grant-read, x-amz-grant-read-acp, x-amz-grant-write-acp, and x-amz-grant-full-control headers. These parameters map to the set of permissions that Amazon S3 supports in an ACL. For more information, see Access Control List (ACL) Overview.
x-amz-server-side-encryption:aws:kms, but don't provide x-amz-server-side-encryption-aws-kms-key-id, Amazon S3 uses the Amazon Web Services managed CMK in Amazon Web Services KMS to protect the data.
x-amz-acl) — Amazon S3 supports a set of predefined ACLs, known as canned ACLs. Each canned ACL has a predefined set of grantees and permissions. For more information, see Canned ACL.
id – if the value specified is the canonical user ID of an Amazon Web Services account
uri – if you are granting permissions to a predefined group
emailAddress – if the value specified is the email address of an Amazon Web Services account
x-amz-grant-read header grants the Amazon Web Services accounts identified by account IDs permissions to read object data and its metadata:
x-amz-grant-read: id="11112222333", id="444455556666"
CreateMultipartUpload:
true causes Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
403 (Access Denied) error.
x-amz-abort-rule-id header that provides the ID of the lifecycle configuration rule that defines this action.
x-amz-abort-date header. It identifies the applicable lifecycle configuration rule that defines the action to abort incomplete multipart uploads.
Filter is used to identify objects that the S3 Intelligent-Tiering configuration applies to.
All, the list includes all the object versions, which adds the version-related fields VersionId, IsLatest, and DeleteMarker to the list. If set to Current, the list does not contain these version-related fields.
True, an inventory list is generated. If set to False, no inventory list is generated.
ListBucketIntelligentTieringConfigurations include:
NextContinuationToken from this response to continue the listing in a subsequent request. The continuation token is an opaque value that Amazon S3 understands.
max-uploads parameter in the response. If additional multipart uploads satisfy the list criteria, the response will contain an IsTruncated element with the value true. To list the additional multipart uploads, use the key-marker and upload-id-marker request parameters.
ListMultipartUploads:
CommonPrefixes. If you don't specify the prefix parameter, then the substring starts at the beginning of the key. The keys that are grouped under CommonPrefixes result element are not returned elsewhere in the response.
403 (Access Denied) error.
upload-id-marker is not specified, only the keys lexicographically greater than the specified key-marker will be included in the list.
upload-id-marker is specified, any multipart uploads for a key equal to the key-marker might also be included, provided those multipart uploads have upload IDs lexicographically greater than the specified upload-id-marker.
upload-id-marker.
ListObjects.
ListObjects:
403 (Access Denied) error.
200 OK response can contain valid or invalid XML. Make sure to design your application to parse the contents of the response and handle it appropriately. Objects are returned sorted in an ascending order of the respective key names in the list. For more information about listing objects, see Listing object keys programmatically.
s3:ListBucket action. The bucket owner has this permission by default and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
ListObjectsV2:
403 (Access Denied) error.
CommonPrefixes only if you specify a delimiter.
CommonPrefixes contains all (if there are any) keys between Prefix and the next occurrence of the string specified by a delimiter.
CommonPrefixes lists keys that act like subdirectories in the directory specified by Prefix.
notes/ and the delimiter is a slash (/) as in notes/summer/july, the common prefix is notes/summer/. All of the keys that roll up into a common prefix count as a single return when calculating the number of returns.
MaxKeys value.
Delimiter, Prefix, Key, and StartAfter.
NextContinuationToken is sent when isTruncated is true, which means there are more keys in the bucket that can be listed. The next list requests to Amazon S3 can be continued with this NextContinuationToken. NextContinuationToken is obfuscated and is not a real key
max-parts request parameter. If your multipart upload consists of more than 1,000 parts, the response returns an IsTruncated field with the value of true, and a NextPartNumberMarker element. In subsequent ListParts requests you can include the part-number-marker query string parameter and set its value to the NextPartNumberMarker field value from the previous response.
kms:Decrypt action for the request to succeed.
ListParts:
403 (Access Denied) error.
Owner element. If the initiator is an IAM User, this element provides the user ARN and display name.
s3:Replication:OperationMissedThreshold event.
TRUE indicates that this bucket is public. FALSE indicates that the bucket is not public.
aws:SourceIp. For more information on CIDR, see http://www.rfc-editor.org/rfc/rfc4632.txt
aws:SourceArn
aws:SourceVpc
aws:SourceVpce
aws:SourceOwner
aws:SourceAccount
s3:x-amz-server-side-encryption-aws-kms-key-id
aws:userid outside the pattern "AROLEID:*"
s3:Get*, s3:List*, s3:AbortMultipartUpload, s3:Delete*, s3:Put*, and s3:RestoreObject.
s3:Get* is a bad action, s3:GetObject, s3:GetObjectVersion, and s3:GetObjectAcl are all bad actions.
TRUE causes the following behavior:
TRUE causes Amazon S3 to ignore all public ACLs on this bucket and any objects that it contains.
TRUE causes Amazon S3 to reject calls to PUT Bucket policy if the specified bucket policy allows public access.
TRUE restricts access to this bucket to only Amazon Web Service principals and authorized users within this account if the bucket has a public policy.
PUT action adds an inventory configuration (identified by the inventory ID) to the bucket. You can have up to 1,000 inventory configurations per bucket.
s3:PutInventoryConfiguration action. The bucket owner has this permission by default and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources in the Amazon S3 User Guide.
s3:PutInventoryConfiguration bucket permission to set the configuration on the bucket.
Grantee request element to grant access to other people. The Permissions request element specifies the kind of access the grantee has to the logs.
Grantee request element to grant access to others. Permissions can only be granted using policies. For more information, see Permissions for server access log delivery in the Amazon S3 User Guide.
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID><>ID<></ID><DisplayName><>GranteesEmail<></DisplayName>
</Grantee>
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AmazonCustomerByEmail"><EmailAddress><>Grantees@email.com<></EmailAddress></Grantee>
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group"><URI><>http://acs.amazonaws.com/groups/global/AuthenticatedUsers<></URI></Grantee>
<BucketLoggingStatus xmlns="http://doc.s3.amazonaws.com/2006-03-01" />
PutBucketLogging:
s3:PutMetricsConfiguration action. The bucket owner has this permission by default. The bucket owner can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
PutBucketMetricsConfiguration:
GetBucketLifecycle has the following special error:
TooManyConfigurations
NotificationConfiguration.
<NotificationConfiguration>
</NotificationConfiguration>
s3:PutBucketNotification permission.
TopicConfiguration specifying only the s3:ReducedRedundancyLostObject event type, the response will also include the x-amz-sns-test-message-id header containing the message ID of the test notification sent to the topic.
PutBucketNotificationConfiguration:
OwnershipControls for an Amazon S3 bucket. To use this operation, you must have the s3:PutBucketOwnershipControls permission. For more information about Amazon S3 permissions, see Specifying permissions in a policy.
PutBucketOwnershipControls:
The account ID of the expected bucket owner. If the bucket is owned by a different account, the request will fail with an HTTP 403 (Access Denied) error.
OwnershipControls (BucketOwnerEnforced, BucketOwnerPreferred, or ObjectWriter) that you want to apply to this Amazon S3 bucket.
PutBucketPolicy permissions on the specified bucket and belong to the bucket owner's account in order to use this operation.
PutBucketPolicy permissions, Amazon S3 returns a 403 Access Denied error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Amazon S3 returns a 405 Method Not Allowed error.
PutBucketPolicy:
DeleteMarkerReplication, Status, and Priority.
SourceSelectionCriteria, SseKmsEncryptedObjects, Status, EncryptionConfiguration, and ReplicaKmsKeyID. For information about replication configuration, see Replicating Objects Created with SSE Using CMKs stored in Amazon Web Services KMS.
PutBucketReplication errors, see List of replication-related error codes
PutBucketReplication request, you must have s3:PutReplicationConfiguration permissions for the bucket.
PutBucketReplication:
403 (Access Denied) error.
s3.amazonaws.com endpoint, the request goes to the us-east-1 Region. Accordingly, the signature calculations in Signature Version 4 must use us-east-1 as the Region, even if the location constraint in the request specifies another Region where the bucket is to be created. If you create a bucket in a Region other than US East (N. Virginia), your application must be able to handle 307 redirect. For more information, see Virtual hosting of buckets.
BucketOwnerEnforced value for the x-amz-object-ownership header, your request can either not specify an ACL or specify bucket owner full control ACLs, such as the bucket-owner-full-control canned ACL or an equivalent ACL expressed in the XML format. For more information, see Controlling object ownership in the Amazon S3 User Guide.
x-amz-acl request header. Amazon S3 supports a set of predefined ACLs, known as canned ACLs. Each canned ACL has a predefined set of grantees and permissions. For more information, see Canned ACL.
x-amz-grant-read, x-amz-grant-write, x-amz-grant-read-acp, x-amz-grant-write-acp, and x-amz-grant-full-control headers. These headers map to the set of permissions Amazon S3 supports in an ACL. For more information, see Access control list (ACL) overview.
id – if the value specified is the canonical user ID of an Amazon Web Services account
uri – if you are granting permissions to a predefined group
emailAddress – if the value specified is the email address of an Amazon Web Services account
x-amz-grant-read header grants the Amazon Web Services accounts identified by account IDs permissions to read object data and its metadata:
x-amz-grant-read: id="11112222333", id="444455556666"
s3:CreateBucket, the following permissions are required when your CreateBucket includes specific headers:
CreateBucket request specifies ACL permissions and the ACL is public-read, public-read-write, authenticated-read, or if you specify access permissions explicitly through any other ACL, both s3:CreateBucket and s3:PutBucketAcl permissions are needed. If the ACL in the CreateBucket request is private or the request doesn't specify any ACLs, only s3:CreateBucket permission is needed.
ObjectLockEnabledForBucket is set to true in your CreateBucket request, s3:PutBucketObjectLockConfiguration and s3:PutBucketVersioning permissions are required.
x-amz-object-ownership header, s3:PutBucketOwnershipControls permission is required.
CreateBucket:
s3:PutBucketTagging action. The bucket owner has this permission by default and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources.
PutBucketTagging has the following special errors:
InvalidTagError
MalformedXMLError
OperationAbortedError
InternalError
PutBucketTagging:
PutBucketLifecycleConfiguration:
403 (Access Denied) error.
403 (Access Denied) error.
DefaultRetention settings require both a mode and a period.
DefaultRetention period can be either Days or Years but you must select one. You cannot specify Days and Years at the same time.
true causes Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
x-amz-server-side-encryption is present and has the value of aws:kms, this header specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetrical customer managed key that was used for the object. If you specify x-amz-server-side-encryption:aws:kms, but do not provide x-amz-server-side-encryption-aws-kms-key-id, Amazon S3 uses the Amazon Web Services managed key to protect the data. If the KMS key does not exist in the same account issuing the command, you must use the full ARN and not just the ID.
x-amz-website-redirect-location: /anotherPage.html
x-amz-website-redirect-location: http://www.example.com/
ChecksumAlgorithm.
x-amz-server-side-encryption is present and has the value of aws:kms, this header specifies the ID of the Amazon Web Services Key Management Service (Amazon Web Services KMS) symmetric customer managed key that was used for the object.
s3:PutObjectRetention permission in order to place an Object Retention configuration on objects. Bypassing a Governance Retention configuration requires the s3:BypassGovernanceRetention permission.
s3:PutObjectRetention and s3:BypassGovernanceRetention permissions. For other requests to PutObjectRetention, only s3:PutObjectRetention permissions are required.
403 (Access Denied) error.
403 (Access Denied) error.
PutPublicAccessBlock request body.
Filter is specified), you can specify this element and set the status to Enabled to replicate modifications on replicas.
Filter element, Amazon S3 assumes that the replication configuration is the earlier version, V1. In the earlier version, this element is not allowed.
AccessControlTranslation property, this is the account ID of the destination bucket owner. For more information, see Replication Additional Configuration: Changing the Replica Owner in the Amazon S3 User Guide.
SourceSelectionCriteria is specified, you must specify this element.
Metrics block.
StorageClass element of the PUT Bucket replication action in the Amazon S3 API Reference.
Filter must specify exactly one Prefix, Tag, or an And child element.
Prefix and a Tag filters. Then you wrap these in an And tag.
Tag elements in an And tag.
Metrics block.
select - Perform a select query on an archived object
restore an archive - Restore an archived object
s3:RestoreObject action. The bucket owner has this permission by default and can grant this permission to others. For more information about permissions, see Permissions Related to Bucket Subresource Operations and Managing Access Permissions to Your Amazon S3 Resources in the Amazon S3 User Guide.
S3 structure in the request body, see the following:
SELECT type of restoration for your query in the request body's SelectParameters structure. You can use expressions like the following examples.
SELECT * FROM Object
SELECT s._1, s._2 FROM Object s WHERE s._3 > 100
fileHeaderInfo in the CSV structure in the request body to USE, you can specify headers in the query. (If you set the fileHeaderInfo field to IGNORE, the first row is skipped for the query.) You cannot mix ordinal positions with header column names.
SELECT s.Id, s.FirstName, s.SSN FROM S3Object s
Expedited tier. For more information about tiers, see "Restoring Archives," later in this topic.
409.
Tier element of the request body:
Expedited - Expedited retrievals allow you to quickly access your data stored in the S3 Glacier storage class or S3 Intelligent-Tiering Archive tier when occasional urgent requests for a subset of archives are required. For all but the largest archived objects (250 MB+), data accessed using Expedited retrievals is typically made available within 1–5 minutes. Provisioned capacity ensures that retrieval capacity for Expedited retrievals is available when you need it. Expedited retrievals and provisioned capacity are not available for objects stored in the S3 Glacier Deep Archive storage class or S3 Intelligent-Tiering Deep Archive tier.
Standard - Standard retrievals allow you to access any of your archived objects within several hours. This is the default option for retrieval requests that do not specify the retrieval option. Standard retrievals typically finish within 3–5 hours for objects stored in the S3 Glacier storage class or S3 Intelligent-Tiering Archive tier. They typically finish within 12 hours for objects stored in the S3 Glacier Deep Archive storage class or S3 Intelligent-Tiering Deep Archive tier. Standard retrievals are free for objects stored in S3 Intelligent-Tiering.
Bulk - Bulk retrievals are the lowest-cost retrieval option in S3 Glacier, enabling you to retrieve large amounts, even petabytes, of data inexpensively. Bulk retrievals typically finish within 5–12 hours for objects stored in the S3 Glacier storage class or S3 Intelligent-Tiering Archive tier. They typically finish within 48 hours for objects stored in the S3 Glacier Deep Archive storage class or S3 Intelligent-Tiering Deep Archive tier. Bulk retrievals are free for objects stored in S3 Intelligent-Tiering.
Expedited data access, see Restoring Archived Objects in the Amazon S3 User Guide.
HEAD request. Operations return the x-amz-restore header, which provides information about the restoration status, in the response. You can use Amazon S3 event notifications to notify you when a restore is initiated or completed. For more information, see Configuring Amazon S3 Event Notifications in the Amazon S3 User Guide.
200 OK or 202 Accepted status code.
202 Accepted in the response.
200 OK in the response.
OutputLocation.
403 (Access Denied) error.
aws:kms, this optional value specifies the ID of the symmetric customer managed key to use for encryption of job results. Amazon S3 only supports symmetric keys. For more information, see Using symmetric and asymmetric keys in the Amazon Web Services Key Management Service Developer Guide.
SSEAlgorithm is set to aws:kms.
1234abcd-12ab-34cd-56ef-1234567890ab
arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
BucketKeyEnabled element to true causes Amazon S3 to use bucket key. By default, bucket key is not enabled.
SourceSelectionCriteria in the replication configuration, this element is required.
Filter is specified), you can specify this element and set the status to Enabled to replicate modifications on replicas.
Filter element, Amazon S3 assumes that the replication configuration is the earlier version, V1. In the earlier version, this element is not allowed
Content-MD5 header in the upload part request. Amazon S3 checks the part data against the provided MD5 value. If they do not match, Amazon S3 returns an error.
x-amz-content-sha256 header as a checksum instead of Content-MD5. For more information see Authenticating Requests: Using the Authorization Header (Amazon Web Services Signature Version 4).
ChecksumAlgorithm.
403 (Access Denied) error.
GetObject operation when using Object Lambda Access Points. For information about Object Lambda Access Points, see Transforming objects with Object Lambda Access Points in the Amazon S3 User Guide.
RequestRoute, RequestToken, StatusCode, ErrorCode, and ErrorMessage. The GetObject response metadata is supported so that the WriteGetObjectResponse caller, typically a Lambda function, can provide the same metadata when it internally invokes GetObject. When WriteGetObjectResponse is called by a customer-owned Lambda function, the metadata returned to the end user GetObject call might differ from what Amazon S3 would normally return.
x-amz-meta. For example, x-amz-meta-my-custom-header: MyCustomValue. The primary use case for this is to forward GetObject metadata.
WriteGetObjectResponse to the end user GetObject request.
StatusCode header or when transformed object is provided in body.
StatusCode header or when transformed object is provided in body.
true) or is not (false) a delete marker.
x-amz-meta headers. This can happen if you create metadata using an API like SOAP that supports more flexible metadata than the REST API. For example, using SOAP, you can create metadata whose values are not legal HTTP headers.
private void displayProgress(object sender, DownloadDirectoryProgressArgs args)
{
    Console.WriteLine(args);
}
2. Add this method to the DownloadedDirectoryProgressEvent delegate's invocation list
TransferUtilityDownloadDirectoryRequest request = new TransferUtilityDownloadDirectoryRequest();
request.DownloadedDirectoryProgressEvent += displayProgress;
private void displayProgress(object sender, WriteObjectProgressArgs args)
{
    Console.WriteLine(args);
}
2. Add this method to the WriteObjectProgressEvent delegate's invocation list
TransferUtilityDownloadRequest request = new TransferUtilityDownloadRequest();
request.WriteObjectProgressEvent += displayProgress;
private void displayProgress(object sender, UploadDirectoryProgressArgs args)
{
    Console.WriteLine(args);
}
2. Add this method to the UploadDirectoryProgressEvent delegate's invocation list
TransferUtilityUploadDirectoryRequest request = new TransferUtilityUploadDirectoryRequest();
request.UploadDirectoryProgressEvent += displayProgress;
private void displayProgress(object sender, UploadProgressArgs args)
{
    Console.WriteLine(args);
}
2. Add this method to the UploadProgressEvent delegate's invocation list
TransferUtilityUploadRequest request = new TransferUtilityUploadRequest();
request.UploadProgressEvent += displayProgress;
ChecksumAlgorithm.
The STANDARD mode provides the latest recommended default values that should be safe to run in most scenarios.
Note that the default values vended from this mode might change as best practices evolve. As a result, it is encouraged to perform tests when upgrading the SDK.
The IN_REGION mode builds on the standard mode and includes optimization tailored for applications which call AWS services from within the same AWS region.
Note that the default values vended from this mode might change as best practices evolve. As a result, it is encouraged to perform tests when upgrading the SDK.
The CROSS_REGION mode builds on the standard mode and includes optimization tailored for applications which call AWS services in a different region.
Note that the default values vended from this mode might change as best practices evolve. As a result, it is encouraged to perform tests when upgrading the SDK.
The MOBILE mode builds on the standard mode and includes optimization tailored for mobile applications.
Note that the default values vended from this mode might change as best practices evolve. As a result, it is encouraged to perform tests when upgrading the SDK.
The AUTO mode is an experimental mode that builds on the standard mode. The SDK will attempt to discover the execution environment to determine the appropriate settings automatically.
Note that the auto detection is heuristics-based and does not guarantee 100% accuracy. STANDARD mode will be used if the execution environment cannot be determined. The auto detection might query EC2 Instance Metadata service, which might introduce latency. Therefore we recommend choosing an explicit defaults_mode instead if startup latency is critical to your application.
The LEGACY mode provides default settings that vary per SDK and were used prior to establishment of defaults_mode.
<configSections>
<section name="aws" type="Amazon.AWSSection, AWSSDK"/>
</configSections>
<aws>
<s3 useSignatureVersion4="true" />
</aws>