### Install Project Dependencies and Test Requirements

Source: https://github.com/simonw/s3-credentials/blob/main/docs/contributing.md

Install s3-credentials in editable mode along with all test dependencies using pip. The '[test]' extra specifies optional test-related packages defined in setup.py.

```bash
pip install -e '.[test]'
```

--------------------------------

### Clone and Set Up Python Virtual Environment

Source: https://github.com/simonw/s3-credentials/blob/main/docs/contributing.md

Clone the s3-credentials repository and create a Python virtual environment using venv. This isolates project dependencies from the system Python installation.

```bash
cd s3-credentials
python -m venv venv
source venv/bin/activate
```

--------------------------------

### Set Up Python Virtual Environment with pipenv

Source: https://github.com/simonw/s3-credentials/blob/main/docs/contributing.md

Alternative method to set up a Python virtual environment using pipenv, which provides dependency management and environment isolation in a single tool.

```bash
pipenv shell
```

--------------------------------

### Update Generated Documentation with Cog

Source: https://github.com/simonw/s3-credentials/blob/main/docs/contributing.md

Regenerate README.md documentation using Cog when policy definitions change. The -r flag rewrites the file in place with updated content from code examples.

```bash
cog -r README.md
```

--------------------------------

### Apply Custom S3 Policy via File (CLI)

Source: https://github.com/simonw/s3-credentials/blob/main/docs/create.md

Command-line example demonstrating how to create S3 credentials using a custom policy defined in a JSON file. The `--policy` option takes the path to the policy file.

```bash
% s3-credentials create my-s3-bucket \
  --policy custom-policy.json
```

--------------------------------

### Add Extra Statement to S3 Policy (CLI)

Source: https://github.com/simonw/s3-credentials/blob/main/docs/create.md

Command-line example for creating S3 credentials while adding an extra IAM policy statement. This example enables AWS Textract APIs, useful for OCR tasks with S3 objects.

```bash
% s3-credentials create my-s3-bucket --statement '{
  "Effect": "Allow",
  "Action": "textract:*",
  "Resource": "*"
}'
```

--------------------------------

### Apply Custom S3 Policy via String (CLI)

Source: https://github.com/simonw/s3-credentials/blob/main/docs/create.md

Command-line example showing how to create S3 credentials by providing a custom policy directly as a JSON string to the `--policy` option. This is useful for inline policy definitions.

```bash
% s3-credentials create my-s3-bucket --policy '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject*", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::$!BUCKET_NAME!$",
        "arn:aws:s3:::$!BUCKET_NAME!$/*"
      ]
    }
  ]
}'
```

--------------------------------

### Get S3 Bucket Policy

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

Retrieves and displays the current bucket policy for a specified S3 bucket. Returns the policy document in JSON format showing permissions and principals.

```bash
s3-credentials get-bucket-policy my-bucket
```

--------------------------------

### Set S3 Bucket Policy with s3-credentials

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Sets a policy for an S3 bucket using a JSON policy file or a predefined option to allow all GET requests. Supports custom endpoint URLs and authentication via files.

```bash
s3-credentials set-bucket-policy my-bucket --policy-file policy.json
s3-credentials set-bucket-policy my-bucket --allow-all-get
```

--------------------------------

### Get S3 Bucket Policy

Source: https://context7.com/simonw/s3-credentials/llms.txt

Displays the bucket policy document for a given S3 bucket. This command is useful for inspecting access control and permissions set on the bucket. It takes the bucket name as an argument and outputs the policy in JSON format.

```bash
s3-credentials get-bucket-policy my-public-bucket
```

--------------------------------

### Set Default CORS Policy on S3 Bucket

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

Sets a default CORS policy on an S3 bucket that allows GET requests from any origin. The policy is bucket-level and cannot be applied to individual objects.

```bash
s3-credentials set-cors-policy my-cors-bucket
```

--------------------------------

### Get Current CORS Policy from S3 Bucket

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

Retrieves and displays the current CORS policy configuration for a specified S3 bucket. Returns policy details in JSON format including allowed methods, origins, and headers.

```bash
s3-credentials get-cors-policy my-cors-bucket
```

--------------------------------

### Get S3 Public Access Block Configuration

Source: https://context7.com/simonw/s3-credentials/llms.txt

Retrieves the public access block settings for an S3 bucket. This helps in understanding the current restrictions preventing public access to the bucket and its objects. The command requires the bucket name and outputs the configuration as a JSON object.

```bash
s3-credentials get-public-access-block my-bucket
```

--------------------------------

### Python API: Generate Public S3 Bucket Policy

Source: https://context7.com/simonw/s3-credentials/llms.txt

Demonstrates using the s3_credentials Python library to create a bucket policy document that allows public read access to an S3 bucket. This snippet is a starting point for generating policies that grant broader access, requiring the `json` library for output formatting.

```python
from s3_credentials import policies
import json
```

--------------------------------

### Get CORS Policy for S3 Bucket

Source: https://context7.com/simonw/s3-credentials/llms.txt

Retrieves the current Cross-Origin Resource Sharing (CORS) configuration for a specified S3 bucket. This operation requires the bucket name as input and returns a JSON array detailing the CORS rules.

```bash
s3-credentials get-cors-policy my-bucket
```

--------------------------------

### Set Custom CORS Policy with Multiple Methods and Headers

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

Configures a custom CORS policy allowing GET and PUT methods from a specific origin, with custom headers and preflight caching. Supports options for allowed methods, headers, origins, exposed headers, and max-age.

```bash
s3-credentials set-cors-policy my-cors-bucket2 \
  --allowed-method GET \
  --allowed-method PUT \
  --allowed-origin https://www.example.com/ \
  --expose-header ETag \
  --max-age-seconds 60
```

--------------------------------

### Set S3 Bucket Policy for Public Access

Source: https://context7.com/simonw/s3-credentials/llms.txt

Applies a bucket policy that allows public GET requests for all objects within a specified S3 bucket. This command simplifies the process of making bucket contents publicly readable. It requires the bucket name and uses a flag to enable public access.

```bash
s3-credentials set-bucket-policy my-bucket --allow-all-get
```

--------------------------------

### Generate Public S3 Bucket Policy (Python)

Source: https://context7.com/simonw/s3-credentials/llms.txt

This snippet demonstrates how to generate a public S3 bucket policy using the policies.bucket_policy_allow_all_get function. It takes a bucket name as input and outputs a JSON policy allowing all GET object requests. This is useful for making buckets publicly readable.

```python
import json

# Assuming 'policies' is an imported module with the necessary function
# For demonstration, we'll simulate the output of policies.bucket_policy_allow_all_get
def generate_public_policy(bucket_name):
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAllGetObject",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{bucket_name}/*"]
            }
        ]
    }

public_policy = generate_public_policy("my-public-bucket")
print(json.dumps(public_policy, indent=2))
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::my-public-bucket/*"]
    }
  ]
}
```

--------------------------------

### s3-credentials create --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Displays help information specifically for the `create` command within the s3-credentials CLI. It details the usage and any specific options or arguments required for creating credentials.

```bash
Usage: s3-credentials create [OPTIONS]

  Create and return new AWS credentials for the current user

Options:
  --profile TEXT  The AWS profile to use
  --help          Show this message and exit.
```

--------------------------------

### s3-credentials Main Help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Shows the primary usage, general options, and a list of available commands for the s3-credentials CLI. This output is typically displayed when running `s3-credentials --help`.

```bash
Usage: s3-credentials [OPTIONS] COMMAND [ARGS]...

  A tool for creating credentials for accessing S3 buckets

  Documentation: https://s3-credentials.readthedocs.io/

Options:
  --version  Show the version and exit.
  --help     Show this message and exit.

Commands:
  create                   Create and return new AWS credentials for...
  debug-bucket             Run a bunch of diagnostics to help debug a bucket
  delete-objects           Delete one or more object from an S3 bucket
  delete-user              Delete specified users, their access keys and...
  get-bucket-policy        Get bucket policy for a bucket
  get-cors-policy          Get CORS policy for a bucket
  get-object               Download an object from an S3 bucket
  get-objects              Download multiple objects from an S3 bucket
  get-public-access-block  Get the public access settings for an S3 bucket
  list-bucket              List contents of bucket
  list-buckets             List buckets
  list-roles               List roles
  list-user-policies       List inline policies for specified users
  list-users               List all users for this account
  policy                   Output generated JSON policy for one or more...
  put-object               Upload an object to an S3 bucket
  put-objects              Upload multiple objects to an S3 bucket
  set-bucket-policy        Set bucket policy for a bucket
  set-cors-policy          Set CORS policy for a bucket
  set-public-access-block  Configure public access settings for an S3 bucket.
  whoami                   Identify currently authenticated user
```

--------------------------------

### s3-credentials list-roles --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Shows help for the `list-roles` command, which lists the available IAM roles. This command usually does not require any arguments.

```bash
Usage: s3-credentials list-roles [OPTIONS]

  List roles

Options:
  --help  Show this message and exit.
```

--------------------------------

### s3-credentials debug-bucket --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Provides help for the `debug-bucket` command in s3-credentials, outlining how to run diagnostics on an S3 bucket. It specifies the required arguments and any available options.

```bash
Usage: s3-credentials debug-bucket [OPTIONS]

  Run a bunch of diagnostics to help debug a bucket

Options:
  --bucket TEXT  The name of the bucket to debug
  --help         Show this message and exit.
```

--------------------------------

### s3-credentials get-objects --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Provides help for the `get-objects` command, used to download multiple objects from an S3 bucket. It details options for specifying the bucket, keys, and recursive downloads.

```bash
Usage: s3-credentials get-objects [OPTIONS]

  Download multiple objects from an S3 bucket

Options:
  --bucket TEXT                 The name of the bucket
  --key TEXT                    The key of the object to download
  --output TEXT                 The path to save the downloaded objects to
  --recursive / --no-recursive  Recursively download objects
  --help                        Show this message and exit.
```

--------------------------------

### List S3 Buckets with Details

Source: https://context7.com/simonw/s3-credentials/llms.txt

Shows detailed configuration information for specified S3 buckets, including creation date, region, ACLs, and public access block settings. Requires the bucket name as an argument.

```bash
s3-credentials list-buckets my-bucket --details
```

--------------------------------

### s3-credentials list-buckets --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Provides help for the `list-buckets` command, which lists all S3 buckets accessible by the current credentials. This command typically takes no arguments.

```bash
Usage: s3-credentials list-buckets [OPTIONS]

  List buckets

Options:
  --help  Show this message and exit.
```

--------------------------------

### s3-credentials list-bucket --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Displays help for the `list-bucket` command, which lists the contents (objects) of a specified S3 bucket. It requires the `--bucket` argument.

```bash
Usage: s3-credentials list-bucket [OPTIONS]

  List contents of bucket

Options:
  --bucket TEXT  The name of the bucket
  --prefix TEXT  Only show objects with this prefix
  --help         Show this message and exit.
```

--------------------------------

### s3-credentials get-object --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Displays help for the `get-object` command, used to download a single object from an S3 bucket. It requires specifying the bucket and the object's key.

```bash
Usage: s3-credentials get-object [OPTIONS]

  Download an object from an S3 bucket

Options:
  --bucket TEXT  The name of the bucket
  --key TEXT     The key of the object to download
  --output TEXT  The path to save the downloaded object to
  --help         Show this message and exit.
```

--------------------------------

### s3-credentials get-bucket-policy --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Provides help for the `get-bucket-policy` command, which retrieves the bucket policy for a specified S3 bucket. It details the necessary `--bucket` argument.

```bash
Usage: s3-credentials get-bucket-policy [OPTIONS]

  Get bucket policy for a bucket

Options:
  --bucket TEXT  The name of the bucket
  --help         Show this message and exit.
```

--------------------------------

### s3-credentials list-user-policies --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Displays help for the `list-user-policies` command, used to list the inline policies attached to specified IAM users. It requires the `--user` argument.

```bash
Usage: s3-credentials list-user-policies [OPTIONS]

  List inline policies for specified users

Options:
  --user TEXT  The username to list policies for
  --help       Show this message and exit.
```

--------------------------------

### s3-credentials policy --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Shows help for the `policy` command, used to generate JSON policies for IAM users or roles. It details the options for specifying users/roles and policy types.

```bash
Usage: s3-credentials policy [OPTIONS]

  Output generated JSON policy for one or more users or roles

Options:
  --user TEXT         The username to generate a policy for
  --role TEXT         The role name to generate a policy for
  --policy-type TEXT  The type of policy to generate (e.g., read-only, read-write)
  --help              Show this message and exit.
```

--------------------------------

### s3-credentials whoami --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Shows help for the `whoami` command, which identifies the currently authenticated IAM user. This command typically takes no arguments.

```bash
Usage: s3-credentials whoami [OPTIONS]

  Identify currently authenticated user

Options:
  --help  Show this message and exit.
```

--------------------------------

### s3-credentials set-bucket-policy --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Shows help for the `set-bucket-policy` command, used to set the bucket policy for an S3 bucket. It requires specifying the bucket and the path to the policy JSON file.

```bash
Usage: s3-credentials set-bucket-policy [OPTIONS]

  Set bucket policy for a bucket

Options:
  --bucket TEXT  The name of the bucket
  --policy TEXT  The path to the JSON policy file
  --help         Show this message and exit.
```

--------------------------------

### s3-credentials put-objects --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Provides help for the `put-objects` command, used to upload multiple objects to an S3 bucket. It details options for specifying the bucket, source directory, and recursive uploads.

```bash
Usage: s3-credentials put-objects [OPTIONS]

  Upload multiple objects to an S3 bucket

Options:
  --bucket TEXT                 The name of the bucket
  --source TEXT                 The path to the directory containing objects to upload
  --recursive / --no-recursive  Recursively upload objects
  --help                        Show this message and exit.
```

--------------------------------

### s3-credentials put-object --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Displays help for the `put-object` command, used to upload a single object to an S3 bucket. It requires specifying the bucket, the object key, and the source file path.

```bash
Usage: s3-credentials put-object [OPTIONS]

  Upload an object to an S3 bucket

Options:
  --bucket TEXT  The name of the bucket
  --key TEXT     The key of the object to upload
  --source TEXT  The path to the file to upload
  --help         Show this message and exit.
```

--------------------------------

### Run Integration Tests Against AWS

Source: https://github.com/simonw/s3-credentials/blob/main/docs/contributing.md

Execute integration tests that make actual API calls to AWS using credentials from environment variables or ~/.aws/credentials file. Tests require AWS account permissions to create users, roles, and buckets, which are cleaned up after execution.

```bash
pytest --integration
```

--------------------------------

### s3-credentials list-users --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Provides help for the `list-users` command, which lists all IAM users within the AWS account. This command typically requires no arguments.

```bash
Usage: s3-credentials list-users [OPTIONS]

  List all users for this account

Options:
  --help  Show this message and exit.
```

--------------------------------

### Download Multiple Objects from S3

Source: https://context7.com/simonw/s3-credentials/llms.txt

Downloads multiple S3 objects that match specified patterns to a local directory. Multiple '-p' flags can be used for different patterns.

```bash
s3-credentials get-objects my-bucket -p "*.jpg" -p "docs/*.pdf" -o ./downloads
```

--------------------------------

### s3-credentials get-public-access-block --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Shows help for the `get-public-access-block` command, which retrieves the public access block configuration for an S3 bucket. It requires the `--bucket` option.

```bash
Usage: s3-credentials get-public-access-block [OPTIONS]

  Get the public access settings for an S3 bucket

Options:
  --bucket TEXT  The name of the bucket
  --help         Show this message and exit.
```

--------------------------------

### s3-credentials get-cors-policy --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Shows help for the `get-cors-policy` command, used to retrieve the CORS (Cross-Origin Resource Sharing) policy for an S3 bucket. It requires the `--bucket` option.

```bash
Usage: s3-credentials get-cors-policy [OPTIONS]

  Get CORS policy for a bucket

Options:
  --bucket TEXT  The name of the bucket
  --help         Show this message and exit.
```

--------------------------------

### Run Unit Tests with pytest

Source: https://github.com/simonw/s3-credentials/blob/main/docs/contributing.md

Execute the test suite using pytest to verify code functionality. Unit tests use stubbed AWS interfaces and do not make actual API calls.

```bash
pytest
```

--------------------------------

### s3-credentials set-cors-policy --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Displays help for the `set-cors-policy` command, used to set the CORS policy for an S3 bucket. It requires specifying the bucket and the path to the CORS policy JSON file.

```bash
Usage: s3-credentials set-cors-policy [OPTIONS]

  Set CORS policy for a bucket

Options:
  --bucket TEXT  The name of the bucket
  --policy TEXT  The path to the JSON CORS policy file
  --help         Show this message and exit.
```

--------------------------------

### s3-credentials set-public-access-block --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Provides help for the `set-public-access-block` command, used to configure public access settings for an S3 bucket. It details the options for blocking public access.

```bash
Usage: s3-credentials set-public-access-block [OPTIONS]

  Configure public access settings for an S3 bucket.

Options:
  --bucket TEXT                   The name of the bucket
  --block-public-acls / --no-block-public-acls
                                  Set BlockPublicAcls
  --ignore-public-acls / --no-ignore-public-acls
                                  Set IgnorePublicAcls
  --block-public-policy / --no-block-public-policy
                                  Set BlockPublicPolicy
  --restrict-public-buckets / --no-restrict-public-buckets
                                  Set RestrictPublicBuckets
  --help                          Show this message and exit.
```

--------------------------------

### Create Public S3 Bucket with s3-credentials

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

Creates a new S3 bucket with public access enabled. The -c flag enables CORS by default. This is a prerequisite for setting CORS policies on the bucket.

```bash
s3-credentials create my-cors-bucket --public -c
```

--------------------------------

### Download Single Object from S3

Source: https://context7.com/simonw/s3-credentials/llms.txt

Retrieves a single file from an S3 bucket and saves it to the local filesystem. Use the '-o' flag to specify the output file path.

```bash
s3-credentials get-object my-bucket data/report.pdf -o ./report.pdf
```

--------------------------------

### Upload Multiple Objects to S3 Bucket

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

Uploads multiple files or the contents of directories to an S3 bucket. Files can be uploaded to the root or a specified prefix. Directories are uploaded recursively. Supports dry-run mode to preview uploads. A progress bar is shown by default, which can be hidden with -s or --silent.

```bash
s3-credentials put-objects my-bucket one.txt two.txt three.txt
```

```bash
s3-credentials put-objects my-bucket one.txt --prefix my-prefix
```

```bash
s3-credentials put-objects my-bucket .
```

```bash
s3-credentials put-objects my-bucket my-directory
```

```bash
s3-credentials put-objects my-bucket . --dry-run
```

--------------------------------

### Create Custom S3 Policy Document (JSON)

Source: https://github.com/simonw/s3-credentials/blob/main/docs/create.md

Defines a JSON structure for a custom IAM policy to grant S3 permissions. It uses placeholders like '$!BUCKET_NAME!$' which are dynamically replaced by the tool. This policy allows for 'GetObject*' and 'ListBucket' actions on specified buckets.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject*", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::$!BUCKET_NAME!$",
        "arn:aws:s3:::$!BUCKET_NAME!$/*"
      ]
    }
  ]
}
```

--------------------------------

### Debug S3 Bucket Configuration

Source: https://context7.com/simonw/s3-credentials/llms.txt

Runs comprehensive diagnostics on an S3 bucket to check its ACL, policy status, and public access block configuration. This utility helps in identifying and resolving configuration issues. It requires the bucket name and provides detailed output on various configuration aspects.

```bash
s3-credentials debug-bucket my-bucket
```

--------------------------------

### s3-credentials delete-objects --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Shows help for the `delete-objects` command, which is used to remove objects from an S3 bucket. It details the necessary parameters for specifying the bucket and the objects to delete.

```bash
Usage: s3-credentials delete-objects [OPTIONS]

  Delete one or more object from an S3 bucket

Options:
  --bucket TEXT                 The name of the bucket
  --key TEXT                    The key of the object to delete
  --recursive / --no-recursive  Recursively delete objects
  --help                        Show this message and exit.
```

--------------------------------

### Upload Multiple Objects to S3

Source: https://context7.com/simonw/s3-credentials/llms.txt

Performs a bulk upload of files and directories to an S3 bucket. Supports specifying a prefix to organize uploaded content within the bucket.

```bash
s3-credentials put-objects my-bucket ./website --prefix public/
```

--------------------------------

### Debug Bucket Output Format

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

Shows the output structure from the debug-bucket command, including bucket ACL configuration, policy status, and public access block settings in JSON format.

```json
{
  "Owner": {
    "DisplayName": "username",
    "ID": "cc8ca3a037c6a7c1fa7580076bf7cd1949b3f2f58f01c9df9e53c51f6a249910"
  },
  "Grants": [
    {
      "Grantee": {
        "DisplayName": "username",
        "ID": "cc8ca3a037c6a7c1fa7580076bf7cd1949b3f2f58f01c9df9e53c51f6a249910",
        "Type": "CanonicalUser"
      },
      "Permission": "FULL_CONTROL"
    }
  ]
}
```

--------------------------------

### s3-credentials delete-user --help Output

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Displays help for the `delete-user` command, which is used to remove specified IAM users, their access keys, and associated policies. It outlines the options for identifying the user(s) to delete.

```bash
Usage: s3-credentials delete-user [OPTIONS]

  Delete specified users, their access keys and associated policies

Options:
  --user TEXT  The username to delete
  --help       Show this message and exit.
```

--------------------------------

### Configure S3 Bucket CORS Policy with s3-credentials

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Sets the Cross-Origin Resource Sharing (CORS) policy for an S3 bucket. Allows specifying allowed methods, origins, headers, and max age for preflight requests. Supports custom endpoints and authentication.

```bash
s3-credentials set-cors-policy my-bucket
s3-credentials set-cors-policy my-bucket \
  --allowed-method GET \
  --allowed-method PUT \
  --allowed-origin https://www.example.com/ \
  --expose-header ETag
```

--------------------------------

### Set S3 Bucket Policy from File

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

Applies a custom bucket policy from a JSON file to an S3 bucket. Allows fine-grained control over bucket permissions by referencing an external policy document.

```bash
s3-credentials set-bucket-policy my-bucket --policy-file policy.json
```

--------------------------------

### Upload Objects to S3 Bucket with s3-credentials

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Uploads one or more files to an S3 bucket, optionally to a specific prefix or recursively from a directory. Supports silent mode, dry runs, and various AWS credential configurations.

```bash
s3-credentials put-objects my-bucket one.txt two.txt
s3-credentials put-objects my-bucket one.txt two.txt --prefix my-folder
s3-credentials put-objects my-bucket my-folder
s3-credentials put-objects my-bucket my-folder/*
s3-credentials put-objects my-bucket one.txt --silent
s3-credentials put-objects my-bucket one.txt --dry-run
```

--------------------------------

### Configure S3 Public Access Block with s3-credentials

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Configures public access settings for an S3 bucket, allowing granular control over blocking public ACLs, ignoring public ACLs, blocking public policies, and restricting public buckets. Can also be used to allow full public access.

```bash
s3-credentials set-public-access-block my-bucket --block-public-acls false
s3-credentials set-public-access-block my-bucket --allow-public-access
```

--------------------------------

### Upload from Standard Input to S3

Source: https://context7.com/simonw/s3-credentials/llms.txt

Streams data directly from standard input to an S3 object. Useful for uploading dynamically generated content. Requires specifying the bucket, object key, and content type.

```bash
echo "

Hello World

" | s3-credentials put-object my-bucket hello.html - --content-type "text/html"
```

--------------------------------

### Download Multiple Objects from S3 Bucket

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

Downloads multiple files from an S3 bucket, preserving directory structure in the current or a specified output directory. Supports downloading all objects, specific files, or files matching wildcard patterns. A progress bar is shown by default, which can be hidden with -s or --silent.

```bash
s3-credentials get-objects my-bucket
```

```bash
s3-credentials get-objects my-bucket -o /path/to/output
```

```bash
s3-credentials get-objects my-bucket one.txt two.txt path/to/three.txt
```

```bash
s3-credentials get-objects my-bucket -p "*.txt" -p "static/*.css"
```

--------------------------------

### View IAM User Policies

Source: https://context7.com/simonw/s3-credentials/llms.txt

Retrieves and displays the inline policies attached to a specific IAM user. This command helps in understanding the permissions granted to a user.

```bash
s3-credentials list-user-policies s3.read-write.my-bucket
```

--------------------------------

### Public Access Block JSON Response Format

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

Shows the structure of public access block configuration, including four boolean flags that control different aspects of public access to the bucket.

```json
{
  "BlockPublicAcls": false,
  "IgnorePublicAcls": false,
  "BlockPublicPolicy": false,
  "RestrictPublicBuckets": false
}
```

--------------------------------

### Upload Single Object to S3

Source: https://context7.com/simonw/s3-credentials/llms.txt

Uploads a single file to an S3 bucket, automatically detecting the content type. Specify the bucket name, object key, and local file path.

```bash
s3-credentials put-object my-bucket index.html /path/to/index.html
```

--------------------------------

### Create Permanent S3 Credentials (JSON Output)

Source: https://github.com/simonw/s3-credentials/blob/main/docs/create.md

This command creates permanent AWS credentials for read-write access to a specified S3 bucket. It outputs the credentials in JSON format, including the UserName, AccessKeyId, Status, SecretAccessKey, and CreateDate. The SecretAccessKey is only displayed once.

```bash
% s3-credentials create static.niche-museums.com

Created user: s3.read-write.static.niche-museums.com with permissions boundary: arn:aws:iam::aws:policy/AmazonS3FullAccess
Attached policy s3.read-write.static.niche-museums.com to user s3.read-write.static.niche-museums.com
Created access key for user: s3.read-write.static.niche-museums.com
{
    "UserName": "s3.read-write.static.niche-museums.com",
    "AccessKeyId": "AKIAWXFXAIOZOYLZAEW5",
    "Status": "Active",
    "SecretAccessKey": "...",
    "CreateDate": "2021-11-03 01:38:24+00:00"
}
```

--------------------------------

### Create Temporary S3 Credentials

Source: https://github.com/simonw/s3-credentials/blob/main/docs/create.md

This command generates temporary AWS credentials for accessing S3 buckets. The duration can be specified in seconds, minutes, or hours, and must be between 15 minutes and 12 hours. The output includes an AccessKeyId, SecretAccessKey, SessionToken, and Expiration date. The SessionToken must be used along with the other credentials.

```bash
% s3-credentials create static.niche-museums.com --duration 15m

Assume role against arn:aws:iam::462092780466:role/s3-credentials.AmazonS3FullAccess for 900s
{
    "AccessKeyId": "ASIAWXFXAIOZPAHAYHUG",
    "SecretAccessKey": "Nrnoc...",
    "SessionToken": "FwoGZXIvYXd...mr9Fjs=",
    "Expiration": "2021-11-11 03:24:07+00:00"
}
```

--------------------------------

### Upload Single Object to S3 Bucket

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

Uploads a single file to a specified key in an S3 bucket. Supports uploading from standard input and overriding the Content-Type. A progress bar is shown by default, which can be hidden with the -s or --silent option.

```bash
s3-credentials put-object my-bucket my-key.txt /path/to/file.txt
```

```bash
echo "Hello" | s3-credentials put-object my-bucket hello.txt -
```

```bash
echo "<h1>Hello World</h1>" | \
  s3-credentials put-object my-bucket hello.html - --content-type "text/html"
```

--------------------------------

### Create Permanent S3 Credentials (INI Output)

Source: https://github.com/simonw/s3-credentials/blob/main/docs/create.md

This command creates permanent AWS credentials for read-write access to a specified S3 bucket and outputs them in INI format, suitable for pasting into a `~/.aws/credentials` file. It includes the AWS access key ID and secret access key.

```bash
% s3-credentials create static.niche-museums.com --format ini > ini.txt
Created user: s3.read-write.static.niche-museums.com with permissions boundary: arn:aws:iam::aws:policy/AmazonS3FullAccess
Attached policy s3.read-write.static.niche-museums.com to user s3.read-write.static.niche-museums.com
Created access key for user: s3.read-write.static.niche-museums.com
% cat ini.txt
[default]
aws_access_key_id=AKIAWXFXAIOZKGXI4PVO
aws_secret_access_key=...
```

--------------------------------

### List S3 Bucket Contents with URLs

Source: https://context7.com/simonw/s3-credentials/llms.txt

Displays the objects within an S3 bucket, including their keys, last modified dates, sizes, and direct URLs. Supports filtering by prefix and outputs in CSV format.

```bash
s3-credentials list-bucket my-bucket --prefix images/ --urls --csv
```

--------------------------------

### List IAM Roles with s3-credentials

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

The `list-roles` command retrieves a list of available IAM roles for the authenticated AWS account. It can optionally fetch detailed policy information for each role and filter by specific role names. Output can be formatted as JSON, newline-delimited JSON, CSV, or TSV.
```bash
s3-credentials list-roles AWSServiceRoleForLightsail --details
```

--------------------------------

### Set S3 Public Access Block with Individual Flags

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

Configures the public access block settings for a bucket by setting individual boolean flags. Controls whether public ACLs, policies, and access are blocked for the bucket.

```bash
s3-credentials set-public-access-block my-bucket \
  --block-public-acls true \
  --ignore-public-acls true \
  --block-public-policy true \
  --restrict-public-buckets true
```

--------------------------------

### Allow Public Access to S3 Bucket

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

Convenience command that disables all public access block restrictions in one operation. Sets all four public access block flags to false, allowing public access.

```bash
s3-credentials set-public-access-block my-bucket \
  --allow-public-access
```

--------------------------------

### Bucket Policy JSON Response Format

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

Shows the structure of a bucket policy response, including policy version, statements with SID, effect, principal, actions, and resources. Standard AWS IAM policy format.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```

--------------------------------

### Download Single Object from S3 Bucket

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

Downloads a single file from an S3 bucket. By default, outputs the file content to the terminal. Can save the output to a specified file using the -o or --output option.
```bash
s3-credentials get-object my-bucket hello.txt
```

```bash
s3-credentials get-object my-bucket hello.txt -o /path/to/hello.txt
```

--------------------------------

### Python API: Generate S3 Read-Write Policy

Source: https://context7.com/simonw/s3-credentials/llms.txt

Uses the s3_credentials Python library to programmatically generate an IAM policy document that grants read and write permissions for objects within a specified S3 bucket and an optional prefix. This is useful for creating granular access policies.

```python
from s3_credentials import policies

# Generate read-write policy for a bucket
policy = policies.read_write("my-bucket", prefix="data/")
print(policy)
```

--------------------------------

### Set S3 Public Access Block Configuration

Source: https://context7.com/simonw/s3-credentials/llms.txt

Configures the public access block settings for an S3 bucket, allowing or restricting public access. This command is used to manage security settings that prevent accidental exposure of data. It takes the bucket name and a flag to control public access.

```bash
s3-credentials set-public-access-block my-bucket --allow-public-access
```

--------------------------------

### Identify Authenticated User with s3-credentials

Source: https://github.com/simonw/s3-credentials/blob/main/docs/help.md

Identifies the currently authenticated user in AWS. Supports specifying credentials via access key, secret key, session token, or an authentication file, and allows for custom endpoint URLs.

```bash
s3-credentials whoami
s3-credentials whoami --access-key AKIAIOSFODNN7EXAMPLE --secret-key wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY
```

--------------------------------

### List All IAM Users

Source: https://context7.com/simonw/s3-credentials/llms.txt

Retrieves a list of all IAM users within the AWS account, output in CSV format. This is useful for auditing and managing user accounts.
```bash
s3-credentials list-users --csv
```

--------------------------------

### JSON Credentials File Format for s3-credentials

Source: https://github.com/simonw/s3-credentials/blob/main/docs/configuration.md

Specifies the structure for a JSON file containing AWS credentials. It must include 'AccessKeyId' and 'SecretAccessKey'. Optionally, 'SessionToken' can be included for temporary credentials. This format is used with the --auth option.

```json
{
  "AccessKeyId": "AKIAWXFXAIOZA5IR5PY4",
  "SecretAccessKey": "g63..."
}
```

--------------------------------

### Set Bucket CORS Policy

Source: https://context7.com/simonw/s3-credentials/llms.txt

Configures the Cross-Origin Resource Sharing (CORS) policy for an S3 bucket. Allows specifying allowed methods, origins, exposed headers, and max age.

```bash
s3-credentials set-cors-policy my-bucket \
  --allowed-method GET \
  --allowed-method PUT \
  --allowed-origin https://www.example.com/ \
  --expose-header ETag \
  --max-age-seconds 3600
```

--------------------------------

### Verify Current AWS Identity

Source: https://context7.com/simonw/s3-credentials/llms.txt

Checks the currently authenticated AWS user and displays their user ID, account, and ARN. This command helps confirm your active AWS credentials.

```bash
s3-credentials whoami
```

--------------------------------

### CORS Policy JSON Response Format

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

Shows the structure of a CORS policy response from S3, including the policy ID, allowed HTTP methods, and allowed origins. This is the standard format returned by get-cors-policy.
```json
[
  {
    "ID": "set-by-s3-credentials",
    "AllowedMethods": [
      "GET"
    ],
    "AllowedOrigins": [
      "*"
    ]
  }
]
```

--------------------------------

### INI Credentials File Format for s3-credentials

Source: https://github.com/simonw/s3-credentials/blob/main/docs/configuration.md

Defines the INI file format for providing AWS credentials to the s3-credentials tool via the --auth option. The tool reads the first section containing 'aws_access_key_id' and 'aws_secret_access_key'.

```ini
[default]
aws_access_key_id=AKIAWXFXAIOZNCR2ST7S
aws_secret_access_key=g63...
```

--------------------------------

### Delete Objects by Prefix from S3

Source: https://context7.com/simonw/s3-credentials/llms.txt

Removes all objects within an S3 bucket that match a given prefix. Includes a '--dry-run' option to preview which objects would be deleted without actually removing them.

```bash
s3-credentials delete-objects my-bucket --prefix temp/ --dry-run
```

--------------------------------

### Delete Objects from S3 Bucket

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

Deletes one or more objects from an S3 bucket. Supports deleting specific keys or all keys matching a prefix. Includes a dry-run option to list keys that would be deleted without actually deleting them.

```bash
s3-credentials delete-objects my-bucket one.txt two.txt three.txt
```

```bash
s3-credentials delete-objects my-bucket --prefix my-prefix
```

```bash
s3-credentials delete-objects my-bucket --prefix my-prefix --dry-run
```

--------------------------------

### Delete AWS User with s3-credentials

Source: https://github.com/simonw/s3-credentials/blob/main/docs/other-commands.md

The `delete-user` command automates the process of deleting AWS users. It handles the prerequisite steps of deleting access keys and inline policies before removing the user account. Multiple usernames can be provided to delete several users concurrently.
```bash
s3-credentials delete-user s3.read-write.simonw-test-bucket-10
```

--------------------------------

### Delete Objects from S3

Source: https://context7.com/simonw/s3-credentials/llms.txt

Removes one or more specified objects from an S3 bucket. This is a permanent deletion.

```bash
s3-credentials delete-objects my-bucket old-file1.txt old-file2.txt
```

--------------------------------

### Generate Public Bucket Read-Only S3 Policy

Source: https://github.com/simonw/s3-credentials/blob/main/docs/policy-documents.md

Creates an AWS IAM bucket policy allowing public read access (GetObject) to all objects in an S3 bucket. This policy enables anonymous users to download any file from the bucket using the principal '*', making the bucket publicly readable. Suitable for hosting static content or public datasets.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAllGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/*"
      ]
    }
  ]
}
```

--------------------------------

### AWS IAM Policy - S3 Read-Write Access (Default)

Source: https://github.com/simonw/s3-credentials/blob/main/docs/policy-documents.md

Default IAM policy for read-write access to an S3 bucket. Grants permissions to list bucket contents, retrieve objects with metadata, and perform put/delete operations on all objects in the bucket.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/*"
      ]
    }
  ]
}
```

--------------------------------

### AWS IAM Policy - S3 Read-Write with Prefix Restriction

Source: https://github.com/simonw/s3-credentials/blob/main/docs/policy-documents.md

IAM policy for read-write access limited to a specific prefix path within an S3 bucket. Uses StringLike condition to restrict ListBucket operations to objects matching the specified prefix pattern.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "my-prefix/*"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/my-prefix/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/my-prefix/*"
      ]
    }
  ]
}
```

--------------------------------

### Generate Write-Only S3 Policy with Prefix Filter

Source: https://github.com/simonw/s3-credentials/blob/main/docs/policy-documents.md

Creates an AWS IAM policy that grants write-only access (PutObject) to a specific S3 bucket prefix. This policy restricts uploads to objects under 'my-prefix/' path, preventing read access and deletions. Useful for limiting credential scope to specific directories within a bucket.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/my-prefix/*"
      ]
    }
  ]
}
```

--------------------------------

### AWS IAM Policy - S3 Read-Only with Prefix Restriction

Source: https://github.com/simonw/s3-credentials/blob/main/docs/policy-documents.md

IAM policy for read-only access limited to a specific prefix path within an S3 bucket. Combines prefix-based conditions with read-only permissions for controlled access to a bucket subdirectory.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "my-prefix/*"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/my-prefix/*"
      ]
    }
  ]
}
```

--------------------------------

### AWS IAM Policy - S3 Write-Only Access

Source: https://github.com/simonw/s3-credentials/blob/main/docs/policy-documents.md

Minimal IAM policy granting only write permissions to an S3 bucket. Allows putting objects but grants no read, list, or delete permissions, so those operations are refused by IAM's implicit deny. Suitable for upload-only use cases.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/*"
      ]
    }
  ]
}
```

--------------------------------

### Delete IAM User

Source: https://context7.com/simonw/s3-credentials/llms.txt

Removes an IAM user from the AWS account, including all associated policies and access keys. This is a destructive operation and should be used with caution.
```bash
s3-credentials delete-user s3.read-write.my-old-bucket
```

--------------------------------

### AWS IAM Policy - S3 Read-Only Access

Source: https://github.com/simonw/s3-credentials/blob/main/docs/policy-documents.md

Restrictive IAM policy limiting access to read operations only. Allows listing bucket contents and retrieving objects with their metadata, but grants no write or delete permissions, so those operations are refused by IAM's implicit deny.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTagging"
      ],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket/*"
      ]
    }
  ]
}
```
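--------------------------------

### Added Example: Which Requests the Prefix-Restricted Policy Allows

The prefix-restricted policies above scope access in two places: the object `Resource` ARN and the `s3:prefix` condition on `s3:ListBucket`. This is an added example, not code from s3-credentials or its documentation; `is_allowed`, `like` and `as_list` are hypothetical helpers, and the evaluation model is deliberately simplified (Allow statements only, `StringLike` only, no explicit Deny or permissions boundary).

```python
import re

BUCKET = "arn:aws:s3:::my-s3-bucket"
READ = ["s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectLegalHold",
        "s3:GetObjectRetention", "s3:GetObjectTagging"]
# The page's read-write policy with prefix restriction, written compactly.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation"], "Resource": [BUCKET]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET],
     "Condition": {"StringLike": {"s3:prefix": ["my-prefix/*"]}}},
    {"Effect": "Allow", "Action": READ, "Resource": [BUCKET + "/my-prefix/*"]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": [BUCKET + "/my-prefix/*"]},
]}


def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def like(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def is_allowed(policy, action, resource, context=None):
    """True if an Allow statement matches the request; otherwise implicit deny.

    Simplified model (assumption): identity policy only, no explicit Deny,
    no permissions boundary, and StringLike is the only condition operator.
    """
    context = context or {}
    for stmt in as_list(policy["Statement"]):
        condition = stmt.get("Condition", {})
        if stmt.get("Effect") != "Allow" or set(condition) - {"StringLike"}:
            continue  # unsupported operators are treated as not matching
        if not any(like(a.lower(), action.lower()) for a in as_list(stmt["Action"])):
            continue
        if not any(like(r, resource) for r in as_list(stmt["Resource"])):
            continue
        # Every condition key must be present in the request and match a pattern.
        if all(key in context and any(like(p, context[key]) for p in as_list(pats))
               for key, pats in condition.get("StringLike", {}).items()):
            return True
    return False


if __name__ == "__main__":
    checks = [  # constructed sample requests
        ("s3:PutObject", BUCKET + "/my-prefix/report.csv", None),
        ("s3:PutObject", BUCKET + "/other/report.csv", None),
        ("s3:GetObject", BUCKET + "/my-prefix-backup/report.csv", None),
        ("s3:ListBucket", BUCKET, {"s3:prefix": "my-prefix/2024/"}),
        ("s3:ListBucket", BUCKET, {"s3:prefix": ""}),
    ]
    for action, resource, ctx in checks:
        print(is_allowed(POLICY, action, resource, ctx), action, resource, ctx)
```

A listing request that supplies no prefix, or a prefix of `my-prefix` without the trailing slash, does not match `my-prefix/*` and is refused.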
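--------------------------------

### Added Example: Audit a Bucket for Anonymous Exposure

Whether the `AllowAllGetObject` bucket policy shown above actually exposes objects depends on the four public access block flags. This is an added example, not code from s3-credentials; `audit`, `anonymous_statements` and the finding codes are hypothetical, it works offline on the JSON that `get-bucket-policy` and the public access block response return, and it ignores account-level public access block settings.

```python
# Inputs copied from this page: the AllowAllGetObject bucket policy and the
# two public access block states (all false, all true).
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAllGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}
PAB_OPEN = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_LOCKED = {flag: True for flag in PAB_OPEN}


def as_list(value):
    """Policy fields may be a single value or a list."""
    return value if isinstance(value, list) else [value]


def anonymous_statements(policy):
    """Return the Allow statements that are open to any principal.

    Simplification (assumption): a statement carrying any Condition is treated
    as not public; AWS's own test inspects the condition keys and values.
    """
    hits = []
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in as_list(principal.get("AWS", [])))
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            hits.append(stmt)
    return hits


def audit(policy, pab):
    """Return finding codes for one bucket, using bucket-level settings only."""
    findings = []
    public = anonymous_statements(policy)
    if public and not pab.get("RestrictPublicBuckets"):
        # The public policy is in force for anonymous callers.
        findings += ["ANONYMOUS_ACCESS:" + s.get("Sid", "<no Sid>") for s in public]
    elif public:
        # Access is limited to AWS service principals and the owner's account.
        findings.append("PUBLIC_POLICY_NEUTRALISED")
    if not pab.get("BlockPublicPolicy"):
        findings.append("PUBLIC_POLICY_CAN_BE_SET")  # a public policy is not rejected
    if not pab.get("BlockPublicAcls"):
        findings.append("PUBLIC_ACLS_CAN_BE_SET")  # public ACLs are not rejected
    if not pab.get("IgnorePublicAcls"):
        findings.append("PUBLIC_ACLS_HONOURED")  # existing public ACLs take effect
    return findings


if __name__ == "__main__":
    print("all flags false:", audit(BUCKET_POLICY, PAB_OPEN))
    print("all flags true: ", audit(BUCKET_POLICY, PAB_LOCKED))
```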