list_caller_access_grants

S3Control.Client.list_caller_access_grants(**kwargs)

Use this API to list the access grants that grant the caller access to Amazon S3 data through S3 Access Grants. The caller (grantee) can be an Identity and Access Management (IAM) identity or Amazon Web Services Identity Center corporate directory identity. You must pass the Amazon Web Services account of the S3 data owner (grantor) in the request. You can, optionally, narrow the results by GrantScope, using a fragment of the data’s S3 path, and S3 Access Grants will return only the grants with a path that contains the path fragment. You can also pass the AllowedByApplication filter in the request, which returns only the grants authorized for applications, whether the application is the caller’s Identity Center application or any other application (ALL). For more information, see List the caller’s access grants in the Amazon S3 User Guide.

Permissions

You must have the s3:ListCallerAccessGrants permission to use this operation.

See also: AWS API Documentation

Request Syntax

response = client.list_caller_access_grants(
    AccountId='string',
    GrantScope='string',
    NextToken='string',
    MaxResults=123,
    AllowedByApplication=True|False
)
Parameters:
  • AccountId (string) –

    [REQUIRED]

    The Amazon Web Services account ID of the S3 Access Grants instance.

  • GrantScope (string) – The S3 path of the data that you would like to access. Must start with s3://. You can optionally pass only the beginning characters of a path, and S3 Access Grants will search for all applicable grants for the path fragment.

  • NextToken (string) – A pagination token to request the next page of results. Pass this value into a subsequent List Caller Access Grants request in order to retrieve the next page of results.

  • MaxResults (integer) – The maximum number of access grants that you would like returned in the List Caller Access Grants response. If the results include the pagination token NextToken, make another call using the NextToken to determine if there are more results.

  • AllowedByApplication (boolean) – If this optional parameter is passed in the request, a filter is applied to the results. The results will include only the access grants for the caller’s Identity Center application or for any other applications (ALL).

Return type:

dict

Returns:

Response Syntax

{
    'NextToken': 'string',
    'CallerAccessGrantsList': [
        {
            'Permission': 'READ'|'WRITE'|'READWRITE',
            'GrantScope': 'string',
            'ApplicationArn': 'string'
        },
    ]
}

Response Structure

  • (dict) –

    • NextToken (string) –

      A pagination token that you can use to request the next page of results. Pass this value into a subsequent List Caller Access Grants request in order to retrieve the next page of results.

    • CallerAccessGrantsList (list) –

      A list of the caller’s access grants that were created using S3 Access Grants and that grant the caller access to the S3 data of the Amazon Web Services account ID that was specified in the request.

      • (dict) –

        Part of ListCallerAccessGrantsResult. Each entry includes the permission level (READ, WRITE, or READWRITE) and the grant scope of the access grant. If the grant also includes an application ARN, the grantee can only access the S3 data through this application.

        • Permission (string) –

          The type of permission granted, which can be one of the following values:

          • READ - Grants read-only access to the S3 data.

          • WRITE - Grants write-only access to the S3 data.

          • READWRITE - Grants both read and write access to the S3 data.

        • GrantScope (string) –

          The S3 path of the data to which you have been granted access.

        • ApplicationArn (string) –

          The Amazon Resource Name (ARN) of an Amazon Web Services IAM Identity Center application associated with your Identity Center instance. If the grant includes an application ARN, the grantee can only access the S3 data through this application.
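
Added example (not part of the boto3 documentation): a least-privilege review of the caller's own grants that follows NextToken until it is absent, then reports which scopes are write-capable and which are usable only through an application. The helper names, the stub client, the account ID, bucket paths and ARN are constructed for illustration; against AWS, pass boto3.client("s3control") in place of the stub.

```python
def iter_caller_grants(client, account_id, grant_scope=None, max_results=None):
    """Yield every CallerAccessGrantsList entry, following NextToken."""
    kwargs = {"AccountId": account_id}
    if grant_scope is not None:
        if not grant_scope.startswith("s3://"):
            raise ValueError("GrantScope must start with s3://")
        kwargs["GrantScope"] = grant_scope
    if max_results is not None:
        kwargs["MaxResults"] = max_results
    while True:
        page = client.list_caller_access_grants(**kwargs)
        yield from page.get("CallerAccessGrantsList", [])
        token = page.get("NextToken")
        if not token:  # no token means this was the last page
            return
        kwargs["NextToken"] = token


def summarize(grants):
    """Report write-capable scopes and scopes usable only through an application."""
    writable = sorted(g["GrantScope"] for g in grants
                      if g["Permission"] in ("WRITE", "READWRITE"))
    app_bound = sorted(g["GrantScope"] for g in grants if g.get("ApplicationArn"))
    return {"writable": writable, "app_bound": app_bound}


class StubS3Control:
    """Constructed stand-in for boto3.client("s3control"); serves two pages."""
    PAGES = {  # constructed sample responses, keyed by the NextToken sent
        None: {"NextToken": "page-2", "CallerAccessGrantsList": [
            {"Permission": "READ", "GrantScope": "s3://example-bucket/reports/*"}]},
        "page-2": {"CallerAccessGrantsList": [
            {"Permission": "READWRITE", "GrantScope": "s3://example-bucket/uploads/*",
             "ApplicationArn": "arn:aws:sso::111122223333:application/EXAMPLE"}]},
    }

    def __init__(self):
        self.calls = []  # request kwargs, recorded so pagination can be checked

    def list_caller_access_grants(self, **kwargs):
        self.calls.append(kwargs)
        return self.PAGES[kwargs.get("NextToken")]


if __name__ == "__main__":
    # Against AWS, pass boto3.client("s3control") instead of the stub.
    grants = list(iter_caller_grants(StubS3Control(), "111122223333",
                                     grant_scope="s3://example-bucket/"))
    print(summarize(grants))
```

A scope listed under "writable" but not under "app_bound" can be written to without going through an Identity Center application, which makes those entries the first ones to check against what the identity actually needs.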