Access S3 data through an access grant

After a grantee obtains temporary credentials through their access grant, they can use these temporary credentials to call Amazon S3 API operations to access your data.

Grantees can access S3 data by using the AWS Command Line Interface (AWS CLI), the AWS SDKs, and the Amazon S3 REST API.

After the grantee obtains their temporary credentials from S3 Access Grants, they can set up a profile with these credentials to retrieve the data.

To install the AWS CLI, see Installing the AWS CLI in the AWS Command Line Interface User Guide.

To use the following example commands, replace the user input placeholders with your own information.

Example – Set up a profile


aws configure set aws_access_key_id "$accessKey" --profile access-grants-consumer-access-profile
aws configure set aws_secret_access_key "$secretKey" --profile access-grants-consumer-access-profile
aws configure set aws_session_token "$sessionToken" --profile access-grants-consumer-access-profile

To use the following example command, replace the user input placeholders with your own information.

Example – Get the S3 data

The grantee can use the get-object AWS CLI command to access the data. The grantee can also use put-object, ls, and other S3 AWS CLI commands.


aws s3api get-object \
--bucket DOC-EXAMPLE-BUCKET1 \
--key myprefix \
--region us-east-2 \
--profile access-grants-consumer-access-profile

This section provides examples of how grantees can access your S3 data by using the AWS SDKs.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Request access to Amazon S3 data through S3 Access Grants

S3 Access Grants cross-account access