get-bucket-policy and set-bucket-policy, closes #91

simonw · simonw · commit ac428b76c846 · 2024-12-18T21:47:41.000-08:00
diff --git a/docs/help.md b/docs/help.md
@@ -37,6 +37,7 @@ Commands:
   debug-bucket        Run a bunch of diagnostics to help debug a bucket
   delete-objects      Delete one or more object from an S3 bucket
   delete-user         Delete specified users, their access keys and their...
+  get-bucket-policy   Get bucket policy for a bucket
   get-cors-policy     Get CORS policy for a bucket
   get-object          Download an object from an S3 bucket
   get-objects         Download multiple objects from an S3 bucket
@@ -48,6 +49,7 @@ Commands:
   policy              Output generated JSON policy for one or more buckets
   put-object          Upload an object to an S3 bucket
   put-objects         Upload multiple objects to an S3 bucket
+  set-bucket-policy   Set bucket policy for a bucket
   set-cors-policy     Set CORS policy for a bucket
   whoami              Identify currently authenticated user
 ```
@@ -156,6 +158,25 @@ Usage: s3-credentials delete-user [OPTIONS] USERNAMES...
 
       s3-credentials delete-user username1 username2
 
+Options:
+  --access-key TEXT     AWS access key ID
+  --secret-key TEXT     AWS secret access key
+  --session-token TEXT  AWS session token
+  --endpoint-url TEXT   Custom endpoint URL
+  -a, --auth FILENAME   Path to JSON/INI file containing credentials
+  --help                Show this message and exit.
+```
+## s3-credentials get-bucket-policy --help
+
+```
+Usage: s3-credentials get-bucket-policy [OPTIONS] BUCKET
+
+  Get bucket policy for a bucket
+
+     s3-credentials get-bucket-policy my-bucket
+
+  Returns the bucket policy for this bucket, if set, as JSON
+
 Options:
   --access-key TEXT     AWS access key ID
   --secret-key TEXT     AWS secret access key
@@ -464,6 +485,29 @@ Options:
   -a, --auth FILENAME   Path to JSON/INI file containing credentials
   --help                Show this message and exit.
 ```
+## s3-credentials set-bucket-policy --help
+
+```
+Usage: s3-credentials set-bucket-policy [OPTIONS] BUCKET
+
+  Set bucket policy for a bucket
+
+      s3-credentials set-bucket-policy my-bucket --policy-file policy.json
+
+  Or to set a policy that allows GET requests from all:
+
+      s3-credentials set-bucket-policy my-bucket --allow-all-get
+
+Options:
+  --policy-file FILENAME
+  --allow-all-get         Allow GET requests from all
+  --access-key TEXT       AWS access key ID
+  --secret-key TEXT       AWS secret access key
+  --session-token TEXT    AWS session token
+  --endpoint-url TEXT     Custom endpoint URL
+  -a, --auth FILENAME     Path to JSON/INI file containing credentials
+  --help                  Show this message and exit.
+```
 ## s3-credentials set-cors-policy --help
 
 ```
diff --git a/docs/other-commands.md b/docs/other-commands.md
@@ -570,3 +570,36 @@ Bucket public access block:
     }
 }
 ```
+## get-bucket-policy
+
+The `get-bucket-policy` command displays the current bucket policy for a bucket:
+```bash
+s3-credentials get-bucket-policy my-bucket
+```
+Example output:
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AllowAllGetObject",
+            "Effect": "Allow",
+            "Principal": "*",
+            "Action": "s3:GetObject",
+            "Resource": "arn:aws:s3:::my-bucket/*"
+        }
+    ]
+}
+```
+
+## set-bucket-policy
+
+The `set-bucket-policy` command can be used to set a bucket policy for a bucket:
+```bash
+s3-credentials set-bucket-policy my-bucket --policy-file policy.json
+```
+Or for the common case of setting a policy to allow GET access to all buckets:
+```bash
+s3-credentials set-bucket-policy my-bucket --allow-all-get
+```
diff --git a/s3_credentials/cli.py b/s3_credentials/cli.py
@@ -1365,6 +1365,54 @@ def get_cors_policy(bucket, **boto_options):
     click.echo(json.dumps(response["CORSRules"], indent=4, default=str))
 
 
+@cli.command()
+@click.argument("bucket")
+@common_boto3_options
+def get_bucket_policy(bucket, **boto_options):
+    """
+    Get bucket policy for a bucket
+
+       s3-credentials get-bucket-policy my-bucket
+
+    Returns the bucket policy for this bucket, if set, as JSON
+    """
+    s3 = make_client("s3", **boto_options)
+    try:
+        response = s3.get_bucket_policy(Bucket=bucket)
+    except botocore.exceptions.ClientError as e:
+        raise click.ClickException(e)
+    click.echo(json.dumps(json.loads(response["Policy"]), indent=4, default=str))
+
+
+@cli.command()
+@click.argument("bucket")
+@click.option("--policy-file", type=click.File("r"))
+@click.option("--allow-all-get", is_flag=True, help="Allow GET requests from all")
+@common_boto3_options
+def set_bucket_policy(bucket, policy_file, allow_all_get, **boto_options):
+    """
+    Set bucket policy for a bucket
+
+        s3-credentials set-bucket-policy my-bucket --policy-file policy.json
+
+    Or to set a policy that allows GET requests from all:
+
+        s3-credentials set-bucket-policy my-bucket --allow-all-get
+    """
+    s3 = make_client("s3", **boto_options)
+    if allow_all_get and policy_file:
+        raise click.ClickException("Cannot pass both --allow-all-get and --policy-file")
+    if allow_all_get:
+        policy = policies.bucket_policy_allow_all_get(bucket)
+    else:
+        policy = json.load(policy_file)
+    try:
+        s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
+    except botocore.exceptions.ClientError as e:
+        raise click.ClickException(e)
+    click.echo("Policy set:\n" + json.dumps(policy, indent=4), err=True)
+
+
 def without_response_metadata(data):
     return dict(
         (key, value) for key, value in data.items() if key != "ResponseMetadata"
