or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

docs

bucket-access-control.mdbucket-features.mdbucket-operations.mdclient-config.mdindex.mdlist-operations.mdmultipart-upload.mdobject-operations.mdpaginators-waiters.mdpresigned-urls.mdtypes.md
tile.json

bucket-operations.mddocs/

S3 Bucket Operations - AWS SDK for Go v2

This document provides comprehensive API documentation for AWS SDK for Go v2 S3 bucket operations.

Package Information

  • Package: github.com/aws/aws-sdk-go-v2/service/s3
  • Types Package: github.com/aws/aws-sdk-go-v2/service/s3/types

Table of Contents

  1. CreateBucket
  2. DeleteBucket
  3. HeadBucket
  4. ListBuckets
  5. ListDirectoryBuckets
  6. GetBucketLocation
  7. CreateSession

CreateBucket

Creates a new S3 bucket. Supports both general purpose buckets and directory buckets (S3 Express One Zone).

Client Method

func (c *Client) CreateBucket(ctx context.Context, params *CreateBucketInput, optFns ...func(*Options)) (*CreateBucketOutput, error)

{ .api }

Input Type - CreateBucketInput

type CreateBucketInput struct {
    // The name of the bucket to create.
    // REQUIRED
    Bucket *string

    // The canned ACL to apply to the bucket.
    // Not supported for directory buckets.
    ACL types.BucketCannedACL

    // The configuration information for the bucket.
    CreateBucketConfiguration *types.CreateBucketConfiguration

    // Allows grantee the read, write, read ACP, and write ACP permissions on the bucket.
    // Not supported for directory buckets.
    GrantFullControl *string

    // Allows grantee to list the objects in the bucket.
    // Not supported for directory buckets.
    GrantRead *string

    // Allows grantee to read the bucket ACL.
    // Not supported for directory buckets.
    GrantReadACP *string

    // Allows grantee to create new objects in the bucket.
    // Not supported for directory buckets.
    GrantWrite *string

    // Allows grantee to write the ACL for the applicable bucket.
    // Not supported for directory buckets.
    GrantWriteACP *string

    // Specifies whether you want S3 Object Lock to be enabled for the new bucket.
    // Not supported for directory buckets.
    ObjectLockEnabledForBucket *bool

    // The container element for object ownership for a bucket's ownership controls.
    // Values: BucketOwnerPreferred, ObjectWriter, BucketOwnerEnforced
    // Not supported for directory buckets (automatically set to BucketOwnerEnforced).
    ObjectOwnership types.ObjectOwnership
}

{ .api }

Output Type - CreateBucketOutput

type CreateBucketOutput struct {
    // The Amazon Resource Name (ARN) of the S3 bucket.
    // Only supported for directory buckets.
    BucketArn *string

    // A forward slash followed by the name of the bucket.
    Location *string

    // Metadata pertaining to the operation's result.
    ResultMetadata middleware.Metadata
}

{ .api }

Supporting Types

CreateBucketConfiguration

type CreateBucketConfiguration struct {
    // Specifies the information about the bucket that will be created.
    // Only supported by directory buckets.
    Bucket *BucketInfo

    // Specifies the location where the bucket will be created.
    // For directory buckets: Availability Zone or Local Zone.
    // Only supported by directory buckets.
    Location *LocationInfo

    // Specifies the Region where the bucket will be created.
    // For general purpose buckets.
    LocationConstraint types.BucketLocationConstraint
}

{ .api }

BucketInfo

type BucketInfo struct {
    // The number of Zone (Availability Zone or Local Zone) used for redundancy.
    DataRedundancy types.DataRedundancy

    // The type of bucket.
    Type types.BucketType
}

{ .api }

BucketCannedACL (Enum)

type BucketCannedACL string

const (
    BucketCannedACLPrivate           BucketCannedACL = "private"
    BucketCannedACLPublicRead        BucketCannedACL = "public-read"
    BucketCannedACLPublicReadWrite   BucketCannedACL = "public-read-write"
    BucketCannedACLAuthenticatedRead BucketCannedACL = "authenticated-read"
)

{ .api }

ObjectOwnership (Enum)

type ObjectOwnership string

const (
    ObjectOwnershipBucketOwnerPreferred ObjectOwnership = "BucketOwnerPreferred"
    ObjectOwnershipObjectWriter         ObjectOwnership = "ObjectWriter"
    ObjectOwnershipBucketOwnerEnforced  ObjectOwnership = "BucketOwnerEnforced"
)

{ .api }

BucketType (Enum)

type BucketType string

const (
    BucketTypeDirectory BucketType = "Directory"
)

{ .api }

DataRedundancy (Enum)

type DataRedundancy string

const (
    DataRedundancySingleAvailabilityZone DataRedundancy = "SingleAvailabilityZone"
    DataRedundancySingleLocalZone        DataRedundancy = "SingleLocalZone"
)

{ .api }

Description

Creates an Amazon S3 bucket. To create a bucket, you must set up Amazon S3 and have a valid Amazon Web Services Access Key ID to authenticate requests.

Bucket Types:

  • General purpose buckets: Standard S3 buckets for most use cases
  • Directory buckets: S3 Express One Zone buckets for high-performance, single-zone storage

Permissions:

  • General purpose buckets: Requires s3:CreateBucket permission. Additional permissions may be required for ACLs, Object Lock, or Object Ownership settings.
  • Directory buckets: Requires s3express:CreateBucket permission in an IAM identity-based policy.

HTTP Host Header Syntax:

  • Directory buckets: s3express-control.region-code.amazonaws.com

DeleteBucket

Deletes an S3 bucket. All objects must be deleted before the bucket can be deleted.

Client Method

func (c *Client) DeleteBucket(ctx context.Context, params *DeleteBucketInput, optFns ...func(*Options)) (*DeleteBucketOutput, error)

{ .api }

Input Type - DeleteBucketInput

type DeleteBucketInput struct {
    // Specifies the bucket being deleted.
    // REQUIRED
    Bucket *string

    // The account ID of the expected bucket owner.
    // Not supported for directory buckets.
    ExpectedBucketOwner *string
}

{ .api }

Output Type - DeleteBucketOutput

type DeleteBucketOutput struct {
    // Metadata pertaining to the operation's result.
    ResultMetadata middleware.Metadata
}

{ .api }

Description

Deletes the S3 bucket. All objects (including all object versions and delete markers) in the bucket must be deleted before the bucket itself can be deleted.

Special Considerations:

  • Directory buckets: If multipart uploads are in progress, you can't delete the bucket until all uploads are aborted or completed.

Permissions:

  • General purpose buckets: Requires s3:DeleteBucket permission
  • Directory buckets: Requires s3express:DeleteBucket permission in an IAM identity-based policy

HTTP Host Header Syntax:

  • Directory buckets: s3express-control.region-code.amazonaws.com

HeadBucket

Determines if a bucket exists and you have permission to access it.

Client Method

func (c *Client) HeadBucket(ctx context.Context, params *HeadBucketInput, optFns ...func(*Options)) (*HeadBucketOutput, error)

{ .api }

Input Type - HeadBucketInput

type HeadBucketInput struct {
    // The bucket name.
    // REQUIRED
    Bucket *string

    // The account ID of the expected bucket owner.
    ExpectedBucketOwner *string
}

{ .api }

Output Type - HeadBucketOutput

type HeadBucketOutput struct {
    // Indicates whether the bucket name used in the request is an access point alias.
    // For directory buckets, this value is false.
    AccessPointAlias *bool

    // The Amazon Resource Name (ARN) of the S3 bucket.
    // Only supported for directory buckets.
    BucketArn *string

    // The name of the location where the bucket will be created.
    // For directory buckets: Zone ID of the Availability Zone or Local Zone.
    // Only supported by directory buckets.
    BucketLocationName *string

    // The type of location where the bucket is created.
    // Only supported by directory buckets.
    BucketLocationType types.LocationType

    // The Region that the bucket is located.
    BucketRegion *string

    // Metadata pertaining to the operation's result.
    ResultMetadata middleware.Metadata
}

{ .api }

Supporting Types

LocationType (Enum)

type LocationType string

const (
    LocationTypeAvailabilityZone LocationType = "AvailabilityZone"
    LocationTypeLocalZone        LocationType = "LocalZone"
)

{ .api }

Description

Determines if a bucket exists and if you have permission to access it. The action returns a 200 OK HTTP status code if the bucket exists and you have permission to access it.

Response Codes:

  • 200 OK: Bucket exists and you have access
  • 400 Bad Request: Generic error (bucket doesn't exist or no permission)
  • 403 Forbidden: No permission
  • 404 Not Found: Bucket doesn't exist

Permissions:

  • General purpose buckets: Requires s3:ListBucket permission
  • Directory buckets: Requires s3express:CreateSession permission

HTTP Host Header Syntax:

  • Directory buckets: Bucket-name.s3express-zone-id.region-code.amazonaws.com

Waiters

BucketExistsWaiter

Waits until a bucket exists.

type BucketExistsWaiter struct {
    client  HeadBucketAPIClient
    options BucketExistsWaiterOptions
}

{ .api }

Constructor:

func NewBucketExistsWaiter(client HeadBucketAPIClient, optFns ...func(*BucketExistsWaiterOptions)) *BucketExistsWaiter

{ .api }

Waiter Options:

type BucketExistsWaiterOptions struct {
    // Set of options to modify how an operation is invoked.
    APIOptions []func(*middleware.Stack) error

    // Functional options to be passed to all operations invoked by this client.
    ClientOptions []func(*Options)

    // MinDelay is the minimum amount of time to delay between retries.
    // Default: 5 seconds
    MinDelay time.Duration

    // MaxDelay is the maximum amount of time to delay between retries.
    // Default: 120 seconds
    MaxDelay time.Duration

    // LogWaitAttempts enables logging for waiter retry attempts.
    LogWaitAttempts bool

    // Retryable is a function to override the service-defined waiter behavior.
    Retryable func(context.Context, *HeadBucketInput, *HeadBucketOutput, error) (bool, error)
}

{ .api }

Methods:

// Wait calls the waiter function. The maxWaitDur is required and must be greater than zero.
func (w *BucketExistsWaiter) Wait(ctx context.Context, params *HeadBucketInput, maxWaitDur time.Duration, optFns ...func(*BucketExistsWaiterOptions)) error

// WaitForOutput calls the waiter function and returns the output of the successful operation.
func (w *BucketExistsWaiter) WaitForOutput(ctx context.Context, params *HeadBucketInput, maxWaitDur time.Duration, optFns ...func(*BucketExistsWaiterOptions)) (*HeadBucketOutput, error)

{ .api }

Example Usage:

waiter := s3.NewBucketExistsWaiter(client)
err := waiter.Wait(context.TODO(), &s3.HeadBucketInput{
    Bucket: aws.String("my-bucket"),
}, 2*time.Minute)

BucketNotExistsWaiter

Waits until a bucket does not exist.

type BucketNotExistsWaiter struct {
    client  HeadBucketAPIClient
    options BucketNotExistsWaiterOptions
}

{ .api }

Constructor:

func NewBucketNotExistsWaiter(client HeadBucketAPIClient, optFns ...func(*BucketNotExistsWaiterOptions)) *BucketNotExistsWaiter

{ .api }

Waiter Options:

type BucketNotExistsWaiterOptions struct {
    // Set of options to modify how an operation is invoked.
    APIOptions []func(*middleware.Stack) error

    // Functional options to be passed to all operations invoked by this client.
    ClientOptions []func(*Options)

    // MinDelay is the minimum amount of time to delay between retries.
    // Default: 5 seconds
    MinDelay time.Duration

    // MaxDelay is the maximum amount of time to delay between retries.
    // Default: 120 seconds
    MaxDelay time.Duration

    // LogWaitAttempts enables logging for waiter retry attempts.
    LogWaitAttempts bool

    // Retryable is a function to override the service-defined waiter behavior.
    Retryable func(context.Context, *HeadBucketInput, *HeadBucketOutput, error) (bool, error)
}

{ .api }

Methods:

// Wait calls the waiter function. The maxWaitDur is required and must be greater than zero.
func (w *BucketNotExistsWaiter) Wait(ctx context.Context, params *HeadBucketInput, maxWaitDur time.Duration, optFns ...func(*BucketNotExistsWaiterOptions)) error

// WaitForOutput calls the waiter function and returns the output of the successful operation.
func (w *BucketNotExistsWaiter) WaitForOutput(ctx context.Context, params *HeadBucketInput, maxWaitDur time.Duration, optFns ...func(*BucketNotExistsWaiterOptions)) (*HeadBucketOutput, error)

{ .api }

Example Usage:

waiter := s3.NewBucketNotExistsWaiter(client)
err := waiter.Wait(context.TODO(), &s3.HeadBucketInput{
    Bucket: aws.String("my-bucket"),
}, 2*time.Minute)

ListBuckets

Returns a list of all buckets owned by the authenticated sender of the request.

Client Method

func (c *Client) ListBuckets(ctx context.Context, params *ListBucketsInput, optFns ...func(*Options)) (*ListBucketsOutput, error)

{ .api }

Input Type - ListBucketsInput

type ListBucketsInput struct {
    // Limits the response to buckets that are located in the specified AWS Region.
    BucketRegion *string

    // ContinuationToken indicates to Amazon S3 that the list is being continued.
    // Length Constraints: Minimum 0, Maximum 1024.
    ContinuationToken *string

    // Maximum number of buckets to be returned in response.
    MaxBuckets *int32

    // Limits the response to bucket names that begin with the specified prefix.
    Prefix *string
}

{ .api }

Output Type - ListBucketsOutput

type ListBucketsOutput struct {
    // The list of buckets owned by the requester.
    Buckets []types.Bucket

    // ContinuationToken is included when there are more buckets that can be listed.
    ContinuationToken *string

    // The owner of the buckets listed.
    Owner *types.Owner

    // If Prefix was sent with the request, it is included in the response.
    Prefix *string

    // Metadata pertaining to the operation's result.
    ResultMetadata middleware.Metadata
}

{ .api }

Supporting Types

Bucket

type Bucket struct {
    // The Amazon Resource Name (ARN) of the S3 bucket.
    // Only supported for directory buckets.
    BucketArn *string

    // The AWS region where the bucket is located.
    BucketRegion *string

    // Date the bucket was created.
    CreationDate *time.Time

    // The name of the bucket.
    Name *string
}

{ .api }

Owner

type Owner struct {
    // Container for the display name of the owner.
    // Only supported in specific regions (US East, US West, AP regions, EU Ireland, SA Sao Paulo).
    // Not supported for directory buckets.
    DisplayName *string

    // Container for the ID of the owner.
    ID *string
}

{ .api }

Description

Returns a list of all buckets owned by the authenticated sender of the request. Not supported for directory buckets.

Important Notes:

  • Strongly recommend using paginated requests: Unpaginated requests are only supported for AWS accounts with the default 10,000 bucket quota.
  • Accounts with approved quotas above 10,000 must use paginated requests.

Permissions:

  • Requires s3:ListAllMyBuckets policy action

Paginator

ListBucketsPaginator

Provides automatic pagination for ListBuckets operation.

type ListBucketsPaginator struct {
    options   ListBucketsPaginatorOptions
    client    ListBucketsAPIClient
    params    *ListBucketsInput
    nextToken *string
    firstPage bool
}

{ .api }

Constructor:

func NewListBucketsPaginator(client ListBucketsAPIClient, params *ListBucketsInput, optFns ...func(*ListBucketsPaginatorOptions)) *ListBucketsPaginator

{ .api }

Paginator Options:

type ListBucketsPaginatorOptions struct {
    // Maximum number of buckets to be returned in response.
    Limit int32

    // Set to true if pagination should stop when service returns a duplicate token.
    StopOnDuplicateToken bool
}

{ .api }

Methods:

// HasMorePages returns a boolean indicating whether more pages are available.
func (p *ListBucketsPaginator) HasMorePages() bool

// NextPage retrieves the next ListBuckets page.
func (p *ListBucketsPaginator) NextPage(ctx context.Context, optFns ...func(*Options)) (*ListBucketsOutput, error)

{ .api }

Example Usage:

paginator := s3.NewListBucketsPaginator(client, &s3.ListBucketsInput{
    Prefix: aws.String("my-prefix-"),
})

for paginator.HasMorePages() {
    page, err := paginator.NextPage(context.TODO())
    if err != nil {
        // Handle error
    }
    // Process page.Buckets
}

ListDirectoryBuckets

Returns a list of all Amazon S3 directory buckets owned by the authenticated sender of the request.

Client Method

func (c *Client) ListDirectoryBuckets(ctx context.Context, params *ListDirectoryBucketsInput, optFns ...func(*Options)) (*ListDirectoryBucketsOutput, error)

{ .api }

Input Type - ListDirectoryBucketsInput

type ListDirectoryBucketsInput struct {
    // ContinuationToken indicates to Amazon S3 that the list is being continued.
    // Length Constraints: Minimum 0, Maximum 1024.
    ContinuationToken *string

    // Maximum number of buckets to be returned in response.
    MaxDirectoryBuckets *int32
}

{ .api }

Output Type - ListDirectoryBucketsOutput

type ListDirectoryBucketsOutput struct {
    // The list of buckets owned by the requester.
    Buckets []types.Bucket

    // If ContinuationToken was sent with the request, it is included in the response.
    ContinuationToken *string

    // Metadata pertaining to the operation's result.
    ResultMetadata middleware.Metadata
}

{ .api }

Description

Returns a list of all Amazon S3 directory buckets owned by the authenticated sender of the request. For more information about directory buckets, see Directory buckets in the Amazon S3 User Guide.

Permissions:

  • Requires s3express:ListAllMyDirectoryBuckets permission in an IAM identity-based policy

HTTP Host Header Syntax:

  • s3express-control.region.amazonaws.com

Note: The BucketRegion response element is not part of the ListDirectoryBuckets Response Syntax.

Paginator

ListDirectoryBucketsPaginator

Provides automatic pagination for ListDirectoryBuckets operation.

type ListDirectoryBucketsPaginator struct {
    options   ListDirectoryBucketsPaginatorOptions
    client    ListDirectoryBucketsAPIClient
    params    *ListDirectoryBucketsInput
    nextToken *string
    firstPage bool
}

{ .api }

Constructor:

func NewListDirectoryBucketsPaginator(client ListDirectoryBucketsAPIClient, params *ListDirectoryBucketsInput, optFns ...func(*ListDirectoryBucketsPaginatorOptions)) *ListDirectoryBucketsPaginator

{ .api }

Paginator Options:

type ListDirectoryBucketsPaginatorOptions struct {
    // Maximum number of buckets to be returned in response.
    Limit int32

    // Set to true if pagination should stop when service returns a duplicate token.
    StopOnDuplicateToken bool
}

{ .api }

Methods:

// HasMorePages returns a boolean indicating whether more pages are available.
func (p *ListDirectoryBucketsPaginator) HasMorePages() bool

// NextPage retrieves the next ListDirectoryBuckets page.
func (p *ListDirectoryBucketsPaginator) NextPage(ctx context.Context, optFns ...func(*Options)) (*ListDirectoryBucketsOutput, error)

{ .api }

Example Usage:

paginator := s3.NewListDirectoryBucketsPaginator(client, &s3.ListDirectoryBucketsInput{})

for paginator.HasMorePages() {
    page, err := paginator.NextPage(context.TODO())
    if err != nil {
        // Handle error
    }
    // Process page.Buckets
}

GetBucketLocation

Returns the Region where a bucket resides.

Note: Using this operation is no longer a best practice. AWS recommends using HeadBucket instead, which returns the bucket location through an HTTP response header whether access is authorized or not.

Client Method

func (c *Client) GetBucketLocation(ctx context.Context, params *GetBucketLocationInput, optFns ...func(*Options)) (*GetBucketLocationOutput, error)

{ .api }

Input Type - GetBucketLocationInput

type GetBucketLocationInput struct {
    // The name of the bucket for which to get the location.
    // REQUIRED
    Bucket *string

    // The account ID of the expected bucket owner.
    ExpectedBucketOwner *string
}

{ .api }

Output Type - GetBucketLocationOutput

type GetBucketLocationOutput struct {
    // Specifies the Region where the bucket resides.
    // Buckets in us-east-1 have a LocationConstraint of null.
    // Buckets with LocationConstraint of EU reside in eu-west-1.
    LocationConstraint types.BucketLocationConstraint

    // Metadata pertaining to the operation's result.
    ResultMetadata middleware.Metadata
}

{ .api }

Supporting Types

BucketLocationConstraint (Enum)

type BucketLocationConstraint string

const (
    BucketLocationConstraintAfSouth1     BucketLocationConstraint = "af-south-1"
    BucketLocationConstraintApEast1      BucketLocationConstraint = "ap-east-1"
    BucketLocationConstraintApNortheast1 BucketLocationConstraint = "ap-northeast-1"
    BucketLocationConstraintApNortheast2 BucketLocationConstraint = "ap-northeast-2"
    BucketLocationConstraintApNortheast3 BucketLocationConstraint = "ap-northeast-3"
    BucketLocationConstraintApSouth1     BucketLocationConstraint = "ap-south-1"
    BucketLocationConstraintApSouth2     BucketLocationConstraint = "ap-south-2"
    BucketLocationConstraintApSoutheast1 BucketLocationConstraint = "ap-southeast-1"
    BucketLocationConstraintApSoutheast2 BucketLocationConstraint = "ap-southeast-2"
    BucketLocationConstraintApSoutheast3 BucketLocationConstraint = "ap-southeast-3"
    BucketLocationConstraintApSoutheast4 BucketLocationConstraint = "ap-southeast-4"
    BucketLocationConstraintApSoutheast5 BucketLocationConstraint = "ap-southeast-5"
    BucketLocationConstraintCaCentral1   BucketLocationConstraint = "ca-central-1"
    BucketLocationConstraintCaWest1      BucketLocationConstraint = "ca-west-1"
    BucketLocationConstraintCnNorth1     BucketLocationConstraint = "cn-north-1"
    BucketLocationConstraintCnNorthwest1 BucketLocationConstraint = "cn-northwest-1"
    BucketLocationConstraintEU           BucketLocationConstraint = "EU"
    BucketLocationConstraintEuCentral1   BucketLocationConstraint = "eu-central-1"
    BucketLocationConstraintEuCentral2   BucketLocationConstraint = "eu-central-2"
    BucketLocationConstraintEuNorth1     BucketLocationConstraint = "eu-north-1"
    BucketLocationConstraintEuSouth1     BucketLocationConstraint = "eu-south-1"
    BucketLocationConstraintEuSouth2     BucketLocationConstraint = "eu-south-2"
    BucketLocationConstraintEuWest1      BucketLocationConstraint = "eu-west-1"
    BucketLocationConstraintEuWest2      BucketLocationConstraint = "eu-west-2"
    BucketLocationConstraintEuWest3      BucketLocationConstraint = "eu-west-3"
    BucketLocationConstraintIlCentral1   BucketLocationConstraint = "il-central-1"
    BucketLocationConstraintMeCentral1   BucketLocationConstraint = "me-central-1"
    BucketLocationConstraintMeSouth1     BucketLocationConstraint = "me-south-1"
    BucketLocationConstraintSaEast1      BucketLocationConstraint = "sa-east-1"
    BucketLocationConstraintUsEast2      BucketLocationConstraint = "us-east-2"
    BucketLocationConstraintUsGovEast1   BucketLocationConstraint = "us-gov-east-1"
    BucketLocationConstraintUsGovWest1   BucketLocationConstraint = "us-gov-west-1"
    BucketLocationConstraintUsWest1      BucketLocationConstraint = "us-west-1"
    BucketLocationConstraintUsWest2      BucketLocationConstraint = "us-west-2"
)

{ .api }

Description

Returns the Region where the bucket resides. This operation is not supported for directory buckets.

Important Notes:

  • In a bucket's home Region, calls to GetBucketLocation are governed by the bucket's policy
  • In other Regions, the bucket policy doesn't apply (cross-account access won't be authorized)
  • HeadBucket always returns the bucket's location through an HTTP response header, making it the recommended approach

Special Values:

  • Buckets in Region us-east-1 have a LocationConstraint of null
  • Buckets with LocationConstraint EU reside in eu-west-1

CreateSession

Creates a session that establishes temporary security credentials for Zonal endpoint API operations on directory buckets (S3 Express One Zone).

Client Method

func (c *Client) CreateSession(ctx context.Context, params *CreateSessionInput, optFns ...func(*Options)) (*CreateSessionOutput, error)

{ .api }

Input Type - CreateSessionInput

type CreateSessionInput struct {
    // The name of the bucket that you create a session for.
    // REQUIRED
    Bucket *string

    // Specifies whether Amazon S3 should use an S3 Bucket Key for object encryption.
    // S3 Bucket Keys are always enabled for GET and PUT operations in directory buckets.
    BucketKeyEnabled *bool

    // Specifies the AWS KMS Encryption Context as an additional encryption context.
    // Base64 encoded string of UTF-8 encoded JSON with encryption context key-value pairs.
    SSEKMSEncryptionContext *string

    // The ID (Key ID or Key ARN) of the KMS symmetric encryption customer managed key.
    // Required if ServerSideEncryption is aws:kms.
    // Only 1 customer managed key is supported per directory bucket lifetime.
    SSEKMSKeyId *string

    // The server-side encryption algorithm to use when storing objects.
    // Options: AES256 (SSE-S3) or aws:kms (SSE-KMS)
    // For FSx access points: aws:fsx
    ServerSideEncryption types.ServerSideEncryption

    // Specifies the mode of the session: ReadWrite or ReadOnly.
    // Default: ReadWrite
    SessionMode types.SessionMode
}

{ .api }

Output Type - CreateSessionOutput

type CreateSessionOutput struct {
    // The established temporary security credentials for the created session.
    // REQUIRED
    Credentials *types.SessionCredentials

    // Indicates whether to use an S3 Bucket Key for SSE-KMS.
    BucketKeyEnabled *bool

    // The AWS KMS Encryption Context used for object encryption.
    SSEKMSEncryptionContext *string

    // The ID of the KMS symmetric encryption customer managed key used.
    SSEKMSKeyId *string

    // The server-side encryption algorithm used.
    ServerSideEncryption types.ServerSideEncryption

    // Metadata pertaining to the operation's result.
    ResultMetadata middleware.Metadata
}

{ .api }

Supporting Types

SessionCredentials

type SessionCredentials struct {
    // A unique identifier associated with a secret access key.
    // REQUIRED
    AccessKeyId *string

    // Temporary security credentials expire after a specified interval.
    // After expiration, any calls with those credentials will fail.
    // REQUIRED
    Expiration *time.Time

    // A key used to cryptographically sign programmatic AWS requests.
    // REQUIRED
    SecretAccessKey *string

    // A part of the temporary security credentials used to validate them.
    // REQUIRED
    SessionToken *string
}

{ .api }

ServerSideEncryption (Enum)

type ServerSideEncryption string

const (
    ServerSideEncryptionAes256     ServerSideEncryption = "AES256"
    ServerSideEncryptionAwsFsx     ServerSideEncryption = "aws:fsx"
    ServerSideEncryptionAwsKms     ServerSideEncryption = "aws:kms"
    ServerSideEncryptionAwsKmsDsse ServerSideEncryption = "aws:kms:dsse"
)

{ .api }

SessionMode (Enum)

type SessionMode string

const (
    SessionModeReadOnly  SessionMode = "ReadOnly"
    SessionModeReadWrite SessionMode = "ReadWrite"
)

{ .api }

Description

Creates a session that establishes temporary security credentials to support fast authentication and authorization for Zonal endpoint API operations on directory buckets. Sessions enable low-latency access to directory buckets.

Session Characteristics:

  • Temporary security credentials expire after 5 minutes
  • Credentials cannot be extended or refreshed beyond the original interval
  • AWS SDKs handle automatic session token refreshes to avoid service interruptions
  • Sessions are scoped to a specific bucket

Session Modes:

  • ReadWrite: Can execute all Zonal endpoint API operations
  • ReadOnly: Limited to GetObject, HeadObject, ListObjectsV2, GetObjectAttributes, ListParts, and ListMultipartUploads

Encryption: For directory buckets, two server-side encryption options are supported:

  • SSE-S3 (AES256): Amazon S3 managed keys
  • SSE-KMS (aws:kms): KMS keys (customer managed keys only, not AWS managed keys)

Important Notes:

  • Only 1 customer managed key is supported per directory bucket for its lifetime
  • In Zonal endpoint API calls (except CopyObject and UploadPartCopy), you cannot override encryption settings from the CreateSession request
  • The AWS managed key (aws/s3) is not supported

Permissions:

  • Requires s3express:CreateSession permission in a bucket policy or IAM identity-based policy
  • Can use s3express:SessionMode condition key to control ReadWrite or ReadOnly session creation
  • For SSE-KMS encryption: Also requires kms:GenerateDataKey and kms:Decrypt permissions

HTTP Host Header Syntax:

  • Bucket-name.s3express-zone-id.region-code.amazonaws.com

Authentication:

  • Unlike other Zonal endpoint operations, CopyObject and HeadBucket don't use session credentials
  • All other Zonal endpoint operations use session credentials for authentication and authorization