Manage bucket policies
Learn how to use the Storage Access API to manage bucket policies for the InsuranceSuite applications. For details about bucket policies, see Storage access to AWS S3 buckets in the Cloud Platform documentation.
To manage bucket policies, you need to authenticate with Guidewire Hub and obtain an access token with the following scopes:
- For the GET method: `storage.bucketpolicy.read` or `storage.bucketpolicy.write`, and `tenant.{TENANT_ID}`
- For the POST, PUT, and DELETE methods: `storage.bucketpolicy.write` and `tenant.{TENANT_ID}`
Users with the write scope have the read scope granted automatically.
All sample requests in this guide include the following path parameters:
| Parameter name | Description |
|---|---|
| tenantId | Your tenant ID. |
| projectId | ID of the star system for which you modify user access keys. |
| storageId | Type of S3 bucket: `storage` for InsuranceSuite, `cda` for Cloud Data Access. |
Create a bucket access policy
To create a bucket access policy, send the following POST request:
curl -X 'POST' \
'{baseUrl}/api/v2/tenants/{tenantId}/projects/{projectId}/s3-buckets/{storageId}/policies/access' \
-H 'accept: application/json' \
-H 'Authorization: Bearer ${ACCESS_TOKEN}' \
-d '${BODY}'
Where ${BODY} contains the provided bucket policy data. For example, to create a bucket access policy,
use the following:
{
"principal": "arn:aws:iam::123456789:role/some-aws-principal",
"allowedIPs": ["70.22.22.22/24", "66.22.22.22/32"],
"allowedVPCEs": ["vpce-0dbabcd", "vpce-0dbabcdfgh"]
}
Where:
- `principal` is the AWS principal that can access the bucket.
- `allowedIPs` and `allowedVPCEs` are optional parameters that restrict access further:
  - `allowedIPs` is a list of allowed IP address ranges (CIDR notation) that can access the S3 bucket.
  - `allowedVPCEs` is a list of allowed VPC (Virtual Private Cloud) endpoints that can access the S3 bucket.
Response contains a JSON object with details of the created policy, for example:
{
"principals": [
"arn:aws:iam::123456789:role/some-aws-principal"
],
"allowedIPs": ["70.22.22.22/24", "66.22.22.22/32"],
"allowedVPCEs": ["vpce-0dbabcd", "vpce-0dbabcdfgh"],
"bucketName": "abcdef-{tenantId}-{projectId}-{storageId}-123xyz",
"storageId": "{storageId}"
}
Get bucket access policy details
To get the details of the bucket access policy, use the following GET request:
curl -X 'GET' \
'{baseUrl}/api/v2/tenants/{tenantId}/projects/{projectId}/s3-buckets/{storageId}/policies/access' \
-H 'accept: application/json' \
-H 'Authorization: Bearer ${ACCESS_TOKEN}'
The response contains a JSON object with details of the policy, for example:
{
"principals": [
"arn:aws:iam::123456789:role/some-aws-principal"
],
"allowedIPs": ["70.22.22.22/24", "66.22.22.22/32"],
"allowedVPCEs": ["vpce-0dbabcd", "vpce-0dbabcdfgh"],
"bucketName": "abcdef-{tenantId}-{projectId}-{storageId}-123xyz",
"storageId": "{storageId}"
}
Update a bucket access policy
To update a bucket access policy, send the following PUT request:
curl -X 'PUT' \
'{baseUrl}/api/v2/tenants/{tenantId}/projects/{projectId}/s3-buckets/{storageId}/policies/access' \
-H 'accept: application/json' \
-H 'Authorization: Bearer ${ACCESS_TOKEN}' \
-d '${BODY}'
Where ${BODY} contains the provided bucket policy data. For example, to delete a VPC endpoint from a bucket access
policy, use the following:
{
"principal": "arn:aws:iam::123456789:role/some-aws-principal",
"allowedIPs": ["70.22.22.22/24", "66.22.22.22/32"],
"allowedVPCEs": ["vpce-0dbabcd"]
}
Response contains a JSON object with details of the updated policy, for example:
{
"principals": [
"arn:aws:iam::123456789:role/some-aws-principal"
],
"allowedIPs": ["70.22.22.22/24", "66.22.22.22/32"],
"allowedVPCEs": ["vpce-0dbabcd"],
"bucketName": "abcdef-{tenantId}-{projectId}-{storageId}-123xyz",
"storageId": "{storageId}"
}
Delete a bucket access policy
To delete a bucket access policy, send the following DELETE request without a request body:
curl -X 'DELETE' \
'{baseUrl}/api/v2/tenants/{tenantId}/projects/{projectId}/s3-buckets/{storageId}/policies/access' \
-H 'accept: application/json' \
-H 'Authorization: Bearer ${ACCESS_TOKEN}'
A successful request returns HTTP status code 204 (No Content).