import type { GrantReplicationPermissionProps } from './bucket';
import type { IBucketRef } from './s3.generated';
import type { IGrantable } from '../../aws-iam';
import { Grant } from '../../aws-iam';
import type * as iam from '../../aws-iam/lib/grant';
/**
 * Collection of grant methods for a Bucket
 */
export declare class BucketGrants {
    private readonly bucket;
    private readonly encryptedResource?;
    private readonly policyResource?;
    /**
     * Creates grants for an IBucketRef
     */
    static fromBucket(bucket: IBucketRef): BucketGrants;
    private constructor();
    /**
     * Grant read permissions for this bucket and its contents to an IAM
     * principal (Role/Group/User).
     *
     * If encryption is used, permission to use the key to decrypt the contents
     * of the bucket will also be granted to the same principal.
     *
     * @param identity The principal
     * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
     */
    read(identity: IGrantable, objectsKeyPattern?: any): Grant;
    /**
     * Grant write permissions for this bucket and its contents to an IAM
     * principal (Role/Group/User).
     *
     * If encryption is used, permission to use the key to decrypt the contents
     * of the bucket will also be granted to the same principal.
     *
     * @param identity The principal
     * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
     */
    write(identity: IGrantable, objectsKeyPattern?: any, allowedActionPatterns?: string[]): Grant;
    /**
     * Grants s3:DeleteObject* permission to an IAM principal for objects
     * in this bucket.
     *
     * @param grantee The principal
     * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
     */
    delete(grantee: IGrantable, objectsKeyPattern?: any): Grant;
    /**
     * Allows unrestricted access to objects from this bucket.
     *
     * IMPORTANT: This permission allows anyone to perform actions on S3 objects
     * in this bucket, which is useful for when you configure your bucket as a
     * website and want everyone to be able to read objects in the bucket without
     * needing to authenticate.
     *
     * Without arguments, this method will grant read ("s3:GetObject") access to
     * all objects ("*") in the bucket.
     *
     * The method returns the `iam.Grant` object, which can then be modified
     * as needed. For example, you can add a condition that will restrict access only
     * to an IPv4 range like this:
     *
     *     const grant = bucket.grantPublicAccess();
     *     grant.resourceStatement!.addCondition(‘IpAddress’, { “aws:SourceIp”: “54.240.143.0/24” });
     *
     * Note that if this `IBucket` refers to an existing bucket, possibly not
     * managed by CloudFormation, this method will have no effect, since it's
     * impossible to modify the policy of an existing bucket.
     *
     * @param keyPrefix the prefix of S3 object keys (e.g. `home/*`). Default is "*".
     * @param allowedActions the set of S3 actions to allow. Default is "s3:GetObject".
     */
    publicAccess(keyPrefix?: string, ...allowedActions: string[]): Grant;
    /**
     * Grants s3:PutObject* and s3:Abort* permissions for this bucket to an IAM principal.
     *
     * If encryption is used, permission to use the key to encrypt the contents
     * of written files will also be granted to the same principal.
     * @param identity The principal
     * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
     */
    put(identity: IGrantable, objectsKeyPattern?: any): Grant;
    /**
     * Grants s3:PutObjectAcl and s3:PutObjectVersionAcl permissions for this bucket to an IAM principal.
     *
     * If encryption is used, permission to use the key to encrypt the contents
     * of written files will also be granted to the same principal.
     * @param identity The principal
     * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
     */
    putAcl(identity: IGrantable, objectsKeyPattern?: string): Grant;
    /**
     * Grants the given actions on the bucket's objects to the given principal.
     *
     * KMS actions (prefixed with `kms:`) are automatically separated and granted on the encryption key.
     *
     * @param identity The principal to grant permissions to.
     * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*').
     * @param actions The S3 and/or KMS actions to grant.
     */
    actionsOnObjectKeys(identity: IGrantable, objectsKeyPattern?: string, ...actions: string[]): Grant;
    /**
     * Grants the given actions on both the bucket and the bucket's objects to the given principal.
     *
     * KMS actions (prefixed with `kms:`) are automatically separated and granted on the encryption key.
     *
     * @param identity The principal to grant permissions to.
     * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*').
     * @param actions The S3 and/or KMS actions to grant.
     */
    actionsOnBucketAndObjectKeys(identity: IGrantable, objectsKeyPattern?: string, ...actions: string[]): Grant;
    /**
     * Grant read and write permissions for this bucket and its contents to an IAM
     * principal (Role/Group/User).
     *
     * If encryption is used, permission to use the key to decrypt the contents
     * of the bucket will also be granted to the same principal.
     *
     * @param identity The principal
     * @param objectsKeyPattern Restrict the permission to a certain key pattern (default '*'). Parameter type is `any` but `string` should be passed in.
     */
    readWrite(identity: IGrantable, objectsKeyPattern?: any): Grant;
    private get putActions();
    private get writeActions();
    /**
     * Grant replication permission to a principal.
     * This method allows the principal to perform replication operations on this bucket.
     *
     * Note that when calling this function for source or destination buckets that support KMS encryption,
     * you need to specify the KMS key for encryption and the KMS key for decryption, respectively.
     *
     * @param identity The principal to grant replication permission to.
     * @param props The properties of the replication source and destination buckets.
     */
    replicationPermission(identity: IGrantable, props: GrantReplicationPermissionProps): iam.Grant;
    private grantActions;
    private grant;
    private arnForObjects;
}