# GetBucketPolicy

If you are using an identity other than the root user of the Petabox account that owns the bucket, the calling identity must have the `GetBucketPolicy` permissions on the specified bucket and belong to the bucket owner's account in order to use this operation.

If you don't have `GetBucketPolicy` permissions, Petabox returns a `403 Access Denied` error. If you have the correct permissions, but you're not using an identity that belongs to the bucket owner's account, Petabox returns a `405 Method Not Allowed` error.

{% hint style="danger" %}
**Important**

To ensure that bucket owners don't inadvertently lock themselves out of their own buckets, the root principal in a bucket owner's Petabox account can perform the `GetBucketPolicy`, `PutBucketPolicy`, and `DeleteBucketPolicy` API actions, even if their bucket policy explicitly denies the root principal's access.
{% endhint %}

## Request Syntax <a href="#api_getbucketpolicy_requestsyntax" id="api_getbucketpolicy_requestsyntax"></a>

```http
GET /?policy HTTP/1.1
Host: Bucket.s3.petabox.io
x-amz-expected-bucket-owner: ExpectedBucketOwner
```

## URI Request Parameters <a href="#api_getbucketpolicy_requestparameters" id="api_getbucketpolicy_requestparameters"></a>

The request uses the following URI parameters.

#### Bucket

The bucket name for which to get the bucket policy.

Required: Yes

#### x-amz-expected-bucket-owner

The account ID of the expected bucket owner. If the bucket is owned by a different account, the request fails with the HTTP status code `403 Forbidden` (access denied).

## Request Body <a href="#api_getbucketpolicy_requestbody" id="api_getbucketpolicy_requestbody"></a>

The request does not have a request body.

## Response Syntax <a href="#api_getbucketpolicy_responsesyntax" id="api_getbucketpolicy_responsesyntax"></a>

```http
HTTP/1.1 200

{ Policy in JSON format }
```

## Response Elements <a href="#api_getbucketpolicy_responseelements" id="api_getbucketpolicy_responseelements"></a>

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

## Examples <a href="#api_getbucketpolicy_examples" id="api_getbucketpolicy_examples"></a>

### Sample Request <a href="#api_getbucketpolicy_example_1" id="api_getbucketpolicy_example_1"></a>

The following request returns the policy of the specified bucket.

```http
GET /?policy HTTP/1.1
Host: bucket.s3.<Region>.petabox.io
Date: Wed, 28 Oct 2009 22:32:00 GMT
Authorization: authorization string
```

### Sample Response <a href="#api_getbucketpolicy_example_2" id="api_getbucketpolicy_example_2"></a>

This example illustrates one usage of GetBucketPolicy.

```http
HTTP/1.1 200 OK
x-amz-id-2: Uuag1LuByru9pO4SAMPLEAtRPfTaOFg==
x-amz-request-id: 656c76696e67SAMPLE57374
Date: Tue, 04 Apr 2010 20:34:56 GMT
Connection: keep-alive
Server: Petabox

{
    "Version": "2008-10-17",
    "Id": "aaaa-bbbb-cccc-dddd",
    "Statement": [
        {
            "Effect": "Deny",
            "Sid": "1",
            "Principal": {
                "AWS": ["111122223333", "444455556666"]
            },
            "Action": ["s3:*"],
            "Resource": "arn:aws:s3:::bucket/*"
        }
    ]
}
```
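
The following is an added example, not part of the Petabox documentation. It audits a policy document returned by `GetBucketPolicy` for `Deny` statements that would block the three policy-management actions named in the Important note above. The function and variable names are hypothetical, and the matching rules (case-insensitive actions, `*` wildcards, policy actions evaluated against the bucket ARN) are assumed to follow S3-style policy semantics.

```python
import json
from fnmatch import fnmatchcase

# Policy-management actions named in the page's "Important" hint.
POLICY_ACTIONS = ("s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy")

# Policy body from the page's sample response.
PAGE_SAMPLE = """{"Version":"2008-10-17","Id":"aaaa-bbbb-cccc-dddd","Statement":[
  {"Effect":"Deny","Sid":"1","Principal":{"AWS":["111122223333","444455556666"]},
   "Action":["s3:*"],"Resource":"arn:aws:s3:::bucket/*"}]}"""

# Constructed variant: the same Deny, widened to the bucket ARN itself.
CONSTRUCTED = PAGE_SAMPLE.replace(
    '"arn:aws:s3:::bucket/*"', '["arn:aws:s3:::bucket","arn:aws:s3:::bucket/*"]')

def _as_list(value):
    """Policy fields may hold one value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    """Flatten Principal, which is either "*" or a map such as {"AWS": [...]}."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return [p for vals in principal.values() for p in _as_list(vals)]
    return _as_list(principal)

def lockout_findings(policy_json, bucket):
    """Return the Deny statements that block policy management on `bucket`.

    Assumptions: actions match case-insensitively with '*' wildcards, and the
    three policy actions are evaluated against the bucket ARN, not object ARNs.
    NotAction, NotPrincipal and NotResource are not evaluated.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        blocked = [a for a in POLICY_ACTIONS
                   if any(fnmatchcase(a.lower(), p) for p in patterns)]
        on_bucket = any(fnmatchcase(bucket_arn, r) for r in _as_list(stmt.get("Resource")))
        if blocked and on_bucket:
            findings.append({"sid": stmt.get("Sid"), "principals": _principals(stmt),
                             "blocked": blocked, "conditional": "Condition" in stmt})
    return findings
```

Under these assumptions the page's sample policy yields no findings, because its `Resource` covers only objects (`bucket/*`), while the constructed variant reports statement `1` as blocking all three actions for both listed principals. As the Important note states, the root principal of the bucket owner's account can still perform those actions in that case.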
