With Access Control Lists (ACLs), you can define specific permissions at the bucket level and single object level for a granular access policy. ACLs are not inherited from parent objects.

ACLs let you manage access to buckets and objects with read, write, read ACP, write ACP, and full control (read + write) rights. You can make your objects accessible by their public URL, your buckets writable by your team, and so on.

When you add an object (bucket, file, folder), you are its owner, and the owner always has FULL_CONTROL of the object.

Restricting API operations to a bucket

If you need to restrict API access to a certain bucket, such as issuing an API key allowed to only list or write objects on a single bucket, see IAM.

Add an ACL

From the Exoscale Portal

Select the Storage section from the main navigation on the left to display the list of your buckets.

Click on the Edit icon for your object. You are presented with the ACLs for your object.

You have two ways of adding ACLs:

  • Using the Quick ACL menu: these are presets for commonly used ACLs, known as “canned ACLs”. For example, making a file available for Public Read; see the list below.

  • Editing ACLs manually: for each permission you can enter an Organization ID (found in the IAM section).

Note: editing the ACLs manually will remove the Quick ACL previously set.

From a command line tool

We assume for this example that you are using the AWS CLI and its aws s3api command.

The put-bucket-acl and put-object-acl commands modify the ACLs of a bucket and of an object respectively.

You can then use the following options:

  • --bucket <bucket>
  • --key <object> (put-object-acl only)
  • --acl <value> uses a canned ACL
  • --access-control-policy <value> lets you configure your ACL using a JSON structure

$ aws s3api put-bucket-acl --acl public-read --bucket <bucket>

View ACLs

From the Portal

To view the ACL associated with an object, edit the object:

  • Select the Storage section from the main navigation
  • Navigate to your object
  • Click on the Edit icon for the object

From command line tool

We assume for this example that you are using the AWS CLI and its aws s3api command.

The get-bucket-acl command returns the ACL information of a bucket. The get-object-acl command returns the ACL information of an object.

$ aws s3api get-bucket-acl --bucket deleteme
{
    "Owner": {
        "DisplayName": "exoscale.community@exoscale.ch",
        "ID": "33bda34b-82ac-4686-a5f9-7b542cbfc649"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "exoscale.community@exoscale.ch",
                "ID": "33bda34b-82ac-4686-a5f9-7b542cbfc649",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ"
        }
    ]
}

$ aws s3api get-object-acl --bucket my-new-bucket --key picture.jpg

{
    "Owner": {
        "DisplayName": "exoscale.community@exoscale.ch",
        "ID": "33bda34b-82ac-4686-a5f9-7b542cbfc649"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "exoscale.community@exoscale.ch",
                "ID": "33bda34b-82ac-4686-a5f9-7b542cbfc649",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}

Here the bucket is readable by anyone (the AllUsers group has READ), while the object is readable only by its owner, who has FULL_CONTROL.
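As an added example (not part of the original page or of the aws cli), the following Python script audits the JSON returned by get-bucket-acl / get-object-acl for grants made to a group rather than to a specific account, and builds an --access-control-policy document that keeps only the owner's FULL_CONTROL (the same result as the private canned ACL). The sample ACL and its owner ID are constructed; the AuthenticatedUsers group URI is the standard S3 one and does not appear on this page.

```python
import json

# Group URIs used by S3-style ACLs for "everyone" and "any signed-in user".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}


def public_grants(acl):
    """Return [(group, permission), ...] for every grant whose grantee is one
    of the public groups, i.e. the grants that expose a bucket or object to
    people who are not its owner."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return found


def private_policy(acl):
    """Build an access-control-policy document that keeps only the owner's
    FULL_CONTROL grant. Save it to policy.json and apply it with:
    aws s3api put-bucket-acl --bucket <bucket> --access-control-policy file://policy.json"""
    owner = acl["Owner"]
    return {
        "Owner": owner,
        "Grants": [
            {
                "Grantee": {"ID": owner["ID"], "Type": "CanonicalUser"},
                "Permission": "FULL_CONTROL",
            }
        ],
    }


# Constructed sample shaped like the get-bucket-acl output above
# (placeholder owner ID, not a real account).
SAMPLE_ACL = json.loads("""
{
  "Owner": {"DisplayName": "owner@example.com", "ID": "00000000-0000-0000-0000-000000000000"},
  "Grants": [
    {"Grantee": {"DisplayName": "owner@example.com", "ID": "00000000-0000-0000-0000-000000000000", "Type": "CanonicalUser"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}
  ]
}
""")

if __name__ == "__main__":
    for group, perm in public_grants(SAMPLE_ACL):
        print(f"exposed: {group} has {perm}")
    print(json.dumps(private_policy(SAMPLE_ACL), indent=2))
```

Pipe the real output of get-bucket-acl into json.loads instead of SAMPLE_ACL to audit your own buckets; an empty list from public_grants means nothing is granted to a group.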

Delete an ACL

From the Portal

To delete the ACL associated with an object, edit the object:

  • Select the Storage section from the main navigation
  • Navigate to the object
  • Click on the Edit icon of the object

Then click on the Quick ACL menu and choose Private. This reverts the object to the default settings.

If you need to delete a specific entry, you have to use the Manual Edit button which lets you specify all fields.

Canned ACLs

For buckets

  • private
  • public-read
  • public-read-write
  • authenticated-read

For files/folders

  • private
  • public-read
  • public-read-write
  • authenticated-read
  • bucket-owner-read
  • bucket-owner-full-control