Managing Simple Object Storage ACL
With Access Control Lists (ACLs), you can define specific permissions at the bucket level and single object level for a granular access policy. ACLs are not inherited from parent objects.
ACLs let you manage access to buckets and objects with read, write, read ACP, write ACP, and full control (read + write) rights. You can make your objects accessible by their public URL, your buckets writable by your team, and so on.
When you add an object (bucket, file, folder), you are the owner
will always have FULL_CONTROL
of the object.
Restricting API operations to a bucket
If you need to restrict API access to a certain bucket, such as issuing an API key allowed to only list or write objects on a single bucket, see IAM.
Add an ACL
From the Exoscale Portal
Select the Storage
section from the main navigation on the left to display the list of your buckets.
click on on the Edit
icon for your object. You are presented with the ACLs for
your object.
You have two ways of adding ACLs:
-
Using the Quick AC* menu: these are presets for commonly used ACLs, known as “canned ACLs”. For example, setting a file available for Public Read; see the list below.
-
Editing ACLs manually: for each permission you can enter an Organization ID (can be found in IAM section).
Note: editing the ACLs manually will remove the Quick ACL previously set.
From a command line cool
We assume for this example that you are using s3cmd.
The setacl
command modifies the ACLs.
You can then use the following options:
--acl-public
--acl-private
--acl-grant=PERMISSION:ORGANIZATION_ID
orUSER_CANONICAL_ID
$ s3cmd setacl --acl-public s3://<bucket>/<object>
s3://<bucket>/<object>: ACL set to Public [1 of 1]
View ACLs
From the Portal
To view the ACL associated with an object, need the object:
* Select the Storage
section from the main navigation
* Navigate to your object
* click on the Edit
icon for the object.
From command line tool
We assume you are using s3cmd.
The info
command will return information on an object, including its ACLs.
$ s3cmd info s3://<bucket>/<object>/
s3://<bucket>/<object>/ (object):
File size: 0
Last mod: Mon, 02 Nov 2015 13:37:00 UTC
MIME type: application/binary
MD5 sum: d41d8cd98f00b204e9800998ecf8427e
SSE: none
policy: none
cors: <?xml version="1.0" encoding="UTF-8"?><CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"></CORSConfiguration>
ACL: owner@domain.tld: FULL_CONTROL
ACL: *anon*: READ
Here the object is readable by anyone, and the owner has FULL_CONTROL.
Delete an ACL
From the Portal
To delete the ACL associated with an Object, edit the object:
* Select the Storage
section from the main navigation
* Navigate to the object
* click on the Edit
icon of the object.
Then click on the Quick ACL
menu and choose Private
. This will revert to
the default settings.
If you need to delete a specific entry, you have to use the Manual Edit
button which lets you specify all fields.
Canned ACLs
For buckets
- private
- public-read
- public-read-write
- authenticated-read
For files/folders
- private
- public-read
- public-read-write
- authenticated-read
- bucket-owner-read
- bucket-owner-full-control