With Access Control Lists (ACLs), you can define specific permissions at the bucket level and single object level for a granular access policy. ACLs are not inherited from parent objects.

ACLs let you manage access to buckets and objects with read, write, read ACP, write ACP, and full control (read + write) rights. You can make your objects accessible by their public URL, your buckets writable by your team, and so on.

When you add an object (bucket, file, folder), you are the owner will always have FULL_CONTROL of the object.

Restricting API operations to a bucket

If you need to restrict API access to a certain bucket, such as issuing an API key allowed to only list or write objects on a single bucket, see IAM.

Add an ACL

From the Exoscale Portal

Select the Storage section from the main navigation on the left to display the list of your buckets.

click on on the Edit icon for your object. You are presented with the ACLs for your object.

You have two ways of adding ACLs:

  • Using the Quick AC* menu: these are presets for commonly used ACLs, known as “canned ACLs”. For example, setting a file available for Public Read; see the list below.

  • Editing ACLs manually: for each permission you can enter an Organization ID (can be found in IAM section).

Note: editing the ACLs manually will remove the Quick ACL previously set.

From a command line cool

We assume for this example that you are using s3cmd.

The setacl command modifies the ACLs.

You can then use the following options:

  • --acl-public
  • --acl-private
  • --acl-grant=PERMISSION:ORGANIZATION_ID or USER_CANONICAL_ID
$ s3cmd setacl --acl-public  s3://<bucket>/<object>
s3://<bucket>/<object>: ACL set to Public  [1 of 1]

View ACLs

From the Portal

To view the ACL associated with an object, need the object: * Select the Storage section from the main navigation * Navigate to your object * click on the Edit icon for the object.

From command line tool

We assume you are using s3cmd.

The info command will return information on an object, including its ACLs.

$ s3cmd info s3://<bucket>/<object>/
s3://<bucket>/<object>/ (object):
   File size: 0
   Last mod:  Mon, 02 Nov 2015 13:37:00 UTC
   MIME type: application/binary
   MD5 sum:   d41d8cd98f00b204e9800998ecf8427e
   SSE:       none
   policy:    none
   cors:      <?xml version="1.0" encoding="UTF-8"?><CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"></CORSConfiguration>
   ACL:       owner@domain.tld: FULL_CONTROL
   ACL:       *anon*: READ

Here the object is readable by anyone, and the owner has FULL_CONTROL.

Delete an ACL

From the Portal

To delete the ACL associated with an Object, edit the object: * Select the Storage section from the main navigation * Navigate to the object * click on the Edit icon of the object.

Then click on the Quick ACL menu and choose Private. This will revert to the default settings.

If you need to delete a specific entry, you have to use the Manual Edit button which lets you specify all fields.

Canned ACLs

For buckets

  • private
  • public-read
  • public-read-write
  • authenticated-read

For files/folders

  • private
  • public-read
  • public-read-write
  • authenticated-read
  • bucket-owner-read
  • bucket-owner-full-control