S3 Buckets and ACLs

Posted on May 5, 2020 S3 Cloud Storage

Access Control List with Netdepot Object Storage

    Our Object Storage allows for granting different levels of access to object or bucket resources. This makes it possible to open some objects or buckets for public access and leave the rest private, or to allow other users to access them.

    We will cover the following topics in this guide:

    Canned ACLs for objects and buckets

    ACLs for versioned objects

    User-based ACLs

    JSON-based ACLs

    Canned ACLs for objects and buckets

    Canned ACLs are predefined sets of permissions that can be applied to a bucket or an object. One of the following canned ACLs can be applied:

– private

– public-read

– public-read-write

– authenticated-read

– aws-exec-read

– bucket-owner-read

– bucket-owner-full-control

    The public read-only access to a bucket can be allowed with the public-read canned ACL:

        aws s3api put-bucket-acl --endpoint=https://us-east-1-s3.netdepot.com --bucket example-bucket --acl public-read

    NOTE

    When permissions (ACLs) are applied to a bucket, they are not automatically applied to the existing objects; the ACL has to be set on every existing object whose permissions need to change. Newly created objects inherit permissions from the bucket.

    The public read-only access to an object can be allowed with the following command:

        aws s3api put-object-acl --endpoint=https://us-east-1-s3.netdepot.com --bucket example-bucket --key example.txt --acl public-read

    That allows anyone to read the object at the link:

        http(s)://{bucket-name}.{s3-endpoint}/{object-name}
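    As an added check that is not part of the original guide: the Python below reads the JSON that get-bucket-acl / get-object-acl print and names the canned ACL the group grants amount to, so a bucket or object that was made public can be spotted from its ACL rather than by trying the public link. The sample ACL documents are constructed to match the outputs shown later in this guide; the AllUsers group URI appears on this page, while the AuthenticatedUsers group URI is assumed to be the standard S3 one.

```python
import json

# Predefined group URIs used in S3-style ACL grants. A grant to AllUsers is
# what public-read / public-read-write produce; a grant to AuthenticatedUsers
# is what authenticated-read produces (the latter URI is assumed, standard S3).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample, shaped like the `aws s3api get-object-acl` output for an
# object that was given the public-read canned ACL.
SAMPLE_PUBLIC_READ_ACL = """{
  "Owner": {"DisplayName": "bucket-owner", "ID": "bucket-owner"},
  "Grants": [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"DisplayName": "bucket-owner", "ID": "bucket-owner",
                 "Type": "CanonicalUser"},
     "Permission": "FULL_CONTROL"}
  ]
}"""

# Constructed sample: the same object with only the owner's grant (private).
SAMPLE_PRIVATE_ACL = """{
  "Owner": {"DisplayName": "bucket-owner", "ID": "bucket-owner"},
  "Grants": [
    {"Grantee": {"DisplayName": "bucket-owner", "ID": "bucket-owner",
                 "Type": "CanonicalUser"},
     "Permission": "FULL_CONTROL"}
  ]
}"""


def group_permissions(acl_json):
    """Map each predefined-group grantee to the sorted permissions it holds.

    Returns e.g. {"AllUsers": ["READ"]}; an empty dict means no grant reaches
    beyond individually named accounts.
    """
    acl = json.loads(acl_json)
    exposure = {}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI", "")
        label = {ALL_USERS: "AllUsers",
                 AUTHENTICATED_USERS: "AuthenticatedUsers"}.get(uri, uri)
        exposure.setdefault(label, set()).add(grant.get("Permission"))
    return {label: sorted(perms) for label, perms in exposure.items()}


def is_public(acl_json):
    """True if anonymous (AllUsers) access of any kind is granted."""
    return "AllUsers" in group_permissions(acl_json)


def effective_canned_acl(acl_json):
    """Name the canned ACL the group grants correspond to, or 'custom'."""
    exposure = group_permissions(acl_json)
    if not exposure:
        return "private"
    if set(exposure) == {"AllUsers"}:
        if exposure["AllUsers"] == ["READ"]:
            return "public-read"
        if exposure["AllUsers"] == ["READ", "WRITE"]:
            return "public-read-write"
    if set(exposure) == {"AuthenticatedUsers"} and exposure["AuthenticatedUsers"] == ["READ"]:
        return "authenticated-read"
    return "custom"


def audit(acl_json, label):
    """Print a one-line verdict for a bucket or object and return it."""
    verdict = effective_canned_acl(acl_json)
    print(f"{label}: {verdict} (public: {is_public(acl_json)})")
    return verdict


if __name__ == "__main__":
    audit(SAMPLE_PUBLIC_READ_ACL, "example.txt (latest version)")
    audit(SAMPLE_PRIVATE_ACL, "example.txt (older version)")
```

    In practice the JSON would come from the get-object-acl / get-bucket-acl commands in this guide, run per bucket and, for versioned buckets, per version id; the verdict "custom" simply means the grants do not match one of the listed canned ACLs and deserve a closer look.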

    ACLs for versioned objects

    NOTE

    If a bucket has versioning enabled, ACLs are applied to the latest version of the object. The old versions of the object keep their permissions unchanged. Newly uploaded versions of an object inherit permissions from the version that was latest before the upload.

    If our object example.txt has a few versions, the previous command changed the permissions of the latest version only; the previous versions of the object keep their permissions unchanged. You can check this by following the steps outlined below.

    1. We need to get a list of versions for our object first:

        aws s3api list-object-versions --endpoint=https://us-east-1-s3.netdepot.com --bucket example-bucket --prefix example.txt

    2. Then we can get the permissions for the latest version of the file:

        aws s3api get-object-acl --endpoint=https://us-east-1-s3.netdepot.com --bucket example-bucket --key example.txt

        {
            "Owner": {
                "DisplayName": "bucket-owner",
                "ID": "bucket-owner"
            },
            "Grants": [
                {
                    "Grantee": {
                        "Type": "Group",
                        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
                    },
                    "Permission": "READ"
                },
                {
                    "Grantee": {
                        "DisplayName": "bucket-owner",
                        "ID": "bucket-owner",
                        "Type": "CanonicalUser"
                    },
                    "Permission": "FULL_CONTROL"
                }
            ]
        }

    3. Permissions of the object for a specific version can be verified with the command:

        aws s3api get-object-acl --endpoint=https://us-east-1-s3.netdepot.com --bucket example-bucket --key example.txt --version-id={VERSION_ID}

        {
            "Owner": {
                "DisplayName": "bucket-owner",
                "ID": "bucket-owner"
            },
            "Grants": [
                {
                    "Grantee": {
                        "DisplayName": "bucket-owner",
                        "ID": "bucket-owner",
                        "Type": "CanonicalUser"
                    },
                    "Permission": "FULL_CONTROL"
                }
            ]
        }

    To change the permissions of a specific version of an object, the version id must be specified with the --version-id parameter. In the example below, public read access is applied to one of the versions of the object:

        aws s3api put-object-acl --endpoint=https://us-east-1-s3.netdepot.com --bucket example-bucket --key example.txt --version-id={VERSION_ID} --acl public-read

    User-based ACLs

    ACLs are very useful when access needs to be opened to user(s) other than the bucket's or object's owner.

    First you need to retrieve the owner of the bucket. The owner ID is required because it is used in the commands granting access to buckets and objects.

    NOTE

    If the owner ID is not included in the list of users who are allowed to access the object or bucket, the owner loses its permissions on them. It will still be able to change the ACLs of the object or the bucket, though.

        aws s3api get-bucket-acl --endpoint=https://us-east-1-s3.netdepot.com --bucket example-bucket

    The command returns output similar to the following:

        {
            "Owner": {
                "DisplayName": "bucket-owner",
                "ID": "bucket-owner"
            },
            "Grants": [
                {
                    "Grantee": {
                        "DisplayName": "bucket-owner",
                        "ID": "bucket-owner",
                        "Type": "CanonicalUser"
                    },
                    "Permission": "FULL_CONTROL"
                }
            ]
        }

    After you have retrieved the owner ID you can grant permissions to additional users:

        aws s3api put-bucket-acl --endpoint=https://us-east-1-s3.netdepot.com --bucket example-bucket --grant-full-control id=bucket-owner --grant-read id=example-id

    Permissions can also be granted by specifying the e-mail address of the user:

        aws s3api put-bucket-acl --endpoint=https://us-east-1-s3.netdepot.com --bucket example-bucket --grant-full-control id=bucket-owner --grant-read emailaddress=example-id@example.com

    JSON-based ACLs

    The other option is to create a JSON structure with the format outlined below and pass it to the command:

        {
            "Grants": [
                {
                    "Grantee": {
                        "DisplayName": "string",
                        "EmailAddress": "string",
                        "ID": "string",
                        "Type": "CanonicalUser"|"AmazonCustomerByEmail"|"Group",
                        "URI": "string"
                    },
                    "Permission": "FULL_CONTROL"|"WRITE"|"WRITE_ACP"|"READ"|"READ_ACP"
                }
            ],
            "Owner": {
                "DisplayName": "string",
                "ID": "string"
            }
        }
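    Because a hand-written acl.json that forgets the owner's own grant strips the owner of access (see the NOTE in the user-based section above), it is safer to generate the file. The Python below is an added example and not part of this guide or the Netdepot tooling: it validates grants against the Type and Permission enumerations in the structure above, forces a FULL_CONTROL grant for the owner, and writes the result to acl.json. The IDs and e-mail address are the constructed example values used elsewhere on this page; the grantee field each Type requires (ID, EmailAddress, URI) follows the S3 ACL model and is an assumption.

```python
import json

# Enumerations from the access-control-policy format described above.
GRANTEE_TYPES = ("CanonicalUser", "AmazonCustomerByEmail", "Group")
PERMISSIONS = ("FULL_CONTROL", "WRITE", "WRITE_ACP", "READ", "READ_ACP")
# The identifier field each grantee type has to carry (assumed, S3 ACL model).
REQUIRED_FIELD = {"CanonicalUser": "ID",
                  "AmazonCustomerByEmail": "EmailAddress",
                  "Group": "URI"}


def user_grant(user_id, permission="READ", display_name=None):
    """Grant to an account identified by its ID (CanonicalUser)."""
    grantee = {"Type": "CanonicalUser", "ID": user_id}
    if display_name:
        grantee["DisplayName"] = display_name
    return {"Grantee": grantee, "Permission": permission}


def email_grant(email, permission="READ"):
    """Grant to an account identified by e-mail (AmazonCustomerByEmail)."""
    return {"Grantee": {"Type": "AmazonCustomerByEmail", "EmailAddress": email},
            "Permission": permission}


def validate_grant(grant):
    """Raise ValueError if a grant does not fit the documented format."""
    grantee = grant.get("Grantee", {})
    gtype = grantee.get("Type")
    if gtype not in GRANTEE_TYPES:
        raise ValueError(f"unknown grantee Type: {gtype!r}")
    field = REQUIRED_FIELD[gtype]
    if not grantee.get(field):
        raise ValueError(f"{gtype} grantee needs a non-empty {field}")
    if grant.get("Permission") not in PERMISSIONS:
        raise ValueError(f"unknown Permission: {grant.get('Permission')!r}")


def owner_keeps_full_control(policy):
    """True if the policy's Owner is granted FULL_CONTROL by ID."""
    owner_id = policy["Owner"]["ID"]
    return any(g["Grantee"].get("Type") == "CanonicalUser"
               and g["Grantee"].get("ID") == owner_id
               and g["Permission"] == "FULL_CONTROL"
               for g in policy["Grants"])


def build_policy(owner_id, grants, owner_display_name=None):
    """Assemble a complete policy. The owner's FULL_CONTROL grant is added up
    front when it is missing, so applying the file cannot lock the owner out."""
    for grant in grants:
        validate_grant(grant)
    owner = {"ID": owner_id}
    if owner_display_name:
        owner["DisplayName"] = owner_display_name
    policy = {"Owner": owner, "Grants": list(grants)}
    if not owner_keeps_full_control(policy):
        policy["Grants"].insert(
            0, user_grant(owner_id, "FULL_CONTROL", owner_display_name))
    return policy


def write_policy(policy, path="acl.json"):
    """Write the policy as the acl.json file the next step expects."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)
    return path


if __name__ == "__main__":
    # Constructed values matching this guide's examples: the bucket owner plus
    # one account granted READ by ID and one granted READ by e-mail.
    policy = build_policy("bucket-owner",
                          [user_grant("example-id"),
                           email_grant("example-id@example.com")],
                          owner_display_name="bucket-owner")
    print(json.dumps(policy, indent=2))
    write_policy(policy)
```

    The generated file is passed to put-bucket-acl or put-object-acl through the aws CLI's --access-control-policy file://acl.json parameter (a standard aws CLI option, not shown on this page). Running owner_keeps_full_control() on the JSON returned by get-bucket-acl afterwards confirms the owner grant survived.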

    1. First we create the acl.json file and put the following lines into it:

        {
            "Owner": {
                "DisplayName": "bucket-owner",
                "ID": "bucket-owner"
            },
            "Grants": [
                {
                    "Grantee": {
                        "DisplayName": "bucket-owner",
                        "ID": "bucket-owner",
                        "Type": "CanonicalUser"
                    },
