Posted on May 5, 2020
S3 Cloud Storage
Access Control List with Netdepot Object Storage
Our Object Storage allows for granting different level of access to object or bucket resources. This makes it possible to open some objects or buckets for public access and leave the rest private or allow other users to access them.
We will cover the following topics in this guide:
Canned ACL’s for objects and buckets
ACL’s for versioned objects
User based ACL’s
JSON based ACL’s
Canned ACL’s can be used to set access permissions to an object. One of the following canned ACL’s can be applied to an object
– private
– public-read
– public-read-write
– authenticated-read
– aws-exec-read
– bucket-owner-read
– bucket-owner-full-control
The public read-only access to a bucket can be allowed with public-read canned ACL:
aws s3api put-bucket-acl –endpoint=https://us-east-1-s3.netdepot.com –bucket example-bucket –acl public-read
NOTE
When permissions (ACL’s) are applied to a bucket, they will not be automatically applied to the existing objects and it requires the ACL’s to be set for every existing object which need to have the permissions changed. Newly created objects inherit permissions from the bucket.
The public read-only access to an object can be allowed with the following command:
aws s3api put-object-acl –endpoint=https://us-east-1-s3.netdepot.com –bucket example-bucket –key example.txt –acl public-read
That would allow public access of an object file at the link:
http(s)://{bucket-name}.{s3-endpoint}/{object-name}
NOTE
If a bucket has versioning enabled, ACL’s are applied to the latest version of the object. The old versions of the object will have their permissions unchanged. Newly uploaded versions of the objects will inherit permissions from the previous last version.
If our object example.txt has a few versions and the previous command changed the permissions of the latest version only, the previous versions of the object will not have their permissions changed. You can check it following the steps outlined below.
aws s3api list-object-versions –endpoint=https://us-east-1-s3.netdepot.com –bucket example-bucket –prefix example.txt
aws s3api get-object-acl –endpoint=https://us-east-1-s3.netdepot.com –bucket example-bucket –key example.txt
{
“Owner”: {
“DisplayName”: “bucket-owner”,
“ID”: “bucket-owner”
},
“Grants”: [
{
“Grantee”: {
“Type”: “Group”,
“URI”: “http://acs.amazonaws.com/groups/global/AllUsers”
},
“Permission”: “READ”
},
{
“Grantee”: {
“DisplayName”: “bucket-owner”,
“ID”: “bucket-owner”,
“Type”: “CanonicalUser”
},
“Permission”: “FULL_CONTROL”
}
]
}
aws s3api get-object-acl –endpoint=https://us-east-1-s3.netdepot.com –bucket example-bucket –key example.txt –version-id={VERSION_ID}
{
“Owner”: {
“DisplayName”: “bucket-owner”,
“ID”: “bucket-owner”
},
“Grants”: [
{
“Grantee”: {
“DisplayName”: “bucket-owner”,
“ID”: “bucket-owner”,
“Type”: “CanonicalUser”
},
“Permission”: “FULL_CONTROL”
}
]
}
To change the permission of a specific version of an object the version id must be specified with –version-id parameter. In the below example public read access is applied to one of the versions of the object:
aws s3api put-object-acl –endpoint=https://us-east-1-s3.netdepot.com –bucket example-bucket –key example.txt –version-id={VERSION_ID} –acl public-read
ACL’s might be very useful in circumstances when access need to be open to user(s) different from bucket’s or object’s owner.
First you would need to retrieve the owner of a bucket. It’s required to get the owner ID as it will be used in commands granting the access to buckets and objects.
NOTE
If owner ID is not specified in the list of users who are allowed to access the object or bucket, it will lose the permissions to them. But it will still have access to change ACL’s for the object or the bucket.
aws s3api get-bucket-acl –endpoint=https://us-east-1-s3.netdepot.com –bucket example-bucket
It would return the output similar to the outlined:
{
“Owner”: {
“DisplayName”: “bucket-owner”,
“ID”: “bucket-owner”
},
“Grants”: [
{
“Grantee”: {
“DisplayName”: “bucket-owner”,
“ID”: “bucket-owner”,
“Type”: “CanonicalUser”
},
“Permission”: “FULL_CONTROL”
}
]
}
After you have retrieved the owner ID you can grant permissions to additional users.
aws s3api put-bucket-acl –endpoint=https://us-east-1-s3.netdepot.com –bucket example-bucket –grant-full-control id=bucket-owner –grant-read id=example-id
Permissions can also be granted by specifying the e-mail address of the user:
aws s3api put-bucket-acl –endpoint=https://us-east-1-s3.netdepot.com –bucket example-bucket –grant-full-control id=bucket-owner –grant-read emailaddress=example-id@example.com
The other option is to create a JSON structure with the format outlined below and pass it to the command:
{
“Grants”: [
{
“Grantee”: {
“DisplayName”: “string”,
“EmailAddress”: “string”,
“ID”: “string”,
“Type”: “CanonicalUser”|”AmazonCustomerByEmail”|”Group”,
“URI”: “string”
},
“Permission”: “FULL_CONTROL”|”WRITE”|”WRITE_ACP”|”READ”|”READ_ACP”
}
…
],
“Owner”: {
“DisplayName”: “string”,
“ID”: “string”
}
}
1. First we create the acl.json file and put the following lines into it:
{
“Owner”: {
“DisplayName”: “bucket-owner”,
“ID”: “bucket-owner”
},
“Grants”: [
{
“Grantee”: {
“DisplayName”: “bucket-owner”,
“ID”: “bucket-owner”,
“Type”: “CanonicalUser”
},