Bootstrap FreeKB - Amazon Web Services (AWS) - Update S3 Bucket Object Access Control List (ACL) using the AWS CLI
Amazon Web Services (AWS) - Update S3 Bucket Object Access Control List (ACL) using the AWS CLI


This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

The aws s3api get-bucket-ownership-controls command can be used to determine if your S3 Bucket is.

  • BucketOwnerEnforced - only the owner of the S3 Bucket can list/read/write files in the S3 Bucket
  • BucketOwnerPreferred - objects added to the S3 Bucket will be owned by the user adding the object to the S3 Bucket, however, if the Bucket Owner is set when uploading objects to the S3 Bucket, then the object will be owned by the Bucket Owner
  • ObjectWriter - objects added to the S3 Bucket will be owned by the user adding the object to the S3 Bucket
~]$ aws s3api get-bucket-ownership-controls --bucket my-bucket-abc123
{
    "OwnershipControls": {
        "Rules": [
            {
                "ObjectOwnership": "BucketOwnerEnforced"
            }
        ]
    }
}

 

The aws s3api put-bucket-ownership-controls command can be used to set the S3 Bucket Ownership Control.

aws s3api put-bucket-ownership-controls \
--bucket my-bucket-abc123 \
--ownership-controls="Rules=[{ObjectOwnership=BucketOwnerPreferred}]"

 

If the Ownership Control is set to BucketOwnerEnforced, then the Access Control List (ACLs) cannot be changed (notice the Edit button is greyed out) and instead, the expectation is to use S3 Bucket Policies Instead.

 

If the Ownership Control is set to BucketOwnerPreferred or ObjectWriter, then the Access Control List (ACLs) can be set.

 

And the objects in the S3 Bucket will inherit the Ownership Control. In this example, index.html in the S3 Bucket inherited the Access Control List (ACL) from the S3 Bucket Ownership Control.

 

There are two similar (but unique) commands.

  • aws s3api get-bucket-acl - to get the Access Control List (ACL) of the entire S3 Bucket
  • aws s3api get-object-acl - to get the Access Control List (ACL) of a specific object in the S3 Bucket

By default, an S3 Bucket ACL will be set so that the Bucket Owner and list/read/write. This can also be seen with the aws s3api get-bucket-acl command.

The following permissions can be used:

  • FULL_CONTROL
  • READ
  • READ_ACP
  • WRITE
  • WRITE_ACP
~]$ aws s3api get-bucket-acl --bucket my-bucket-abc123
{
    "Owner": {
        "DisplayName": "john.doe",
        "ID": "ab0e0a12345678903a77c82240d5cb3fc41ff11cc312345678977a5f8e743743"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "john.doe",
                "ID": "ab0e0a12345678903a77c82240d5cb3fc41ff11cc312345678977a5f8e743743",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}

 

And likewise, each object in the S3 Bucket will inherit the Access Control List (ACL) from the S3 Bucket Ownership Control. The aws s3api get-object-acl command can be used to return the Access Control List (ACL) of a specific object in the S3 Bucket.

~]$ aws s3api get-object-acl --bucket my-bucket-abc123 --key index.html
{
    "Owner": {
        "DisplayName": "john.doe",
        "ID": "ab0e0a12345678903a77c82240d5cb3fc41ff11cc312345678977a5f8e743743"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "john.doe",
                "ID": "ab0e0a12345678903a77c82240d5cb3fc41ff11cc312345678977a5f8e743743",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}

 

The aws s3api put-object-acl command can be used to update the Access Control List (ACL) of a specific object in the S3 Bucket. Almost always, you are going to want to use --grant-full-control followed by the canonical ID of the user that already has read/write access to the object in the S3 Bucket and then also list another grant such as --grant-read to AllUsers.

aws s3api put-object-acl \
--bucket my-bucket-abc123 \
--key index.html \
--grant-full-control id=ab0e0a12345678903a77c82240d5cb3fc41ff11cc312345678977a5f8e743743 \
--grant-read uri=http://acs.amazonaws.com/groups/global/AllUsers

 

And now the aws s3api get-object-acl command should include the additional grant.

~]$ aws s3api get-object-acl --bucket my-bucket-abc123 --key index.html                                                                                                                            {
    "Owner": {
        "DisplayName": "john.doe",
        "ID": "ab0e0a12345678903a77c82240d5cb3fc41ff11cc312345678977a5f8e743743"
    },
    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ"
        },
        {
            "Grantee": {
                "DisplayName": "john.doe",
                "ID": "ab0e0a12345678903a77c82240d5cb3fc41ff11cc312345678977a5f8e743743",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}

 

Likewise, in the AWS S3 Bucket console, the object should now have the Read ACL for AllUsers.

 

 




Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee



Comments


Add a Comment


Please enter 736fe2 in the box below so that we can be sure you are a human.