Set Access Control List (ACL) Permissions on an Object


Before setting ACL permissions, we recommend you read Managing S3 Access Control Lists (ACLs).

The put_object_acl() method sets the permissions on an object using access control lists (ACL).

Syntax Notes

To grant permission to a user, specify the grantee with the following parameters:

  • For users on external providers only (for example, Active Directory or LDAP) pass:

    • The EmailAddress parameter and provide the user's principal name in the format user@domain, where user is the user name and domain is configured for an external auth provider on the cluster (LDAP, NIS).

    • The Type parameter and provide AmazonCustomerByEmail as its value.

  • For any users (including users on the local provider), pass:

    • The ID parameter and provide the user's VID as its value.

      Tip

      A VID is a VAST ID used in the cluster's internal user database. A user VID is retrievable by running the user query VAST CLI command and specifying udb as the context of the query. The output includes the user's VID.

    • The Type parameter and provide CanonicalUser as its value.

To grant permission to a group, specify the grantee as follows:

  • For groups on external providers only (for example, Active Directory or LDAP), pass:

    • The EmailAddress parameter and provide the group in the format group@domain, where group is the group name and domain is configured for an external auth provider on the cluster (LDAP, NIS).

    • The Type parameter and provide GroupLoginName as its value.

  • For any groups (including groups on the local provider), pass:

    • The ID parameter and provide the group's VID as its value.

      Tip

      A VID is a VAST ID used in the cluster's internal user database. A group VID can be retrieved by running the group query VAST CLI command and specifying udb as the context of the query. The output includes the group's VID.

    • The Type parameter and provide CanonicalUser as its value.

To grant permission to a predefined group, specify Group as the 'Type' and pass the group's URI as the 'URI':

  • For the All Users group: 'http://acs.amazonaws.com/groups/global/AllUsers'

  • For the Authenticated Users group: 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'

Examples

In this example, a user with VID 3 is granted full control permission to the object my_object in the bucket my_bucket owned by JDoe whose VID is 2.

import boto3

# The endpoint URL is a placeholder; point it at your cluster's S3 endpoint.
client = boto3.client('s3', endpoint_url='https://S3_ENDPOINT_PLACEHOLDER')

response = client.put_object_acl(
    AccessControlPolicy={
        'Grants': [
            {
                'Grantee': {
                    'ID': '3',
                    'Type': 'CanonicalUser',
                },
                'Permission': 'FULL_CONTROL'
            },
        ],
        'Owner': {
            'DisplayName': 'JDoe',
            'ID': '2'
        }
    },
    Bucket='my_bucket',
    Key='my_object',
)

In this example, the predefined AUTHENTICATED_USERS group is granted WRITE permission to the object my_object in the bucket my_bucket owned by JDoe whose VID is 2.

response = client.put_object_acl(
    AccessControlPolicy={
        'Grants': [
            {
                'Grantee': {
                    'Type': 'Group',
                    'URI': 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
                },
                'Permission': 'WRITE'
            },
        ],
        'Owner': {
            'DisplayName': 'JDoe',
            'ID': '2'
        }
    },
    Bucket='my_bucket',
    Key='my_object',
)