Set Access Control List (ACL) Permissions on an Object

Before setting ACL permissions, we recommend you read Managing S3 Access Control Lists (ACLs).

The put_object_acl() method sets the permissions on an object using access control lists (ACL).

Syntax Notes

To grant permission to a user, specify the grantee with the following parameters:

  • For users on external providers only (for example, Active Directory or LDAP) pass:

    • The EmailAddress parameter and provide the user's principal name in the format user@domain, where user is the user name and domain is configured for an external auth provider on the cluster (LDAP, NIS).

    • The Type parameter and provide AmazonCustomerByEmail as its value.

  • For any users (including users on the local provider), pass:

    • The ID parameter and provide the user's VID as its value.

      Tip

      A VID is a VAST ID used in the cluster's internal user database. A user VID is retrievable by running the user query VAST CLI command and specifying udb as the context of the query. The output includes the user's VID.

    • The Type parameter and provide CanonicalUser as its value.

To grant permission to a predefined group, specify Group as the 'Type' and pass the group's URI as the 'URI':

  • For the All Users group: 'http://acs.amazonaws.com/groups/global/AllUsers'

  • For the Authenticated Users group: 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'

Examples

In this example, a user with VID 3 is granted full control permission to the object my_object in the bucket my_bucket owned by JDoe whose VID is 2.

response = client.put_object_acl(
    AccessControlPolicy={
        'Grants': [
            {
                'Grantee': {
                    'ID': '3',
                    'Type': 'CanonicalUser',
                },
                'Permission': 'FULL_CONTROL'
            },
        ],
        'Owner': {
            'DisplayName': 'JDoe',
            'ID': '2'
        }
    },
    Bucket='my_bucket',
    Key='my_object',
)

In this example, the predefined AUTHENTICATED_USERS group is granted WRITE permission to the object my_object in the bucket my_bucket owned by JDoe whose VID is 2.

response = client.put_object_acl(
    AccessControlPolicy={
        'Grants': [
            {
                'Grantee': {
                    'Type': 'Group',
                    'URI': 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
                },
                'Permission': 'WRITE'
            },
        ],
        'Owner': {
            'DisplayName': 'JDoe',
            'ID': '2'
        }
    },
    Bucket='my_bucket',
    Key='my_object',
)
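
The grantee forms from the Syntax Notes can be built and checked before the ACL is sent. The following is an added example, not code from VAST or boto3: the helper names (make_grantee, build_policy, broad_grants), the address asmith@example.com and the READ grant are assumptions made for illustration. It builds an AccessControlPolicy from the three grantee forms and lists every grant to a predefined group so it can be reviewed first.

```python
# Added example: helper names are hypothetical, not part of boto3 or VAST.
GROUP_URIS = {
    "AllUsers": "http://acs.amazonaws.com/groups/global/AllUsers",
    "AuthenticatedUsers": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def make_grantee(*, vid=None, email=None, group=None):
    """Build one Grantee dict using exactly one of the forms in Syntax Notes."""
    if sum(v is not None for v in (vid, email, group)) != 1:
        raise ValueError("pass exactly one of vid, email, group")
    if vid is not None:                      # any user, by VID
        return {"ID": str(vid), "Type": "CanonicalUser"}
    if email is not None:                    # external-provider user, user@domain
        user, sep, domain = email.partition("@")
        if not (user and sep and domain):
            raise ValueError("EmailAddress must be in the format user@domain")
        return {"EmailAddress": email, "Type": "AmazonCustomerByEmail"}
    if group not in GROUP_URIS:              # predefined group, by URI
        raise ValueError(f"unknown predefined group: {group}")
    return {"Type": "Group", "URI": GROUP_URIS[group]}

def build_policy(owner_vid, owner_name, grants):
    """grants is a list of (grantee_dict, permission) pairs."""
    return {
        "Grants": [{"Grantee": g, "Permission": p} for g, p in grants],
        "Owner": {"DisplayName": owner_name, "ID": str(owner_vid)},
    }

def broad_grants(policy):
    """Return (group_name, permission) for each grant to a predefined group."""
    by_uri = {uri: name for name, uri in GROUP_URIS.items()}
    return [
        (by_uri[g["Grantee"]["URI"]], g["Permission"])
        for g in policy["Grants"]
        if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in by_uri
    ]

# Constructed sample input: owner JDoe (VID 2) with one grant of each form.
policy = build_policy(2, "JDoe", [
    (make_grantee(vid=3), "FULL_CONTROL"),
    (make_grantee(email="asmith@example.com"), "READ"),
    (make_grantee(group="AuthenticatedUsers"), "WRITE"),
])
# After review, pass the result as
# client.put_object_acl(AccessControlPolicy=policy, Bucket='my_bucket', Key='my_object')
```

An empty result from broad_grants(policy) means the policy names only individual users.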