Before setting ACL permissions, we recommend you read Managing S3 Access Control Lists (ACLs).
The put_bucket_acl() method sets the permissions on a bucket using access control lists (ACLs).
Syntax Notes
To grant permission to a user, specify the grantee with the following parameters:
- For users on external providers only (for example, Active Directory or LDAP), pass:
  - The EmailAddress parameter, set to the user's principal name in the format user@domain, where user is the user name and domain is configured for an external auth provider on the cluster (LDAP, NIS).
  - The Type parameter, set to AmazonCustomerByEmail.
- For any users (including users on the local provider), pass:
  - The ID parameter, set to the user's VID.
    Tip: A VID is a VAST ID used in the cluster's internal user database. To retrieve a user's VID, run the user query VAST CLI command and specify udb as the context of the query. The output includes the user's VID.
  - The Type parameter, set to CanonicalUser.
To grant permission to a group, specify the grantee as follows:
- For groups on external providers only (for example, Active Directory or LDAP), pass:
  - The EmailAddress parameter, set to the group in the format group@domain, where group is the group name and domain is configured for an external auth provider on the cluster (LDAP, NIS).
  - The Type parameter, set to GroupLoginName.
- For any groups (including groups on the local provider), pass:
  - The ID parameter, set to the group's VID.
    Tip: A VID is a VAST ID used in the cluster's internal user database. To retrieve a group's VID, run the group query VAST CLI command and specify udb as the context of the query. The output includes the group's VID.
  - The Type parameter, set to CanonicalUser.
To grant permission to a predefined group, specify Group as the 'Type' and pass the group's URI as the 'URI':
- For the All Users group: 'http://acs.amazonaws.com/groups/global/AllUsers'
- For the Authenticated Users group: 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
Examples
In this example, a user with VID 3 is granted full control permission to the bucket my_bucket owned by JDoe whose VID is 2.
response = s3_client.put_bucket_acl(
    AccessControlPolicy={
        'Grants': [
            {
                'Grantee': {
                    'ID': '54',
                    'Type': 'CanonicalUser',
                },
                'Permission': 'FULL_CONTROL'
            },
        ],
        'Owner': {
            'DisplayName': 'BSmith',
            'ID': '4'
        }
    },
    Bucket='BobsBucket',
)
In the following example, a group identified with an email address of mygroup@domain.com is granted WRITE permissions on the bucket BobsBucket.
response = s3_client.put_bucket_acl(
    AccessControlPolicy={
        'Grants': [
            {
                'Grantee': {
                    'Type': 'GroupLoginName',
                    'EmailAddress': 'mygroup@domain.com'
                },
                'Permission': 'WRITE'
            },
        ],
        'Owner': {
            'DisplayName': 'BSmith',
            'ID': '4'
        }
    },
    Bucket='BobsBucket',
)
In the following example, the Authenticated_Users group is granted READ permission on the bucket BobsBucket.
response = s3_client.put_bucket_acl(
    AccessControlPolicy={
        'Grants': [
            {
                'Grantee': {
                    'Type': 'Group',
                    'URI': 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
                },
                'Permission': 'READ'
            },
        ],
        'Owner': {
            'DisplayName': 'BSmith',
            'ID': '4'
        }
    },
    Bucket='BobsBucket',
)
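The grantee rules in the Syntax Notes can be checked before an AccessControlPolicy is sent, and grants to the two predefined groups can be flagged for review. The following is an added example, not code from the original page or from VAST; the audit_acl function, its severity labels and the sample policy are assumptions made for illustration, and the permission names are the standard S3 ACL permissions.

```python
# Added example: audit an AccessControlPolicy dict before calling put_bucket_acl.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Grantee Type -> the identifying field this page pairs with it.
REQUIRED_FIELD = {"CanonicalUser": "ID", "AmazonCustomerByEmail": "EmailAddress",
                  "GroupLoginName": "EmailAddress", "Group": "URI"}
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def audit_acl(policy):
    """Return (severity, grant_index, message) findings for a policy dict."""
    findings = []
    for i, grant in enumerate(policy.get("Grants", [])):
        grantee, perm = grant.get("Grantee", {}), grant.get("Permission")
        gtype = grantee.get("Type")
        field = REQUIRED_FIELD.get(gtype)
        if field is None:
            findings.append(("error", i, f"unknown grantee Type {gtype!r}"))
            continue
        value = grantee.get(field)
        if not value:
            findings.append(("error", i, f"{gtype} grantee is missing {field}"))
            continue
        if field == "EmailAddress":
            # The page requires name@domain for external-provider grantees.
            name, _, domain = value.partition("@")
            if not name or not domain or "@" in domain:
                findings.append(("error", i, f"{value!r} is not in name@domain form"))
        if gtype == "Group":
            if value not in (ALL_USERS, AUTH_USERS):
                findings.append(("warn", i, f"{value!r} is not a predefined group URI"))
            else:
                who = "All Users" if value == ALL_USERS else "Authenticated Users"
                sev = "high" if perm in WRITE_LIKE else "warn"
                findings.append((sev, i, f"{perm} granted to the {who} group"))
    return findings


SAMPLE_POLICY = {  # constructed input, not taken from a real cluster
    "Owner": {"DisplayName": "BSmith", "ID": "4"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "54"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "GroupLoginName", "EmailAddress": "mygroup"}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "CanonicalUser", "EmailAddress": "u@domain.com"}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print(*audit_acl(SAMPLE_POLICY), sep="\n")
```

The response of boto3's get_bucket_acl carries Owner and Grants keys in the same shape, so an existing bucket's ACL can be passed to the same function.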