Before setting ACL permissions, we recommend you read Managing S3 Access Control Lists (ACLs).
The put_bucket_acl() method sets the permissions on a bucket using access control lists (ACL).
Syntax Notes
To grant permission to a user, specify the grantee with the following parameters:
- For users on external providers only (for example, Active Directory or LDAP) pass:
  - The EmailAddress parameter and provide the user's principal name in the format user@domain, where user is the user name and domain is configured for an external auth provider on the cluster (LDAP, NIS).
  - The Type parameter and provide AmazonCustomerByEmail as its value.
- For any users (including users on the local provider), pass:
  - The ID parameter and provide the user's VID as its value.
    Tip: A VID is a VAST ID used in the cluster's internal user database. A user VID is retrievable by running the user query VAST CLI command and specifying udb as the context of the query. The output includes the user's VID.
  - The Type parameter and provide CanonicalUser as its value.
To grant permission to a predefined group, specify Group as the 'Type' and pass the group's URI as the 'URI':
- For the All Users group: 'http://acs.amazonaws.com/groups/global/AllUsers'
- For the Authenticated Users group: 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
Examples
In this example, a user with VID 3 is granted full control permission to the bucket my_bucket owned by JDoe whose VID is 2.
response = s3_client.put_bucket_acl(
    AccessControlPolicy={
        'Grants': [
            {
                'Grantee': {
                    'ID': '54',
                    'Type': 'CanonicalUser',
                },
                'Permission': 'FULL_CONTROL'
            },
        ],
        'Owner': {
            'DisplayName': 'BSmith',
            'ID': '4'
        }
    },
    Bucket='BobsBucket',
)
In the following example, the Authenticated Users group is granted READ permission on the bucket BobsBucket.
response = s3_client.put_bucket_acl(
    AccessControlPolicy={
        'Grants': [
            {
                'Grantee': {
                    'Type': 'Group',
                    'URI': 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
                },
                'Permission': 'READ'
            },
        ],
        'Owner': {
            'DisplayName': 'BSmith',
            'ID': '4'
        }
    },
    Bucket='BobsBucket',
)
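A pre-flight check for the grantee rules in the syntax notes, as an added example that is not part of the original page or VAST's own code: it verifies that each Grantee carries the key its Type requires and lists grants to the predefined groups for review before the policy is passed to put_bucket_acl(). The function names (check_grantee, review_policy) and the sample policy are constructed for illustration.

```python
# Added example, not VAST code. Type values and group URIs are the ones on this page.
ALL_USERS = 'http://acs.amazonaws.com/groups/global/AllUsers'
AUTHENTICATED_USERS = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
GROUPS = (ALL_USERS, AUTHENTICATED_USERS)
# Identifying key each grantee Type must carry, per the syntax notes.
REQUIRED_KEY = {
    'CanonicalUser': 'ID',                    # VID; any user
    'AmazonCustomerByEmail': 'EmailAddress',  # user@domain; external providers only
    'Group': 'URI',                           # predefined group
}


def check_grantee(grantee):
    """Return a list of problems with one Grantee dict (empty list means OK)."""
    gtype = grantee.get('Type')
    if gtype not in REQUIRED_KEY:
        return [f'unknown or missing Type: {gtype!r}']
    key = REQUIRED_KEY[gtype]
    value = grantee.get(key)
    problems = [] if value else [f'{gtype} grantee requires {key}']
    for other in sorted(set(REQUIRED_KEY.values()) - {key}):
        if other in grantee:  # key that belongs to a different Type
            problems.append(f'{other} does not apply to Type {gtype}')
    if gtype == 'AmazonCustomerByEmail' and value:
        user, sep, domain = value.partition('@')
        if not (user and sep and domain):
            problems.append('EmailAddress must be in the form user@domain')
    if gtype == 'Group' and value and value not in GROUPS:
        problems.append('URI is not one of the groups listed on this page')
    return problems


def review_policy(policy):
    """Return (errors, group_grants); group_grants lists (group, permission) pairs."""
    errors, group_grants = [], []
    for i, grant in enumerate(policy.get('Grants', [])):
        grantee = grant.get('Grantee', {})
        errors += [f'Grants[{i}]: {p}' for p in check_grantee(grantee)]
        if grantee.get('Type') == 'Group' and grantee.get('URI') in GROUPS:
            group_grants.append((grantee['URI'].rsplit('/', 1)[-1], grant.get('Permission')))
    return errors, group_grants


# Constructed sample: one valid VID grant, one group grant, one mixed-up grantee.
SAMPLE = {'Grants': [
    {'Grantee': {'ID': '3', 'Type': 'CanonicalUser'}, 'Permission': 'FULL_CONTROL'},
    {'Grantee': {'Type': 'Group', 'URI': ALL_USERS}, 'Permission': 'READ'},
    {'Grantee': {'Type': 'CanonicalUser', 'EmailAddress': 'jdoe@example.com'}, 'Permission': 'READ'},
]}
```

Call review_policy() on the AccessControlPolicy dict and send it only when the error list is empty and every listed group grant is intended.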