Set Bucket ACL


Before setting ACL permissions, we recommend you read Managing S3 Access Control Lists (ACLs).

s3cmd [-c CONFIGFILE] setacl s3://BUCKET[/OBJECT] [--acl-grant=PERMISSION:{USER|GROUP}] [--acl-revoke=PERMISSION:{USER_VAST_ID|GROUP}]

CONFIGFILE

Configuration file. Defaults to $HOME/s3cf

BUCKET

Name of bucket

--acl-grant

Grant stated permission for stated user or group.

--acl-revoke

Revoke stated permission for stated user or group.

PERMISSION

Type of permission to grant:

  • read

  • write

  • read_acp

  • write_acp

  • full_control

  • all

USER

A user to which you want to grant the permission. The user can be specified as:

  • A principal name in the format user@domain, where user is the user name and domain is configured for an external auth provider on the cluster (LDAP, NIS).  

    Note

    Users on the local provider cannot be specified this way.

  • A VID, which is a VAST ID used in the cluster's internal user database. A user VID can be retrieved by running the user query VAST CLI command and specifying udb as the context of the query. The output includes the user's VID.

GROUP

A group to which you want to grant the permission. The group can be specified as follows:

  • Set the type to GroupLoginName and specify the group in the format group@domain, where group is the group name and domain is configured for an external auth provider on the cluster (such as LDAP).

  • Specify the group's VID, which is the VAST ID used in the cluster's internal user database. A group VID can be retrieved by running the group query VAST CLI command and specifying udb as the context of the query. The output includes the group's VID.

If you want to grant permissions to an S3 predefined group, specify one of the following:

  • http://acs.amazonaws.com/groups/global/AllUsers, or

  • http://acs.amazonaws.com/groups/global/AuthenticatedUsers

Examples

Grant read permissions for bucket mybucket to group mygroup@domain.com:

$ s3cmd setacl s3://mybucket --acl-grant=read:'groupLoginName=mygroup@domain.com'

Grant full control to the predefined group AuthenticatedUsers to access the bucket mybucket:

$ s3cmd setacl s3://mybucket --acl-grant='full_control:http://acs.amazonaws.com/groups/global/AuthenticatedUsers'

Grant read permission to the predefined AllUsers group to access the bucket mybucket:

$ s3cmd setacl s3://mybucket --acl-grant='read:http://acs.amazonaws.com/groups/global/AllUsers'

Grant user with VAST ID 14 write permission to the bucket mybucket:

$ s3cmd setacl s3://mybucket --acl-grant='write:14'
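
A pre-flight check for --acl-grant values, added here as an example and not part of the VAST documentation or s3cmd: the hypothetical classify_grant function checks a PERMISSION:GRANTEE value against the permission names and grantee forms listed above and flags grants to the predefined S3 groups. It assumes VIDs are decimal integers, as in the write:14 example; the labels ok, review, block and invalid are this example's own policy.

```shell
#!/bin/sh
# Added example, not VAST or s3cmd code. classify_grant is a hypothetical
# helper that lints one PERMISSION:GRANTEE value before it reaches
# `s3cmd setacl --acl-grant=...`.
# Assumption: VIDs are decimal integers, as in the page's write:14 example.
# The labels ok / review / block / invalid are this example's own policy.

ALL_USERS='http://acs.amazonaws.com/groups/global/AllUsers'
AUTH_USERS='http://acs.amazonaws.com/groups/global/AuthenticatedUsers'

classify_grant() {
    grant=$1
    # A grant needs both a permission and a grantee.
    case $grant in
        *:*) ;;
        *) echo invalid; return 0 ;;
    esac
    perm=${grant%%:*}      # text before the first colon
    grantee=${grant#*:}    # everything after it (group URIs contain colons)

    # Only the permissions listed on the page are accepted.
    case $perm in
        read|write|read_acp|write_acp|full_control|all) ;;
        *) echo invalid; return 0 ;;
    esac

    case $grantee in
        "$ALL_USERS"|"$AUTH_USERS")
            # Predefined groups are not a named principal: read needs a
            # second look, every broader permission is refused.
            if [ "$perm" = read ]; then echo review; else echo block; fi ;;
        [Gg]roupLoginName=?*@?*) echo ok ;;   # group@domain, external provider
        [Gg]roupLoginName=*) echo invalid ;;  # prefix without group@domain
        ?*@?*) echo ok ;;                     # user@domain, external provider
        ''|*[!0-9]*) echo invalid ;;          # bare names (local users) rejected
        *) echo ok ;;                         # numeric VID
    esac
}

# The four grants from the Examples section (values copied from the page).
for g in \
    'read:groupLoginName=mygroup@domain.com' \
    "full_control:$AUTH_USERS" \
    "read:$ALL_USERS" \
    'write:14'
do
    printf '%-8s %s\n' "$(classify_grant "$g")" "$g"
done
```

A wrapper script can call s3cmd setacl only when the label is ok, and route review results to a person.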