AWS SDK for Java
Developer Guide

Managing Amazon S3 Access Permissions for Buckets and Objects

You can use access control lists (ACLs) for Amazon S3 buckets and objects for fine-grained control over your Amazon S3 resources.

Note

These code snippets assume that you understand the material in Using the AWS SDK for Java and have configured default AWS credentials using the information in Set up AWS Credentials and Region for Development.

Get the Access Control List for a Bucket

To get the current ACL for a bucket, call the AmazonS3 client's getBucketAcl method, passing it the name of the bucket to query. This method returns an AccessControlList object. To get each access grant in the list, call its getGrantsAsList method, which returns a standard Java list of Grant objects.

Imports

import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.Grant;
import java.util.List;

Code

// bucket_name is a String holding the name of the bucket to query.
final AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
try {
    AccessControlList acl = s3.getBucketAcl(bucket_name);
    List<Grant> grants = acl.getGrantsAsList();
    // print one line per grant: grantee identifier and permission
    for (Grant grant : grants) {
        System.out.format("  %s: %s\n", grant.getGrantee().getIdentifier(),
                grant.getPermission().toString());
    }
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}

See the complete example.

Set the Access Control List for a Bucket

To add or modify permissions in the ACL for a bucket, call the AmazonS3 client's setBucketAcl method. It takes an AccessControlList object that contains a list of grantees and access levels to set.

Imports

import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.EmailAddressGrantee;
import com.amazonaws.services.s3.model.Permission;

Code

// bucket_name, email and access are Strings supplied by the caller.
final AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
try {
    // get the current ACL
    AccessControlList acl = s3.getBucketAcl(bucket_name);
    // set access for the grantee
    EmailAddressGrantee grantee = new EmailAddressGrantee(email);
    // valueOf expects the enum constant name, e.g. Read or FullControl
    Permission permission = Permission.valueOf(access);
    acl.grantPermission(grantee, permission);
    s3.setBucketAcl(bucket_name, acl);
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}

Note

You can provide the grantee's unique identifier directly using the Grantee class, or use the EmailAddressGrantee class to set the grantee by email, as we've done here.

See the complete example.

Get the Access Control List for an Object

To get the current ACL for an object, call the AmazonS3 client's getObjectAcl method, passing it the bucket name and object name to query. Like getBucketAcl, this method returns an AccessControlList object that you can use to examine each Grant.

Imports

import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.Grant;
import java.util.List;

Code

// bucket_name and object_key are Strings identifying the object to query.
final AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
try {
    AccessControlList acl = s3.getObjectAcl(bucket_name, object_key);
    List<Grant> grants = acl.getGrantsAsList();
    // print one line per grant: grantee identifier and permission
    for (Grant grant : grants) {
        System.out.format("  %s: %s\n", grant.getGrantee().getIdentifier(),
                grant.getPermission().toString());
    }
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}

See the complete example.
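
The grant lists returned by getBucketAcl and getObjectAcl are where public exposure shows up, so the following added example (not part of the original guide or the SDK samples) filters a list for grants held by the global AllUsers and AuthenticatedUsers groups and rates each by permission. The class name, method names and the canonical ID are hypothetical, and the ACL is constructed in memory so the check runs without network access.

```java
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.CanonicalGrantee;
import com.amazonaws.services.s3.model.Grant;
import com.amazonaws.services.s3.model.GroupGrantee;
import com.amazonaws.services.s3.model.Permission;

import java.util.ArrayList;
import java.util.List;

public class PublicGrantAudit {

    /** Returns the grants whose grantee is one of the two global S3 groups. */
    static List<Grant> findPublicGrants(AccessControlList acl) {
        List<Grant> risky = new ArrayList<>();
        for (Grant grant : acl.getGrantsAsList()) {
            if (GroupGrantee.AllUsers.equals(grant.getGrantee())
                    || GroupGrantee.AuthenticatedUsers.equals(grant.getGrantee())) {
                risky.add(grant);
            }
        }
        return risky;
    }

    /** Write or ACL-modifying access held by a global group is the worst case. */
    static boolean allowsModification(Grant grant) {
        Permission p = grant.getPermission();
        return p == Permission.Write || p == Permission.WriteAcp
                || p == Permission.FullControl;
    }

    public static void main(String[] args) {
        // Constructed sample ACL; in practice pass the result of
        // s3.getBucketAcl(bucket_name) or s3.getObjectAcl(bucket_name, object_key).
        AccessControlList acl = new AccessControlList();
        acl.grantPermission(new CanonicalGrantee("constructed-owner-id"),
                Permission.FullControl);
        acl.grantPermission(GroupGrantee.AllUsers, Permission.Read);
        acl.grantPermission(GroupGrantee.AuthenticatedUsers, Permission.WriteAcp);

        for (Grant grant : findPublicGrants(acl)) {
            System.out.format("%s %s: %s%n",
                    allowsModification(grant) ? "CRITICAL" : "WARNING",
                    grant.getGrantee().getIdentifier(),
                    grant.getPermission());
        }
    }
}
```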

Set the Access Control List for an Object

To add or modify permissions in the ACL for an object, call the AmazonS3 client's setObjectAcl method. It takes an AccessControlList object that contains a list of grantees and access levels to set.

Imports

import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.EmailAddressGrantee;
import com.amazonaws.services.s3.model.Permission;

Code

// bucket_name, object_key, email and access are Strings supplied by the caller.
final AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
try {
    // get the current ACL
    AccessControlList acl = s3.getObjectAcl(bucket_name, object_key);
    // set access for the grantee
    EmailAddressGrantee grantee = new EmailAddressGrantee(email);
    // valueOf expects the enum constant name, e.g. Read or FullControl
    Permission permission = Permission.valueOf(access);
    acl.grantPermission(grantee, permission);
    s3.setObjectAcl(bucket_name, object_key, acl);
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}

Note

You can provide the grantee's unique identifier directly using the Grantee class, or use the EmailAddressGrantee class to set the grantee by email, as we've done here.

See the complete example.
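
The same get, modify, set sequence used above to add a grant also serves to take one away. This added example (not part of the original guide or the SDK samples) removes grants held by the global AllUsers and AuthenticatedUsers groups and writes the ACL back only when something changed; the class name, method names and canonical ID are hypothetical, and main works on a constructed in-memory ACL.

```java
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.CanonicalGrantee;
import com.amazonaws.services.s3.model.GroupGrantee;
import com.amazonaws.services.s3.model.Permission;

public class PublicGrantRemoval {

    /** Removes every grant held by the two global groups; true if the ACL changed. */
    static boolean stripPublicGrants(AccessControlList acl) {
        int before = acl.getGrantsAsList().size();
        acl.revokeAllPermissions(GroupGrantee.AllUsers);
        acl.revokeAllPermissions(GroupGrantee.AuthenticatedUsers);
        return acl.getGrantsAsList().size() != before;
    }

    /** Read-modify-write against a live bucket; writes only when a grant was removed. */
    static boolean removePublicBucketGrants(AmazonS3 s3, String bucketName) {
        // setBucketAcl replaces the whole ACL, so start from the current one
        // to keep the owner and every other grant intact.
        AccessControlList acl = s3.getBucketAcl(bucketName);
        boolean changed = stripPublicGrants(acl);
        if (changed) {
            s3.setBucketAcl(bucketName, acl);
        }
        return changed;
    }

    public static void main(String[] args) {
        // Constructed in-memory ACL so the demonstration needs no network access.
        AccessControlList acl = new AccessControlList();
        acl.grantPermission(new CanonicalGrantee("constructed-owner-id"),
                Permission.FullControl);
        acl.grantPermission(GroupGrantee.AllUsers, Permission.Read);
        acl.grantPermission(GroupGrantee.AllUsers, Permission.Write);

        System.out.println("changed: " + stripPublicGrants(acl));
        System.out.println("remaining grants: " + acl.getGrantsAsList().size());
        // A second pass finds nothing left to remove, so no write would be issued.
        System.out.println("second pass changed: " + stripPublicGrants(acl));
    }
}
```

For objects, the same helper applies with getObjectAcl and setObjectAcl in place of the bucket calls.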

More Information