AWS SDK for C++
Developer Guide

Managing Amazon S3 Access Permissions

Access permissions for an Amazon S3 bucket or object are defined in an access control list (ACL). The ACL specifies the owner of the bucket/object and a list of grants. Each grant specifies a user (or grantee) and the user's permissions to access the bucket/object, such as READ or WRITE access.

Manage an Object's Access Control List

The access control list for an object can be retrieved by calling the S3Client method GetObjectAcl. The method accepts the names of the object and its bucket. The return value includes the ACL's Owner and list of Grants.

#include <iostream>
#include <aws/core/Aws.h>
#include <aws/s3/S3Client.h>
#include <aws/s3/model/AccessControlPolicy.h>
#include <aws/s3/model/GetObjectAclRequest.h>
#include <aws/s3/model/PutObjectAclRequest.h>
#include <aws/s3/model/Grant.h>
#include <aws/s3/model/Grantee.h>
#include <aws/s3/model/Permission.h>

// bucket_name and object_name are Aws::String values supplied by the caller
// in the example source file.
// Set up the get request
Aws::S3::S3Client s3_client;
Aws::S3::Model::GetObjectAclRequest get_request;
get_request.SetBucket(bucket_name);
get_request.SetKey(object_name);

// Get the current access control policy
auto get_outcome = s3_client.GetObjectAcl(get_request);
if (!get_outcome.IsSuccess())
{
    auto error = get_outcome.GetError();
    std::cout << "Original GetObjectAcl error: "
        << error.GetExceptionName() << " - "
        << error.GetMessage() << std::endl;
    return;
}

The ACL can be modified by either creating a new ACL or changing the grants specified in the current ACL. The updated ACL becomes the new current ACL by passing it to the PutObjectAcl method.

The following code uses the ACL retrieved by GetObjectAcl and adds a new grant to it. The user or grantee is given READ permission for the object. The modified ACL is passed to PutObjectAcl, making it the new current ACL. For further details, see the example source file.

// Reference the retrieved access control policy
auto result = get_outcome.GetResult();

// Copy the result to an access control policy object (cannot type cast)
Aws::S3::Model::AccessControlPolicy acp;
acp.SetOwner(result.GetOwner());
acp.SetGrants(result.GetGrants());

// Define and add new grant. grantee_id is the grantee's canonical user ID;
// GetPermission() is a helper in the example source file that converts the
// permission string to an Aws::S3::Model::Permission value.
Aws::S3::Model::Grant new_grant;
Aws::S3::Model::Grantee new_grantee;
new_grantee.SetID(grantee_id);
new_grantee.SetType(Aws::S3::Model::Type::CanonicalUser);
new_grant.SetGrantee(new_grantee);
new_grant.SetPermission(GetPermission(permission));
acp.AddGrants(new_grant);

// Set up the put request
Aws::S3::Model::PutObjectAclRequest put_request;
put_request.SetAccessControlPolicy(acp);
put_request.SetBucket(bucket_name);
put_request.SetKey(object_name);

// Set the new access control policy and check that the call succeeded
auto set_outcome = s3_client.PutObjectAcl(put_request);
if (!set_outcome.IsSuccess())
{
    auto error = set_outcome.GetError();
    std::cout << "PutObjectAcl error: "
        << error.GetExceptionName() << " - "
        << error.GetMessage() << std::endl;
}

Manage a Bucket's Access Control List

In most cases, the preferred method for setting the access permissions of a bucket is to define a bucket policy. However, buckets also support access control lists for users who wish to use them.

Management of an access control list for a bucket is identical to that used for an object. The GetBucketAcl method retrieves a bucket's current ACL and PutBucketAcl applies a new ACL to the bucket.

The following code demonstrates getting and setting a bucket ACL. For details, see the example source file.

#include <iostream>
#include <aws/core/Aws.h>
#include <aws/s3/S3Client.h>
#include <aws/s3/model/AccessControlPolicy.h>
#include <aws/s3/model/GetBucketAclRequest.h>
#include <aws/s3/model/PutBucketAclRequest.h>
#include <aws/s3/model/Grant.h>
#include <aws/s3/model/Grantee.h>
#include <aws/s3/model/Permission.h>

// bucket_name is an Aws::String supplied by the caller in the example source file.
// Set up the get request
Aws::S3::S3Client s3_client;
Aws::S3::Model::GetBucketAclRequest get_request;
get_request.SetBucket(bucket_name);

// Get the current access control policy
auto get_outcome = s3_client.GetBucketAcl(get_request);
if (!get_outcome.IsSuccess())
{
    auto error = get_outcome.GetError();
    std::cout << "Original GetBucketAcl error: "
        << error.GetExceptionName() << " - "
        << error.GetMessage() << std::endl;
    return;
}

// Reference the retrieved access control policy
auto result = get_outcome.GetResult();

// Copy the result to an access control policy object (cannot type cast)
Aws::S3::Model::AccessControlPolicy acp;
acp.SetOwner(result.GetOwner());
acp.SetGrants(result.GetGrants());

// Define and add new grant. grantee_id is the grantee's canonical user ID;
// GetPermission() is a helper in the example source file that converts the
// permission string to an Aws::S3::Model::Permission value.
Aws::S3::Model::Grant new_grant;
Aws::S3::Model::Grantee new_grantee;
new_grantee.SetID(grantee_id);
new_grantee.SetType(Aws::S3::Model::Type::CanonicalUser);
new_grant.SetGrantee(new_grantee);
new_grant.SetPermission(GetPermission(permission));
acp.AddGrants(new_grant);

// Set up the put request
Aws::S3::Model::PutBucketAclRequest put_request;
put_request.SetAccessControlPolicy(acp);
put_request.SetBucket(bucket_name);

// Set the new access control policy and check that the call succeeded
auto set_outcome = s3_client.PutBucketAcl(put_request);
if (!set_outcome.IsSuccess())
{
    auto error = set_outcome.GetError();
    std::cout << "PutBucketAcl error: "
        << error.GetExceptionName() << " - "
        << error.GetMessage() << std::endl;
}
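Two points that the object and bucket snippets above leave implicit are worth seeing in code. PutObjectAcl and PutBucketAcl replace the whole ACL, so the grants copied out of the Get result must be carried over or they are lost, and an unconditional AddGrants run twice leaves two identical grants. Before putting a modified ACL back it is also worth checking it for grants to the predefined AllUsers and AuthenticatedUsers groups, which make the resource public. The following is an added example, not code from this guide or from the AWS SDK for C++; it compiles without the SDK by using small structs that only mirror the shape of Aws::S3::Model::Grant, Grantee and AccessControlPolicy, and the canonical user IDs in it are placeholders. The group URIs are the real S3 predefined group URIs.

```cpp
#include <string>
#include <vector>

// Constructed stand-ins for the SDK's Type, Permission, Grantee, Grant and
// AccessControlPolicy. They are NOT Aws::S3::Model types, only their shape.
enum class GranteeType { CanonicalUser, Group };
enum class Permission { FULL_CONTROL, WRITE, WRITE_ACP, READ, READ_ACP };

struct Grantee {
    GranteeType type;
    std::string id;   // canonical user ID, used when type == CanonicalUser
    std::string uri;  // predefined group URI, used when type == Group
};

struct Grant {
    Grantee grantee;
    Permission permission;
};

struct AccessControlPolicy {
    std::string owner_id;
    std::vector<Grant> grants;
};

// S3 predefined group URIs. AllUsers is anyone on the internet,
// AuthenticatedUsers is any AWS account at all.
const std::string kAllUsersUri =
    "http://acs.amazonaws.com/groups/global/AllUsers";
const std::string kAuthenticatedUsersUri =
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers";

bool SameGrantee(const Grantee& a, const Grantee& b) {
    if (a.type != b.type) return false;
    return a.type == GranteeType::Group ? a.uri == b.uri : a.id == b.id;
}

// Adds the grant only if the same (grantee, permission) pair is not already
// present, so re-running the update does not accumulate duplicate grants.
// Returns true when the policy changed.
bool AddGrantIfAbsent(AccessControlPolicy& acp, const Grant& g) {
    for (const Grant& existing : acp.grants) {
        if (SameGrantee(existing.grantee, g.grantee) &&
            existing.permission == g.permission) {
            return false;
        }
    }
    acp.grants.push_back(g);
    return true;
}

// Counts grants to the public predefined groups. READ on a bucket lets the
// grantee list keys; WRITE, WRITE_ACP and FULL_CONTROL let it change objects
// or the ACL itself.
int CountPublicGrants(const AccessControlPolicy& acp) {
    int n = 0;
    for (const Grant& g : acp.grants) {
        if (g.grantee.type == GranteeType::Group &&
            (g.grantee.uri == kAllUsersUri ||
             g.grantee.uri == kAuthenticatedUsersUri)) {
            ++n;
        }
    }
    return n;
}

// Mirrors the guide's flow: copy owner and grants out of the Get result, add
// the caller's grant, audit the result. Returns the number of grants the Put
// request would carry, or -1 if the audit found a public grant and the Put
// should be skipped.
int PrepareAclUpdate(const AccessControlPolicy& get_result,
                     const std::string& grantee_id, Permission permission) {
    AccessControlPolicy acp;
    acp.owner_id = get_result.owner_id;
    // Put replaces the whole ACL: without this copy every existing grant,
    // including the owner's FULL_CONTROL, would be dropped.
    acp.grants = get_result.grants;
    Grant new_grant{Grantee{GranteeType::CanonicalUser, grantee_id, ""}, permission};
    AddGrantIfAbsent(acp, new_grant);
    if (CountPublicGrants(acp) > 0) return -1;
    return static_cast<int>(acp.grants.size());
}

// Constructed sample: the ACL S3 creates by default, owner with FULL_CONTROL.
AccessControlPolicy OwnerOnlyAcl() {
    AccessControlPolicy acp;
    acp.owner_id = "OWNER-CANONICAL-ID-PLACEHOLDER";
    acp.grants.push_back(Grant{
        Grantee{GranteeType::CanonicalUser, acp.owner_id, ""}, Permission::FULL_CONTROL});
    return acp;
}

// Constructed sample: the same ACL with an AllUsers READ grant added.
AccessControlPolicy PublicReadAcl() {
    AccessControlPolicy acp = OwnerOnlyAcl();
    acp.grants.push_back(
        Grant{Grantee{GranteeType::Group, "", kAllUsersUri}, Permission::READ});
    return acp;
}
```

In real code the structs would be replaced by the SDK types and CountPublicGrants would read Grantee::GetType() and Grantee::GetURI() from the grants returned by GetObjectAcl or GetBucketAcl; the check belongs between the copy of the Get result and the Put request, which is where the guide's snippets call AddGrants.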