Managing Amazon S3 Access Permissions for Buckets and Objects
You can use access control lists (ACLs) on Amazon S3 buckets and objects to grant basic read and write permissions to other AWS accounts and to the predefined S3 groups. ACLs are the older of the S3 access-control mechanisms: they cannot express conditions, and a single grant to the AllUsers group makes a bucket or object readable by anyone on the internet. For most use cases AWS recommends bucket policies and IAM instead, and since April 2023 new buckets are created with ACLs disabled (Object Ownership set to bucket owner enforced), so the ACL calls below fail on such a bucket unless ACLs have been re-enabled.
Note
These code examples assume that you understand the material in Using the AWS SDK for Java and have configured default AWS credentials using the information in Set up AWS Credentials and Region for Development.
Get the Access Control List for a Bucket
To get the current ACL for a bucket, call the AmazonS3 client's getBucketAcl method, passing it the bucket name to query. This method returns an AccessControlList object. To get each access grant in the list, call its getGrantsAsList method, which returns a standard Java List of Grant objects; each Grant pairs a Grantee (a canonical user, a predefined group or an email address) with a Permission.
Imports
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.Grant;
import java.util.List;
Code
final AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
try {
    // bucket_name is the bucket to inspect, supplied by the caller
    AccessControlList acl = s3.getBucketAcl(bucket_name);
    List<Grant> grants = acl.getGrantsAsList();
    // print each grantee (a canonical ID, or a group URI such as
    // http://acs.amazonaws.com/groups/global/AllUsers) and its permission
    for (Grant grant : grants) {
        System.out.format("  %s: %s\n", grant.getGrantee().getIdentifier(),
                grant.getPermission().toString());
    }
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}
See the complete example on GitHub.
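Listing grants is only useful if you know which ones matter. The following added example (not part of the original page) classifies the grants in an AccessControlList: grants to the predefined AllUsers or AuthenticatedUsers groups, which make the resource public, and grants to canonical users other than the owner, which are cross-account sharing. It runs against a constructed sample ACL so it works offline; the canonical IDs are placeholders, and the auditBucket helper shows how to feed it a live bucket ACL. Because getObjectAcl returns the same type, the same checks apply unchanged to object ACLs.

```java
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.CanonicalGrantee;
import com.amazonaws.services.s3.model.Grant;
import com.amazonaws.services.s3.model.Grantee;
import com.amazonaws.services.s3.model.GroupGrantee;
import com.amazonaws.services.s3.model.Owner;
import com.amazonaws.services.s3.model.Permission;
import java.util.ArrayList;
import java.util.List;

public class AclAudit {

    // A grant to AllUsers is reachable by anyone on the internet without credentials.
    // AuthenticatedUsers means any AWS account in the world, not just yours, so it is
    // effectively public as well.
    static boolean isPublicGrantee(Grantee grantee) {
        return GroupGrantee.AllUsers.equals(grantee)
                || GroupGrantee.AuthenticatedUsers.equals(grantee);
    }

    // Grants to either predefined global group.
    static List<Grant> findPublicGrants(AccessControlList acl) {
        List<Grant> found = new ArrayList<>();
        for (Grant grant : acl.getGrantsAsList()) {
            if (isPublicGrantee(grant.getGrantee())) {
                found.add(grant);
            }
        }
        return found;
    }

    // Grants to a canonical user other than the owner of the bucket or object,
    // i.e. the cross-account sharing an ACL review is usually looking for.
    static List<Grant> findExternalGrants(AccessControlList acl) {
        String ownerId = acl.getOwner() == null ? null : acl.getOwner().getId();
        List<Grant> found = new ArrayList<>();
        for (Grant grant : acl.getGrantsAsList()) {
            Grantee grantee = grant.getGrantee();
            if (grantee instanceof CanonicalGrantee
                    && !grantee.getIdentifier().equals(ownerId)) {
                found.add(grant);
            }
        }
        return found;
    }

    // Same checks against a live bucket; pass s3.getObjectAcl(bucket, key) to
    // report() instead to audit a single object.
    static void auditBucket(AmazonS3 s3, String bucketName) {
        report(bucketName, s3.getBucketAcl(bucketName));
    }

    static void report(String label, AccessControlList acl) {
        for (Grant grant : findPublicGrants(acl)) {
            System.out.format("%s: PUBLIC %s via %s%n", label,
                    grant.getPermission(), grant.getGrantee().getIdentifier());
        }
        for (Grant grant : findExternalGrants(acl)) {
            System.out.format("%s: external account %s has %s%n", label,
                    grant.getGrantee().getIdentifier(), grant.getPermission());
        }
    }

    public static void main(String[] args) {
        // Constructed sample ACL, not fetched from S3: the owner's FULL_CONTROL, one
        // public read grant and one cross-account grant. The IDs are placeholders.
        Owner owner = new Owner("owner-canonical-id-0000", "bucket-owner");
        AccessControlList acl = new AccessControlList();
        acl.setOwner(owner);
        acl.grantPermission(new CanonicalGrantee(owner.getId()), Permission.FullControl);
        acl.grantPermission(GroupGrantee.AllUsers, Permission.Read);
        acl.grantPermission(new CanonicalGrantee("other-account-canonical-id-1111"),
                Permission.ReadAcp);
        report("sample-acl", acl);
    }
}
```

The two lists are the findings a reviewer acts on; the owner's own FULL_CONTROL grant is expected and is deliberately not reported. Note that a public grant may be present yet ineffective when S3 Block Public Access is enabled with IgnorePublicAcls on the bucket or account, so check that setting before treating a finding as an actual exposure.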
Set the Access Control List for a Bucket
To add or modify permissions in a bucket's ACL, call the AmazonS3 client's setBucketAcl method. It takes an AccessControlList object containing the complete list of grantees and their permissions. The call replaces the bucket's existing ACL rather than merging with it, which is why the example below reads the current ACL first and adds the new grant to it.
Imports
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.EmailAddressGrantee;
import com.amazonaws.services.s3.model.Permission;
Code
final AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
try {
    // get the current ACL so existing grants, including the owner's
    // FULL_CONTROL, are preserved when the ACL is written back
    AccessControlList acl = s3.getBucketAcl(bucket_name);
    // set access for the grantee; 'access' must be one of the Permission
    // constant names: FullControl, Read, Write, ReadAcp or WriteAcp
    EmailAddressGrantee grantee = new EmailAddressGrantee(email);
    Permission permission = Permission.valueOf(access);
    acl.grantPermission(grantee, permission);
    // setBucketAcl replaces the whole ACL with the modified copy
    s3.setBucketAcl(bucket_name, acl);
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}
Note
You can specify the grantee by canonical user ID with the CanonicalGrantee class, by predefined group with the GroupGrantee enum (GroupGrantee.AllUsers makes the resource public to anyone), or by email address with the EmailAddressGrantee class, as we've done here. Email grantees are resolved by S3 to the canonical ID of the account that owns the address, which must be associated with exactly one AWS account, and are supported only in a subset of AWS Regions; the canonical ID form works everywhere.
See the complete example on GitHub.
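The example above appends a grant to whatever the ACL already contains, which has two pitfalls: grantPermission accumulates, so lowering a grantee from FullControl to Read leaves the FullControl grant in place, and any pre-existing public grant is written back along with your change. The following added example (not the page's own code) sets a permission for a canonical user while avoiding both, and handles the error S3 returns when the bucket has ACLs disabled. The class name, the argument layout and the use of a canonical ID rather than an email address are choices made for this example.

```java
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.AmazonS3Exception;
import com.amazonaws.services.s3.model.CanonicalGrantee;
import com.amazonaws.services.s3.model.Grant;
import com.amazonaws.services.s3.model.GroupGrantee;
import com.amazonaws.services.s3.model.Permission;

public class SafeBucketAclUpdate {

    // Sets exactly one permission for a canonical user on the bucket ACL, replacing
    // any permission that grantee already held, and refuses to write back an ACL
    // that contains a grant to a predefined global group.
    static void setGrantForAccount(AmazonS3 s3, String bucketName,
                                   String canonicalId, Permission permission) {
        AccessControlList acl = s3.getBucketAcl(bucketName);

        // Guard: setBucketAcl replaces the whole ACL, so an existing public grant
        // would be re-asserted by this call. Fail loudly instead.
        for (Grant grant : acl.getGrantsAsList()) {
            if (GroupGrantee.AllUsers.equals(grant.getGrantee())
                    || GroupGrantee.AuthenticatedUsers.equals(grant.getGrantee())) {
                throw new IllegalStateException(bucketName + " already grants "
                        + grant.getPermission() + " to "
                        + grant.getGrantee().getIdentifier()
                        + "; remove that grant before changing the ACL");
            }
        }

        CanonicalGrantee grantee = new CanonicalGrantee(canonicalId);
        // grantPermission appends, so drop this grantee's existing grants first
        // (revokeAllPermissions matches CanonicalGrantee by canonical ID).
        acl.revokeAllPermissions(grantee);
        acl.grantPermission(grantee, permission);

        try {
            s3.setBucketAcl(bucketName, acl);
        } catch (AmazonS3Exception e) {
            if ("AccessControlListNotSupported".equals(e.getErrorCode())) {
                // Object Ownership is "bucket owner enforced": ACLs are disabled on
                // this bucket and access must be granted in the bucket policy instead.
                System.err.println(bucketName
                        + ": ACLs are disabled on this bucket; use a bucket policy");
            }
            throw e;
        }
    }

    public static void main(String[] args) {
        if (args.length != 3) {
            System.err.println(
                    "usage: SafeBucketAclUpdate <bucket> <canonical-id> <permission>");
            System.exit(2);
        }
        // Permission.valueOf accepts only the enum constant names:
        // FullControl, Read, Write, ReadAcp, WriteAcp.
        Permission permission = Permission.valueOf(args[2]);
        AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
        setGrantForAccount(s3, args[0], args[1], permission);
    }
}
```

Two other failure modes are worth knowing when this call is rejected with AccessDenied: the caller lacks s3:PutBucketAcl, or S3 Block Public Access (BlockPublicAcls) is enabled and the ACL being written contains a public grant. The guard above prevents the second case before the request is sent.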
Get the Access Control List for an Object
To get the current ACL for an object, call the AmazonS3 client's getObjectAcl method, passing it the bucket name and object key to query. Like getBucketAcl, this method returns an AccessControlList object whose Grant entries you can examine with getGrantsAsList. Object ACLs are independent of the bucket ACL: an object can carry a public grant even when the bucket's own ACL is private.
Imports
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.Grant;
import java.util.List;
Code
final AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
try {
    // bucket_name and object_key identify the object to inspect, supplied by the caller
    AccessControlList acl = s3.getObjectAcl(bucket_name, object_key);
    List<Grant> grants = acl.getGrantsAsList();
    // print each grantee (canonical ID or group URI) and its permission
    for (Grant grant : grants) {
        System.out.format("  %s: %s\n", grant.getGrantee().getIdentifier(),
                grant.getPermission().toString());
    }
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}
See the complete example on GitHub.
Set the Access Control List for an Object
To add or modify permissions in an object's ACL, call the AmazonS3 client's setObjectAcl method. It takes the bucket name, the object key and an AccessControlList object containing the complete list of grantees and their permissions; as with buckets, the call replaces the object's existing ACL, so read the current ACL first if you want to keep its grants.
Imports
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.EmailAddressGrantee;
import com.amazonaws.services.s3.model.Permission;
Code
final AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
try {
    // get the current ACL so existing grants are preserved when it is written back
    AccessControlList acl = s3.getObjectAcl(bucket_name, object_key);
    // set access for the grantee; 'access' must be one of the Permission
    // constant names: FullControl, Read, Write, ReadAcp or WriteAcp
    EmailAddressGrantee grantee = new EmailAddressGrantee(email);
    Permission permission = Permission.valueOf(access);
    acl.grantPermission(grantee, permission);
    // setObjectAcl replaces the object's whole ACL with the modified copy
    s3.setObjectAcl(bucket_name, object_key, acl);
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}
Note
As with bucket ACLs, the grantee can be given by canonical user ID (CanonicalGrantee), by predefined group (GroupGrantee) or by email address (EmailAddressGrantee, as we've done here); the email form is supported only in a subset of AWS Regions.
See the complete example on GitHub.
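Because object ACLs are set per object, a bucket with a private bucket ACL can still contain individually public objects, and finding them means inspecting every object. The following added example (not from the original page) combines the two object operations above: it pages through a bucket with ListObjectsV2, fetches each object's ACL, collects the keys that grant access to AllUsers or AuthenticatedUsers and, if asked, resets each of them with the "private" canned ACL. The class name, the --fix flag and the remediation choice are assumptions made for this example.

```java
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.CannedAccessControlList;
import com.amazonaws.services.s3.model.Grant;
import com.amazonaws.services.s3.model.GroupGrantee;
import com.amazonaws.services.s3.model.ListObjectsV2Request;
import com.amazonaws.services.s3.model.ListObjectsV2Result;
import com.amazonaws.services.s3.model.S3ObjectSummary;
import java.util.ArrayList;
import java.util.List;

public class ObjectAclSweep {

    // True if any grant goes to a predefined global group.
    static boolean hasPublicGrant(AccessControlList acl) {
        for (Grant grant : acl.getGrantsAsList()) {
            if (GroupGrantee.AllUsers.equals(grant.getGrantee())
                    || GroupGrantee.AuthenticatedUsers.equals(grant.getGrantee())) {
                return true;
            }
        }
        return false;
    }

    // Walks every object in the bucket (ListObjectsV2 returns at most 1000 keys per
    // page, so the continuation token must be followed), reads each object's ACL and
    // returns the keys that carry a public grant. With remediate=true each such object
    // is reset to the "private" canned ACL: owner FULL_CONTROL and nothing else.
    static List<String> sweep(AmazonS3 s3, String bucketName, boolean remediate) {
        List<String> exposed = new ArrayList<>();
        ListObjectsV2Request request = new ListObjectsV2Request().withBucketName(bucketName);
        ListObjectsV2Result page;
        do {
            page = s3.listObjectsV2(request);
            for (S3ObjectSummary summary : page.getObjectSummaries()) {
                String key = summary.getKey();
                AccessControlList acl = s3.getObjectAcl(bucketName, key);
                if (hasPublicGrant(acl)) {
                    exposed.add(key);
                    if (remediate) {
                        s3.setObjectAcl(bucketName, key, CannedAccessControlList.Private);
                    }
                }
            }
            request.setContinuationToken(page.getNextContinuationToken());
        } while (page.isTruncated());
        return exposed;
    }

    public static void main(String[] args) {
        if (args.length < 1) {
            System.err.println("usage: ObjectAclSweep <bucket> [--fix]");
            System.exit(2);
        }
        boolean fix = args.length > 1 && "--fix".equals(args[1]);
        AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
        List<String> exposed = sweep(s3, args[0], fix);
        for (String key : exposed) {
            System.out.println((fix ? "reset to private: " : "public: ") + key);
        }
        System.out.format("%d object(s) with public grants%n", exposed.size());
    }
}
```

Two caveats before running this with --fix. The private canned ACL removes every non-owner grant, including legitimate cross-account grants, so review the reported keys first. And the sweep issues one GetObjectAcl request per object, which is slow and billed per request on large buckets; on a bucket where S3 Block Public Access has IgnorePublicAcls enabled the grants it finds are already ineffective, and enabling that setting (or disabling ACLs via Object Ownership) closes the exposure in one call rather than one per object.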
More Information
- GET Bucket acl in the Amazon S3 API Reference
- PUT Bucket acl in the Amazon S3 API Reference
- GET Object acl in the Amazon S3 API Reference
- PUT Object acl in the Amazon S3 API Reference