Managing Amazon S3 Access Permissions for Buckets and Objects

You can use access control lists (ACLs) for Amazon S3 buckets and objects for fine-grained control over your Amazon S3 resources.

Note

These code examples assume that you understand the material in Using the AWS SDK for Java and have configured default AWS credentials using the information in Set up AWS Credentials and Region for Development.

Get the Access Control List for a Bucket

To get the current ACL for a bucket, call the AmazonS3's getBucketAcl method, passing it the bucket name to query. This method returns an AccessControlList object. To get each access grant in the list, call its getGrantsAsList method, which will return a standard Java list of Grant objects.

Imports


import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.Grant;
import java.util.List;

Code


final AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
try {
    AccessControlList acl = s3.getBucketAcl(bucket_name);
    List<Grant> grants = acl.getGrantsAsList();
    for (Grant grant : grants) {
        System.out.format("  %s: %s\n", grant.getGrantee().getIdentifier(),
                grant.getPermission().toString());
    }
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}

See the complete example on GitHub.

Set the Access Control List for a Bucket

To add or modify permissions to an ACL for a bucket, call the AmazonS3's setBucketAcl method. It takes an AccessControlList object that contains a list of grantees and access levels to set.

Imports


import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.EmailAddressGrantee;
import com.amazonaws.services.s3.model.Permission;

Code


final AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
try {
    // get the current ACL
    AccessControlList acl = s3.getBucketAcl(bucket_name);
    // set access for the grantee
    EmailAddressGrantee grantee = new EmailAddressGrantee(email);
    Permission permission = Permission.valueOf(access);
    acl.grantPermission(grantee, permission);
    s3.setBucketAcl(bucket_name, acl);
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}

Note

You can provide the grantee's unique identifier directly using the Grantee class, or use the EmailAddressGrantee class to set the grantee by email, as we've done here.

See the complete example on GitHub.

Get the Access Control List for an Object

To get the current ACL for an object, call the AmazonS3's getObjectAcl method, passing it the bucket name and object name to query. Like getBucketAcl, this method returns an AccessControlList object that you can use to examine each Grant.

Imports


import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.Grant;
import java.util.List;

Code


final AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
try {
    AccessControlList acl = s3.getObjectAcl(bucket_name, object_key);
    List<Grant> grants = acl.getGrantsAsList();
    for (Grant grant : grants) {
        System.out.format("  %s: %s\n", grant.getGrantee().getIdentifier(),
                grant.getPermission().toString());
    }
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}

See the complete example on GitHub.

Set the Access Control List for an Object

To add or modify permissions to an ACL for an object, call the AmazonS3's setObjectAcl method. It takes an AccessControlList object that contains a list of grantees and access levels to set.

Imports


import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.EmailAddressGrantee;
import com.amazonaws.services.s3.model.Permission;

Code


    final AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient();
    try {
        // get the current ACL
        AccessControlList acl = s3.getObjectAcl(bucket_name, object_key);
        // set access for the grantee
        EmailAddressGrantee grantee = new EmailAddressGrantee(email);
        Permission permission = Permission.valueOf(access);
        acl.grantPermission(grantee, permission);
        s3.setObjectAcl(bucket_name, object_key, acl);
    } catch (AmazonServiceException e) {
        System.err.println(e.getErrorMessage());
        System.exit(1);
    }
}

Note

You can provide the grantee's unique identifier directly using the Grantee class, or use the EmailAddressGrantee class to set the grantee by email, as we've done here.

See the complete example on GitHub.

More Information

GET Bucket acl in the Amazon S3 API Reference
PUT Bucket acl in the Amazon S3 API Reference
GET Object acl in the Amazon S3 API Reference
PUT Object acl in the Amazon S3 API Reference

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

« Previous Next »