AWS SDK for Ruby
Developer Guide

Managing Amazon S3 Bucket and Object Access Permissions

This example demonstrates how to use the AWS SDK for Ruby to:

  1. Set a predefined grant (also known as a canned ACL) for a bucket in Amazon S3.

  2. Add an object to the bucket.

  3. Set a canned ACL for an object in the bucket.

  4. Get the bucket's current ACL.

For the complete code for this example, see Complete Example.

Prerequisites

To set up and run this example, you must first:

  1. Install the AWS SDK for Ruby. For more information, see Installing the AWS SDK for Ruby.

  2. Set the AWS access credentials that the AWS SDK for Ruby will use to verify your access to AWS services and resources. For more information, see Configuring the AWS SDK for Ruby.

Be sure the AWS credentials map to an AWS Identity and Access Management (IAM) entity with access to the AWS actions and resources described in this example.

This example assumes you have set the credentials in the AWS credentials profile file or in the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables on your local system.

Configure the SDK

For this example, add a require statement so that you can use the classes and methods provided by the AWS SDK for Ruby for Amazon S3. Then create an Aws::S3::Client object in the AWS Region where you want to create the bucket. This code creates the Aws::S3::Client object in the us-west-2 region. This code also declares a variable representing the bucket.

require 'aws-sdk-s3' # v2: require 'aws-sdk'
require 'net/http'   # needed for the unsigned Net::HTTP.get checks later in this example

# Create an S3 client
client = Aws::S3::Client.new(region: 'us-west-2')

# The bucket this example works with
bucket = 'my-bucket'

Set a Canned ACL for a Bucket

Call the put_bucket_acl method, specifying the names of the canned ACL and the bucket. This code sets the public-read canned ACL on the bucket, which grants full control to the bucket's owner and read-only access (the ability to list the bucket's objects) to everyone else, including anonymous requesters.

client.put_bucket_acl({
  acl: "public-read",
  bucket: bucket,
})

For more information about canned ACLs, see Canned ACL in Access Control List (ACL) Overview in the Amazon S3 Developer Guide.

To confirm this setting, call the Ruby Net::HTTP.get method to list the bucket's contents with an unsigned (anonymous) request.

bucket_path = "http://#{bucket}.s3-us-west-2.amazonaws.com/"
resp = Net::HTTP.get(URI(bucket_path))
puts "Content of unsigned request to #{bucket_path}:\n\n#{resp}\n\n"

Upload an Object to a Bucket

Call the put_object method, specifying the names of the bucket and object and the object's content. This code declares a variable representing the object.

object_key = "my-key"

# Put an object in the public bucket
client.put_object({
  bucket: bucket,
  key: object_key,
  body: 'Hello World',
})

Set a Canned ACL for an Object

Even though the bucket is now public-read, the object has its own ACL, which is private by default, so an anonymous request for the object's contents is denied. To confirm this behavior, call the Ruby Net::HTTP.get method to attempt to get the object's content with an unsigned request.

object_path = "http://#{bucket}.s3-us-west-2.amazonaws.com/#{object_key}"
resp = Net::HTTP.get(URI(object_path))
puts "Content of unsigned request to #{object_path}:\n\n#{resp}\n\n"

To change this behavior, call the put_object_acl method, specifying the names of the canned ACL, bucket, and object. This code sets the public-read canned ACL on the object, which enables full control for the object's owner and read-only access for everyone else. After the call, try to get the object's content again.

client.put_object_acl({
  acl: "public-read",
  bucket: bucket,
  key: object_key,
})

object_path = "http://#{bucket}.s3-us-west-2.amazonaws.com/#{object_key}"
puts "Now I can access object (#{object_key}) :\n#{Net::HTTP.get(URI(object_path))}\n\n"

Get a Bucket's Current ACL

Call the get_bucket_acl method, specifying the name of the bucket. The get_bucket_acl method returns an instance of the Aws::S3::Types::GetBucketAclOutput class. Use the grants attribute of the GetBucketAclOutput class to list the bucket's current ACL.

resp = client.get_bucket_acl(bucket: bucket)
puts resp.grants
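
Printing resp.grants shows the raw grant list, but what a practitioner usually wants to know is whether any grant reaches beyond the owner. The following is an added example, not code from the AWS SDK for Ruby Developer Guide. It assumes only that each grant responds to grantee and permission, and each grantee to type, uri and id, which is how the Aws::S3::Types::Grant and Aws::S3::Types::Grantee objects returned in resp.grants behave; the Grant and Grantee Structs and the owner id below are constructed stand-ins so the code runs offline, and the group URIs are the predefined S3 ACL groups.

```ruby
# Added example (not from the Developer Guide): audit an S3 ACL's grants for
# access beyond the resource owner. Works on the Aws::S3::Types::Grant objects
# in client.get_bucket_acl(...).grants or client.get_object_acl(...).grants,
# and on the constructed Structs below, since it only uses duck-typed accessors.

# Predefined S3 ACL group URIs.
ALL_USERS           = 'http://acs.amazonaws.com/groups/global/AllUsers'.freeze
AUTHENTICATED_USERS = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'.freeze
LOG_DELIVERY        = 'http://acs.amazonaws.com/groups/s3/LogDelivery'.freeze

# Classify one grant relative to the owning account's canonical id.
# Returns :public, :any_aws_account, :log_delivery, :unknown_group,
# :owner or :cross_account.
def classify_grant(grant, owner_id)
  grantee = grant.grantee
  if grantee.type == 'Group'
    case grantee.uri
    when ALL_USERS           then :public           # anonymous, unsigned requests
    when AUTHENTICATED_USERS then :any_aws_account  # any signed request from any AWS account
    when LOG_DELIVERY        then :log_delivery     # S3 server access log delivery
    else :unknown_group
    end
  elsif grantee.type == 'CanonicalUser' && grantee.id == owner_id
    :owner
  else
    :cross_account                                  # another account or an email grantee
  end
end

# Every grant that is not the owner's, as [classification, permission] pairs.
# An empty array means the ACL is effectively private.
def risky_grants(grants, owner_id)
  grants.map { |g| [classify_grant(g, owner_id), g.permission] }
        .reject { |kind, _perm| kind == :owner }
end

# True when anonymous requesters can read (list a bucket / fetch an object).
def public_read?(grants, owner_id)
  risky_grants(grants, owner_id).any? do |kind, perm|
    kind == :public && %w[READ FULL_CONTROL].include?(perm)
  end
end

# Constructed stand-ins for the SDK's Grant / Grantee types (same attribute names).
Grantee = Struct.new(:type, :uri, :id, keyword_init: true)
Grant   = Struct.new(:grantee, :permission, keyword_init: true)

OWNER_ID = 'owner-canonical-id-placeholder'.freeze # constructed; a real id is 64 hex chars

# Constructed sample: the grant list a bucket carries after put_bucket_acl(acl: 'public-read').
PUBLIC_READ_GRANTS = [
  Grant.new(grantee: Grantee.new(type: 'CanonicalUser', id: OWNER_ID), permission: 'FULL_CONTROL'),
  Grant.new(grantee: Grantee.new(type: 'Group', uri: ALL_USERS),        permission: 'READ'),
].freeze

# Constructed sample: the grant list after put_bucket_acl(acl: 'private').
PRIVATE_GRANTS = [
  Grant.new(grantee: Grantee.new(type: 'CanonicalUser', id: OWNER_ID), permission: 'FULL_CONTROL'),
].freeze

# Human-readable summary, e.g. for a nightly audit job.
def acl_report(name, grants, owner_id)
  findings = risky_grants(grants, owner_id)
  return "#{name}: private (owner-only ACL)" if findings.empty?
  lines = findings.map { |kind, perm| "  #{kind}: #{perm}" }
  "#{name}: #{public_read?(grants, owner_id) ? 'PUBLIC READ' : 'shared'}\n#{lines.join("\n")}"
end

if __FILE__ == $PROGRAM_NAME
  puts acl_report('my-bucket (public-read)', PUBLIC_READ_GRANTS, OWNER_ID)
  puts acl_report('my-bucket (private)',     PRIVATE_GRANTS,     OWNER_ID)
end
```

With a live response the same functions take the SDK objects directly: resp = client.get_bucket_acl(bucket: bucket), then risky_grants(resp.grants, resp.owner.id), since GetBucketAclOutput also carries the owner. The classification is deliberately conservative: a grant to AuthenticatedUsers is reported separately from AllUsers because it is reachable by any AWS account, not just the bucket owner's, and any unrecognised grantee is reported rather than ignored.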

Complete Example

Here is the complete code for this example.

require 'aws-sdk-s3' # v2: require 'aws-sdk'
require 'net/http'   # needed for the unsigned Net::HTTP.get checks below

# Create an S3 client
client = Aws::S3::Client.new(region: 'us-west-2')

bucket = 'my-bucket'

# Set the bucket to public-read
client.put_bucket_acl({
  acl: "public-read",
  bucket: bucket,
})

object_key = "my-key"

# Put an object in the public bucket
client.put_object({
  bucket: bucket,
  key: object_key,
  body: 'Hello World',
})

# List the bucket with an unsigned (anonymous) request
bucket_path = "http://#{bucket}.s3-us-west-2.amazonaws.com/"
resp = Net::HTTP.get(URI(bucket_path))
puts "Content of unsigned request to #{bucket_path}:\n\n#{resp}\n\n"

# However, accessing the object is denied, since the object's ACL is not public-read
object_path = "http://#{bucket}.s3-us-west-2.amazonaws.com/#{object_key}"
resp = Net::HTTP.get(URI(object_path))
puts "Content of unsigned request to #{object_path}:\n\n#{resp}\n\n"

# Set the object to public-read
client.put_object_acl({
  acl: "public-read",
  bucket: bucket,
  key: object_key,
})

object_path = "http://#{bucket}.s3-us-west-2.amazonaws.com/#{object_key}"
puts "Now I can access object (#{object_key}) :\n#{Net::HTTP.get(URI(object_path))}\n\n"

# Set the bucket back to private
client.put_bucket_acl({
  bucket: bucket,
  acl: 'private',
})

# Get the current bucket ACL
resp = client.get_bucket_acl(bucket: bucket)
puts resp.grants

# Listing the bucket anonymously is denied again
resp = Net::HTTP.get(URI(bucket_path))
puts "Content of unsigned request to #{bucket_path}:\n\n#{resp}\n\n"