
ACL


The sample code in this section shows how to set an ACL on a bucket my-bucket to manage access to that resource. The following is an example for IDrive Cloud's Oregon (us-west-1) region.

IDrive Cloud allows users to set an ACL on a bucket to manage access to that resource.

Whenever a resource is created through the S3 APIs, the creator of that resource becomes its owner by default, and only the creator has access to it. The owner of the resource needs to set an ACL to make it accessible to other users.

In IDrive Cloud every account has its own namespace for buckets, unlike AWS, where all accounts share a common namespace. This means two different accounts can have the same bucket name: e.g. account bob can have a bucket called images, and another account alice can also have a bucket named images.

Because of this, ACLs in IDrive Cloud differ from AWS in a few ways:

  1. In AWS a 12-digit Account ID identifies the Owner and Grantee of a resource, whereas in IDrive Cloud it is a combination of <account name>:<username>. The account name in IDrive Cloud is the same as the root username.
  2. Unlike AWS, a bucket created by one user in an account is not, by default, accessible to the other users. If this is desired, the bucket must be created via the IDrive Cloud console.
  3. For accessing buckets/objects in the same account in IDrive Cloud, the Access Key and Secret alone are sufficient. However, for accessing buckets/objects in a separate account, the Access Key ID must be followed by a colon (:) and the Account ID of the bucket owner.

In the sections below, we walk through some scenarios for applying ACLs to resources in IDrive Cloud.

  • Granting access to resources within the same account

Bob has an IDrive Cloud account with the username bob, and Alice has a sub-account with the username alice. Bob needs to share a bucket named images with Alice. Bob should use the following command to share the resource with Alice.


aws --profile bob s3api put-bucket-acl --bucket images --access-control-policy '{
   "Grants": [
      {
         "Grantee": {
            "ID": "bob:alice",
            "Type": "CanonicalUser"
         },
         "Permission": "FULL_CONTROL"
      }
   ],
   "Owner": {
      "ID": "bob:bob"
   }
}'

Executing the above command gives Alice full control of the bucket images.

Note: The Grantee ID is a combination of <account name>:<username>. In this case the account name is bob, as Bob is the root user of this account, and alice is the username of the sub-account Alice. Hence the Grantee ID is bob:alice.

  • Granting access to resources in a different account

Bob has an IDrive Cloud account with the username bob, and Alice holds a separate account with the username alice. Bob needs to share a bucket named images with Alice. Bob should use the following command to share the resource with Alice.


aws --profile bob s3api put-bucket-acl --bucket images --access-control-policy '{
   "Grants": [
      {
         "Grantee": {
            "ID": "alice:alice",
            "Type": "CanonicalUser"
         },
         "Permission": "FULL_CONTROL"
      }
   ],
   "Owner": {
      "ID": "bob:bob"
   }
}'

Executing the above command gives Alice full control of the bucket images.

Note: The Grantee ID is a combination of <account name>:<username>. Here the account name and the username are both alice, as Alice is the root user of her own account.

Alice needs to know Bob's Account ID to access this resource, and it must be appended to the access key in her configuration as shown below.


aws_access_key_id = <ACCESS KEY>:<BOB’s ACCOUNT ID>
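The two scenarios above differ only in the grantee ID and in whether the caller must carry the owner's Account ID on its access key. The following added example (not IDrive Cloud's own code) builds the same AccessControlPolicy documents the two commands pass in, derives the cross-account access key ID from the guide's `<ACCESS KEY>:<OWNER ACCOUNT ID>` rule, and tells, from a grantee ID alone, whether that grantee is outside the owner's account. The helper names and the character set allowed in account and user names are assumptions; the ID formats are the ones the guide states.

```python
"""Build IDrive Cloud-style S3 ACL policies and cross-account access key IDs.

Added example, not IDrive Cloud's own code. It assumes only what the guide
states: grantee and owner IDs have the form <account name>:<username>, and a
caller from another account appends ':<owner account id>' to its access key ID.
Helper names are hypothetical.
"""
import json
import re
from typing import Dict, List, Tuple

# One IDrive Cloud principal: account name plus username, joined by a colon.
# The permitted character set is an assumption, not something the guide states.
_PRINCIPAL = re.compile(r"^[A-Za-z0-9._-]+:[A-Za-z0-9._-]+$")

PERMISSIONS = {"FULL_CONTROL", "READ", "WRITE", "READ_ACP", "WRITE_ACP"}


def principal_id(account: str, username: str) -> str:
    """Return the '<account name>:<username>' identifier the guide describes.
    A root user has account == username (e.g. 'bob:bob')."""
    if not account or not username or ":" in account or ":" in username:
        raise ValueError("account and username must be non-empty and contain no ':'")
    return f"{account}:{username}"


def build_acl_policy(owner_account: str, grants: List[Tuple[str, str, str]]) -> Dict:
    """Build the AccessControlPolicy document that put-bucket-acl expects.

    grants: (grantee account, grantee username, permission) tuples.
    The owner is the root user of owner_account, so its ID is 'acct:acct'.
    """
    grant_list = []
    for account, username, permission in grants:
        if permission not in PERMISSIONS:
            raise ValueError(f"unknown permission {permission!r}")
        grant_list.append({
            "Grantee": {"ID": principal_id(account, username), "Type": "CanonicalUser"},
            "Permission": permission,
        })
    return {"Grants": grant_list,
            "Owner": {"ID": principal_id(owner_account, owner_account)}}


def cross_account_access_key(access_key_id: str, owner_account_id: str) -> str:
    """Access key ID a caller from another account must configure to reach
    the owner's bucket: '<ACCESS KEY>:<OWNER ACCOUNT ID>'."""
    if ":" in access_key_id:
        raise ValueError("access key ID already carries an account suffix")
    if not owner_account_id:
        raise ValueError("owner account ID is required for cross-account access")
    return f"{access_key_id}:{owner_account_id}"


def is_cross_account(owner_account: str, grantee_id: str) -> bool:
    """True when the grantee belongs to a different account than the owner,
    i.e. the grantee will need the ':<owner account id>' key suffix."""
    if not _PRINCIPAL.match(grantee_id):
        raise ValueError(f"malformed grantee ID {grantee_id!r}")
    return grantee_id.split(":", 1)[0] != owner_account


if __name__ == "__main__":
    # Scenario 1: sub-account alice inside bob's account.
    same = build_acl_policy("bob", [("bob", "alice", "FULL_CONTROL")])
    # Scenario 2: alice is the root user of her own account.
    other = build_acl_policy("bob", [("alice", "alice", "FULL_CONTROL")])
    print(json.dumps(same, indent=3))   # same document as the guide's first command
    print(json.dumps(other, indent=3))  # same document as the second command
    for grant in other["Grants"]:
        gid = grant["Grantee"]["ID"]
        if is_cross_account("bob", gid):
            # Placeholders: substitute the real key and Bob's real Account ID.
            print(gid, "must set aws_access_key_id =",
                  cross_account_access_key("<ACCESS KEY>", "<BOB ACCOUNT ID>"))
```

The dictionary returned by `build_acl_policy` is what the `--access-control-policy` argument above carries as JSON (and what boto3's `put_bucket_acl(Bucket=..., AccessControlPolicy=...)` takes). Generating it from typed parts rather than hand-editing JSON makes the root-user case (`alice:alice` vs `bob:alice`) explicit and catches a malformed principal before the request is sent.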

If Alice tries to access the bucket images without appending Bob's Account ID, the following error is shown:


aws --profile alice s3api list-objects --bucket images

Error Message: 


An error occurred (NoSuchBucket) when calling the ListObjectsV2 operation: The specified bucket does not exist.

  • Granting public access to a resource

Bob has an IDrive Cloud account with the username bob, and he wants to make the bucket images publicly available. Bob should use the following command to share the resource publicly.


aws --profile bob s3api put-bucket-acl --bucket images --acl public-read

Executing the above command makes the bucket images available to all users.

Before accessing this resource, a user needs to know Bob's Account ID and append it to the access key in their configuration as shown below.


aws_access_key_id = <ACCESS KEY>:<BOB'S ACCOUNT ID>

If a user from another account, Alice, tries to access the bucket images without appending Bob's Account ID, the following error is shown:


aws --profile alice s3api list-objects --bucket images

Error Message:


An error occurred (NoSuchBucket) when calling the ListObjectsV2 operation: The specified bucket does not exist.
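A canned ACL such as public-read is easy to apply and easy to forget. The following added example (not IDrive Cloud's own code) reads an AccessControlPolicy document of the shape shown in this guide, as `aws s3api get-bucket-acl` returns it, and sorts each grant into same-account, cross-account, authenticated-users and public, so a bucket review can flag anything reaching beyond the owner's account. It assumes, as on AWS, that public-read appears as a READ grant to the AllUsers group URI; confirm that against your own get-bucket-acl output before relying on the check. The sample policies are constructed, not captured from a real bucket.

```python
"""Audit an IDrive Cloud bucket ACL for public and cross-account grants.

Added example, not IDrive Cloud's own code. Input is the AccessControlPolicy
document as returned by `aws s3api get-bucket-acl` (the same shape the guide
passes to put-bucket-acl). Assumption: a public-read canned ACL appears, as on
AWS, as a READ grant to the AllUsers group URI.
"""
import json
from typing import Dict, List

# Group URIs as used by AWS S3; assumed to be what IDrive Cloud returns too.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample ACLs (not captured from a real bucket).
SAMPLE_CROSS_ACCOUNT = {
    "Owner": {"ID": "bob:bob"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "bob:bob"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "alice:alice"}, "Permission": "FULL_CONTROL"},
    ],
}
SAMPLE_PUBLIC_READ = {
    "Owner": {"ID": "bob:bob"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "bob:bob"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}


def owner_account(policy: Dict) -> str:
    """Account name from the owner's '<account name>:<username>' ID."""
    return policy["Owner"]["ID"].split(":", 1)[0]


def audit_acl(policy: Dict) -> Dict[str, List[str]]:
    """Sort every grant into one of four lists of 'grantee -> permission':
    public (AllUsers), authenticated (AuthenticatedUsers), cross_account
    (a principal or unknown group outside the owner's account), and
    same_account (users of the owner's account, including the owner)."""
    owner = owner_account(policy)
    findings: Dict[str, List[str]] = {
        "public": [], "authenticated": [], "cross_account": [], "same_account": []}
    for grant in policy.get("Grants", []):
        grantee, perm = grant["Grantee"], grant["Permission"]
        if grantee.get("Type") == "Group":
            uri = grantee.get("URI", "")
            if uri == ALL_USERS:
                findings["public"].append(f"{uri} -> {perm}")
            elif uri == AUTH_USERS:
                findings["authenticated"].append(f"{uri} -> {perm}")
            else:  # unknown group: treat it as outside the account (worst case)
                findings["cross_account"].append(f"{uri} -> {perm}")
        else:
            gid = grantee.get("ID", "")
            key = "same_account" if gid.split(":", 1)[0] == owner else "cross_account"
            findings[key].append(f"{gid} -> {perm}")
    return findings


def is_public(policy: Dict) -> bool:
    """True when any grant goes to the AllUsers group."""
    return bool(audit_acl(policy)["public"])


def risky_grants(policy: Dict) -> List[str]:
    """Grants that reach beyond the owner's own account, public first."""
    f = audit_acl(policy)
    return f["public"] + f["authenticated"] + f["cross_account"]


if __name__ == "__main__":
    for name, acl in (("cross-account", SAMPLE_CROSS_ACCOUNT),
                      ("public-read", SAMPLE_PUBLIC_READ)):
        print(name, "-> public" if is_public(acl) else "-> not public")
        print(json.dumps(audit_acl(acl), indent=2))
```

Feed it the parsed output of `aws s3api get-bucket-acl --bucket images` for each bucket in an account; anything in `risky_grants` is a grant that another account or the public holds, which is exactly the list a periodic review of shared buckets needs.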

© 2020 IDrive Inc.