How to set a bucket's ACL on S3?

I tried a couple of things: S3Browse, the RightAws Ruby gem and other tools. All allow granting access on an individual key basis, but I wasn't able to set the ACL on buckets. Actually, I can set the ACL on the bucket and no errors are returned. But when I refresh or check in another tool, the bucket's ACL is reset to owner only.

I want to give read and write access to FlixCloud for an application I'm developing. They need the access to write the output files.

Falda answered 14/7, 2009 at 19:13

Yup, just checked it again after 10 min. ACL remains as configured. I guess this is something at your end then. Try different account/workstation.

Michaeline answered 15/7, 2009 at 13:58
Comment from Reword: Forgot to ever answer this. My problem was a script I had written which overwrote the ACL a couple of minutes later.
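PutBucketAcl replaces the whole ACL rather than adding to it, so any script that writes a canned ACL or only its own grant wipes every grant that other tools set, which is exactly what a bucket that is "reset to owner only" looks like. The example below is added here and is not code from the thread. It shows the read-modify-write pattern that avoids the problem: fetch the live ACL, merge the new grant into it, write the merged document back and re-read it to confirm the write stuck. The bucket name, the grantee e-mail address and the boto3 client passed to grant_bucket_access are assumptions; the pure functions run offline, only grant_bucket_access talks to S3.

```python
"""Add a grant to an S3 bucket ACL without clobbering the grants already on it.

Added example (not from the original thread). PutBucketAcl replaces the
entire ACL, so the safe pattern is read-modify-write. The e-mail address
and bucket name below are placeholders.
"""
import copy

# Permissions S3 accepts on a bucket ACL (object ACLs have no WRITE).
BUCKET_PERMISSIONS = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}

OWNER_ID = "0123456789abcdef"  # placeholder canonical user ID

# Constructed sample ACL in the shape boto3's get_bucket_acl returns.
SAMPLE_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID},
         "Permission": "FULL_CONTROL"},
    ],
}

# Placeholder grantee for the third-party service (assumed address).
FLIXCLOUD = {"Type": "AmazonCustomerByEmail", "EmailAddress": "s3-ingest@example.com"}


def add_grant(acl, grantee, permission):
    """Return a copy of `acl` with one grant added; existing grants are kept.

    `grantee` is a dict such as {"Type": "AmazonCustomerByEmail",
    "EmailAddress": ...} or {"Type": "CanonicalUser", "ID": ...}.
    An identical grant is not duplicated.
    """
    if permission not in BUCKET_PERMISSIONS:
        raise ValueError(f"unknown bucket permission {permission!r}")
    new_acl = copy.deepcopy(acl)
    grant = {"Grantee": grantee, "Permission": permission}
    if grant not in new_acl["Grants"]:
        new_acl["Grants"].append(grant)
    return new_acl


def grants_for(acl, key, value):
    """Sorted permissions held by the grantee whose `key` field equals `value`."""
    return sorted(
        g["Permission"] for g in acl["Grants"] if g["Grantee"].get(key) == value
    )


def grant_bucket_access(s3, bucket, grantee, permissions):
    """Read the live ACL, merge each permission in, write it back, verify.

    `s3` is a boto3 S3 client (assumed; needs credentials, so not run offline).
    PutBucketAcl requires the Owner element, so it is copied from the live ACL.
    """
    acl = s3.get_bucket_acl(Bucket=bucket)
    merged = {"Owner": acl["Owner"], "Grants": acl["Grants"]}
    for permission in permissions:
        merged = add_grant(merged, grantee, permission)
    s3.put_bucket_acl(Bucket=bucket, AccessControlPolicy=merged)

    after = s3.get_bucket_acl(Bucket=bucket)
    # S3 rewrites e-mail grantees to canonical-user IDs, so check that every
    # pre-existing grant survived and the grant count grew, not deep equality.
    lost = [g for g in acl["Grants"] if g not in after["Grants"]]
    if lost or len(after["Grants"]) < len(merged["Grants"]):
        raise RuntimeError(f"ACL write did not stick; lost grants: {lost}")
    return after


if __name__ == "__main__":
    acl = add_grant(add_grant(SAMPLE_ACL, FLIXCLOUD, "READ"), FLIXCLOUD, "WRITE")
    print(grants_for(acl, "EmailAddress", FLIXCLOUD["EmailAddress"]))  # ['READ', 'WRITE']
    print(grants_for(acl, "ID", OWNER_ID))  # ['FULL_CONTROL']
```

The re-read at the end is the check a practitioner wants when an ACL "keeps disappearing": if it passes immediately after the write but fails a few minutes later, something else is writing the ACL, and CloudTrail's PutBucketAcl events will name the caller.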

I was struggling with the ACL vs. Bucket Policy and found the following useful.

ACL

The ACL defines the permissions attached to a single file in your bucket. The Bucket Policy is a script that explains the permissions for any folder or file in a bucket. Use the bucket policies to restrict hot linking, grant or deny access to specific or all files, restrict IP address, etc.

Edit the S3 Bucket Policy

Log into Amazon Web Services, click to S3 and click on the bucket name in the left column. View the bucket Properties panel at the bottom of the page. Click the button on the lower right corner that says "Edit bucket policy". This brings up a lightbox that you can paste the policy script into. If the script fails validation it will not save.

Sample policy that enables read access to everyone (useful if the bucket is being used as a content delivery network):

{
     "Version": "2008-10-17",
     "Id": "",
     "Statement": [
          {
               "Sid": "AddPerm",
               "Effect": "Allow",
               "Principal": {
                    "AWS": "*"
               },
               "Action": "s3:GetObject",
               "Resource": "arn:aws:s3:::my_bucket_name/*"
          }
     ]
}

Sample policy to prevent unauthorized hotlinking (third party sites linking to it) but allow anybody to download the files:

{
    "Version": "2008-10-17",
    "Id": "preventHotLinking",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::your.bucket.name/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://yourwebsitename.com/*",
                        "http://www.yourwebsitename.com/*"
                    ]
                }
            }
        }
    ]
}

Generate a Policy

http://awspolicygen.s3.amazonaws.com/policygen.html

Sample Bucket Policies

http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?AccessPolicyLanguage_UseCases_s3_a.html

Exactitude answered 23/9, 2011 at 14:34
Comment from Caudle: Bucket policies are great, one caveat... They only work for objects owned by the bucket's owner. So if your content ends up in your bucket through a user account other than the bucket owner, you need to use ACLs or copy/paste the object in the bucket as owner to reset the owner.
Comment from Exactitude: Thanks for the tip Steve, I didn't know about the object owner caveat.
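Before shipping either policy it is worth checking what it actually decides for the requests you care about. The example below is added here and is not part of the answer above; it implements just enough of the IAM evaluation rules (an explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny) and the StringEquals/StringLike operators to run the "preventHotLinking" policy against constructed requests. Two results matter: a request that sends no Referer header at all (a direct link, curl, most download managers) is denied because the only statement is an Allow with a condition that cannot match, and a request that forges the Referer is allowed, since that header is chosen by the client. An https referer is also denied, because the patterns only list http. The sample requests, the anonymous principal and the key names are constructed for the example.

```python
"""Evaluate the answer's hotlink bucket policy against sample requests.

Added example, not from the original answer. Implements a small subset of
IAM policy evaluation: Principal/Action/Resource matching with * and ?
wildcards, StringEquals/StringLike conditions, explicit Deny wins, and
implicit deny when nothing matches. Requests below are constructed.
"""
import re

# The "preventHotLinking" policy from the answer, as a Python dict.
HOTLINK_POLICY = {
    "Version": "2008-10-17",
    "Id": "preventHotLinking",
    "Statement": [{
        "Sid": "1",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::your.bucket.name/*",
        "Condition": {"StringLike": {"aws:Referer": [
            "http://yourwebsitename.com/*",
            "http://www.yourwebsitename.com/*",
        ]}},
    }],
}


def string_like(pattern, value):
    """IAM StringLike: case-sensitive, * matches any run, ? matches one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


OPERATORS = {"StringEquals": lambda p, v: p == v, "StringLike": string_like}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def condition_matches(condition, context):
    """Every block must hold; within a block any listed value may match.
    A key missing from the request context fails these positive operators."""
    for operator, pairs in condition.items():
        test = OPERATORS[operator]
        for key, patterns in pairs.items():
            value = context.get(key)
            if value is None or not any(test(p, value) for p in _as_list(patterns)):
                return False
    return True


def statement_applies(stmt, request):
    principal = stmt.get("Principal", "*")
    principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    if not any(p == "*" or p == request["principal"] for p in principals):
        return False
    if not any(string_like(a, request["action"]) for a in _as_list(stmt["Action"])):
        return False
    if not any(string_like(r, request["resource"]) for r in _as_list(stmt["Resource"])):
        return False
    return condition_matches(stmt.get("Condition", {}), request.get("context", {}))


def evaluate(policy, request):
    """Return "Allow" or "Deny" for one request under one bucket policy."""
    decision = "Deny"  # implicit deny
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, request):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def request(action, key, referer=None, principal="anonymous"):
    """Constructed request: an S3 action on one key in your.bucket.name."""
    ctx = {} if referer is None else {"aws:Referer": referer}
    return {"principal": principal, "action": action,
            "resource": f"arn:aws:s3:::your.bucket.name/{key}", "context": ctx}


def hotlink_decisions():
    """The cases to check before trusting aws:Referer as a hotlink control."""
    get = lambda ref=None: evaluate(HOTLINK_POLICY, request("s3:GetObject", "img/a.jpg", ref))
    return {
        "own site": get("http://www.yourwebsitename.com/gallery"),
        "third party": get("http://other.example/page"),
        "no referer": get(),                                  # direct link, curl
        "forged referer": get("http://yourwebsitename.com/"),  # curl -H 'Referer: ...'
        "https site": get("https://yourwebsitename.com/"),     # not in the pattern list
        "upload": evaluate(HOTLINK_POLICY, request("s3:PutObject", "img/a.jpg",
                                                   "http://yourwebsitename.com/")),
    }


if __name__ == "__main__":
    for case, decision in hotlink_decisions().items():
        print(f"{case:15} {decision}")
```

The "forged referer" row is the point to take away: aws:Referer only stops casual hotlinking by browsers, never a deliberate downloader, and anyone who needs a real control should front the bucket with signed URLs or CloudFront origin access. The "no referer" and "https site" rows are the rows that break legitimate users, so add those patterns (or a second statement) if you adopt this policy.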

I have just double checked that for you - S3fm was able to change the ACL successfully. I used their email [email protected] as userid. You can see the user in the list afterwards as flixclouds3.

Michaeline answered 15/7, 2009 at 3:36
Comment from Reword: Did you check the ACL after 1 or 2 minutes? On my end, the ACL is always reset to owner only.