Manage ACL for Buckets

You can manage ACL permission for buckets through the DCD, IONOS S3 Object Storage API, or the CLI.

Note: Due to the granularity limitations and the complexity of managing permissions across a large scale of resources and users, we recommend using Bucket Policy instead of ACLs.

ACL permission for buckets

The following table shows the ACL permissions that you can configure for buckets in the IONOS S3 Object Storage:

Grantee

Console permission

ACL permission

Access granted

Specific or all users of another contract

Objects - Read

READ

Allows grantee to list the objects in the bucket. With this permissions, you cannot read the object data and its metadata.

Specific or all users of another contract

Objects - Write

WRITE

Allows grantees to create new objects in the bucket. For the bucket and object owners of existing objects, it also allows deletions and overwrites of those objects.

Specific or all users of another contract

Bucket ACL - Read

READ_ACP

Grants the ability to read the ACL of the bucket.

Specific or all users of another contract

Bucket ACL - Write

WRITE_ACP

Allows the grantee to write the ACL of the bucket.

Group: All users

Objects - Read

READ

Allows anyone to list the objects in the bucket. With this permission, you cannot read the object data and metadata.

Group: All users

Bucket ACL - Read

READ_ACP

Grants public read access for the bucket ACL. Anyone can access the bucket ACL.

Group: Authenticated users

Objects - Read

READ

Allows anyone with an IONOS account to list the objects in the bucket. With this permssion, you cannot read the object data and its metadata.

Group: Authenticated users

Bucket ACL - Read

READ_ACP

Grants read access to bucket ACL to anyone with an IONOS account.

Note: For security, granting some of the access permissions such as Public access WRITE, Public access WRITE_ACP, Authenticated users WRITE, Authenticated users WRITE_ACP is possible only through an API Call.

DCD

To manage ACL for buckets using the DCD, follow these steps:

Prerequisites:

— Make sure the user ID of the grantee is known. For more information, see Retrieve User ID.

— The grantee should already exist. If not, create a user and retrieve the Canonical User ID by following the steps in Retrieve the user ID of a new user.

1. In the DCD, go to Menu > Storage > IONOS S3 Object Storage.

2. From the drop-down list in the Buckets tab, choose either Show user-owned buckets or Show contract-owned buckets depending on the bucket type you want to view.

3. From the Buckets list, choose the bucket to which you want to manage the ACL.

4. Click Bucket settings and choose the Access Control List (ACL) under the Access management section.

5. Depending on the Bucket Types, manage the access permissions as follows:

  • Select the checkboxes against the access permissions to grant at each user level such as specific or all users of another contract, all users of a group, and authenticated users of a group. For more information, see ACL permission for buckets.

  • Add grantees to provide additional users with access permission to the contract-owned bucket.

    • In the Additional Grantees section, enter the retrieved Contract Number of the grantee.

    • Select the checkboxes on the bucket ACL permissions to grant, and click Add.

6. Click Save to apply ACL permissions and add the grantee to the bucket.

Result: The ACL permissions are successfully applied on the bucket.

Note: Granting access to a bucket for another IONOS user does not make the bucket appear in the user's Object Storage in the DCD due to the S3 protocol's architecture. To access the bucket, the user must utilize other S3 Tools as the granted access does not translate to interface visibility.

IONOS S3 Object Storage API

Use the API to manage bucket ACL permissions.

CLI

Use CLI to manage ACL permission for buckets.

Last updated

Revision created

commented latest release