ACL for Buckets

This document provides instructions for managing ACLs for buckets using the AWS CLI command-line tool. These tasks can also be performed using the web console and the IONOS S3 Object Storage API.

Prerequisites:

Use the following keys to define access permissions:

  • --grant-read: Grants read-only access.

  • --grant-write: Grants write-only access.

  • --grant-read-acp: Grants permission to read the Access Control List.

  • --grant-write-acp: Grants permission to modify the Access Control List.

  • --grant-full-control: Grants full access, encompassing the permissions listed above (read, write, read ACL, and write ACL).

Note: Granting access to a bucket for another IONOS user does not make the bucket appear in the user's S3 web console due to the S3 protocol's architecture. To access the bucket, the user must utilize other S3 Tools, as the granted access does not translate to interface visibility.

Grant access permission to another user

To grant full control of my-bucket to a user with a specific Canonical user ID:

aws s3api put-bucket-acl --bucket MY-BUCKET --grant-full-control id=CANONICAL_USER_ID --endpoint-url https://s3-eu-central-2.ionoscloud.com

To grant full control of my-bucket to multiple users, specify each Canonical user ID and separate the grants with a comma:

aws s3api put-bucket-acl --bucket MY-BUCKET --grant-full-control id=CANONICAL_USER_ID_1,id=CANONICAL_USER_ID_2 --endpoint-url https://s3-eu-central-2.ionoscloud.com

To grant full control of my-bucket by using an email address instead of Canonical User ID:

aws s3api put-bucket-acl --bucket MY-BUCKET --grant-full-control emailaddress=some@email.com --endpoint-url https://s3-eu-central-2.ionoscloud.com

Retrieve the ACL of a bucket and save it to the file acl.json:

aws s3api get-bucket-acl --bucket MY-BUCKET --endpoint-url https://s3-eu-central-2.ionoscloud.com > acl.json

Edit the file, for example to remove or add grants, and then apply the updated ACL to the bucket:

aws s3api put-bucket-acl --bucket MY-BUCKET --access-control-policy file://acl.json --endpoint-url https://s3-eu-central-2.ionoscloud.com
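Before re-applying an edited acl.json, it helps to check what the file actually grants. The following is an added example, not part of the IONOS documentation: it audits a document in the shape returned by get-bucket-acl for public, authenticated-users and unlisted grantees, and can strip the public grants. It assumes the service reports the standard S3 predefined group URIs; the sample ACL and all IDs in it are constructed placeholders.

```python
# Standard S3 predefined group URIs (assumption: the service reports these).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"
ACL_CONTROL = {"WRITE_ACP", "FULL_CONTROL"}  # permissions that can rewrite the ACL

def audit_acl(acl, trusted_ids=()):
    """Return (severity, message) findings for a get-bucket-acl document."""
    allowed = (set(trusted_ids) | {acl.get("Owner", {}).get("ID")}) - {None}
    findings = []
    for grant in acl.get("Grants", []):
        grantee, perm = grant.get("Grantee", {}), grant.get("Permission")
        if grantee.get("Type") == "Group":
            uri = grantee.get("URI")
            if uri == ALL_USERS:
                findings.append(("HIGH", f"public grant {perm} to AllUsers"))
            elif uri == AUTH_USERS:
                findings.append(("HIGH", f"{perm} granted to all authenticated users"))
            elif uri != LOG_DELIVERY or perm not in {"WRITE", "READ_ACP"}:
                findings.append(("MEDIUM", f"unexpected group grant {perm} to {uri}"))
            continue
        who = grantee.get("ID") or grantee.get("EmailAddress")
        if who not in allowed:
            sev = "HIGH" if perm in ACL_CONTROL else "MEDIUM"
            findings.append((sev, f"{perm} granted to unlisted grantee {who}"))
    return findings

def strip_public_grants(acl):
    """Return a copy of the ACL without AllUsers / AuthenticatedUsers grants."""
    kept = [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") not in (ALL_USERS, AUTH_USERS)]
    return {"Owner": acl["Owner"], "Grants": kept}

def user(uid, perm):  # helper for the constructed sample below
    return {"Grantee": {"Type": "CanonicalUser", "ID": uid}, "Permission": perm}
# Constructed sample in the shape of acl.json; all IDs are placeholders.
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER_ID_PLACEHOLDER"},
    "Grants": [
        user("OWNER_ID_PLACEHOLDER", "FULL_CONTROL"),
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        user("UNKNOWN_ID_PLACEHOLDER", "WRITE_ACP"),
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for severity, message in audit_acl(SAMPLE_ACL):
        print(severity, message)
```

To use it on a real bucket, load acl.json with json.load, pass the Canonical user IDs you expect as trusted_ids, and write the reviewed result back to acl.json before running the put-bucket-acl command above.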

Use the following values for the --acl key:

  • private removes public access.

  • public-read allows public read-only access.

  • public-read-write allows public read/write access.

  • authenticated-read allows read-only access to all authenticated users of IONOS S3 Object Storage (including users outside your contract).

Public access

To allow public read-only access to the bucket:

aws s3api put-bucket-acl --bucket MY-BUCKET --acl public-read --endpoint-url https://s3-eu-central-2.ionoscloud.com

To remove public access to the bucket:

aws s3api put-bucket-acl --bucket MY-BUCKET --acl private --endpoint-url https://s3-eu-central-2.ionoscloud.com

Grant access permission to Log Delivery Group

To set the WRITE and READ_ACP permissions for the Log Delivery Group, which is required before enabling the Logging feature for a bucket:

aws s3api put-bucket-acl --bucket MY-BUCKET --acl log-delivery-write --endpoint-url https://s3-eu-central-2.ionoscloud.com
