An Access Control List (ACL) is a mechanism that defines who can access or modify specific resources, such as buckets and objects. ACLs allow resource owners to grant varying levels of permissions such as read, write, or full control to different users or groups.
Note: ACLs are supported for both contract-owned buckets and user-owned buckets. For contract-owned buckets, access can be shared only with grantees from other contracts. For more information, see Bucket Types.
Note: Due to the granularity limitations and the complexity of managing permissions across a large scale of resources and users, we recommend using Bucket Policy instead of ACLs.
You can use ACLs to make a bucket or object public, or to share access with specific authorized users, by setting the appropriate permissions. IONOS Object Storage lets you manage ACLs through the DCD, the IONOS Object Storage API, and the CLI.
The feature is available in the IONOS Object Storage Service Availability regions and supports both contract-owned buckets and user-owned buckets.
Use Bucket Policy instead of ACLs; it offers the following additional capabilities:
— Manage access to prefixes such as /folder/* or *.jpg.
— Use conditions to grant access, for example, by source IP address.
— Allow or deny specific actions, such as listing the objects in a bucket.
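The three capabilities above are easiest to see in an actual policy document. The following is an added example, not IONOS code: it builds the bucket policy that replaces a bucket-level ACL READ grant (which always exposes the whole object list) with a grant limited to one canonical user, one prefix and one source network. The bucket name, canonical user ID and CIDR are placeholders, and the `CanonicalUser` principal form is the generic S3 policy syntax; confirm the principal format that IONOS Bucket Policy accepts before applying the output.

```python
"""Build a bucket policy scoped to a prefix, a principal and a source network.

Added example for this page; not IONOS code. IDs, bucket name and CIDR are
placeholders. The principal uses the generic S3 "CanonicalUser" form; the
principal format accepted by IONOS Bucket Policy is an assumption here.
"""
import ipaddress
import json


def canonical_user_principal(canonical_user_id):
    """One place to adjust if the service expects a different principal form."""
    return {"CanonicalUser": canonical_user_id}


def build_prefix_read_policy(bucket, canonical_user_id, prefix, source_cidr):
    """Return a policy dict allowing list + get under `prefix` from `source_cidr`.

    Two statements are needed because s3:ListBucket is a bucket-level action
    (scoped with the s3:prefix condition key), while s3:GetObject is scoped by
    the object ARN itself. An ACL READ on the bucket cannot do either.
    """
    if not prefix.endswith("/"):
        raise ValueError("prefix should name a folder, for example 'reports/'")
    # Validates the CIDR; a bare host address becomes a /32 or /128 network.
    cidr = str(ipaddress.ip_network(source_cidr, strict=True))
    principal = canonical_user_principal(canonical_user_id)
    ip_condition = {"IpAddress": {"aws:SourceIp": cidr}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOnlyThePrefix",
                "Effect": "Allow",
                "Principal": principal,
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {**ip_condition, "StringLike": {"s3:prefix": f"{prefix}*"}},
            },
            {
                "Sid": "ReadObjectsUnderPrefix",
                "Effect": "Allow",
                "Principal": principal,
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
                "Condition": ip_condition,
            },
        ],
    }


def policy_json(policy):
    """Serialize for PutBucketPolicy (PUT /<bucket>?policy)."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = build_prefix_read_policy(
        "example-bucket",                        # placeholder bucket
        "0123456789abcdef0123456789abcdef",      # placeholder canonical user ID
        "reports/",
        "203.0.113.0/24",                        # documentation range, placeholder
    )
    print(policy_json(policy))
```

Note what the policy deliberately leaves out: no s3:PutObject or s3:DeleteObject, so the grantee can read but not change data, and no wildcard principal, so the bucket does not become public. Both are exactly the distinctions a bucket ACL cannot express.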
We recommend using Share Objects with Pre-Signed URLs instead of ACLs to grant temporary access to authorized users: the URL is valid for a specified period, after which it expires.
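To show what "expires" means in a pre-signed URL, the following added example (not IONOS code or an IONOS library call) generates one with S3 Signature Version 4 query-string authentication using only the Python standard library. The endpoint, region, bucket, key and credentials are placeholders; take the real endpoint and region pair from the IONOS Object Storage endpoint list for your bucket's location.

```python
"""Create a pre-signed GET URL for one object using S3 Signature Version 4
query-string authentication, so the holder can download that object only
until the URL expires.

Added example for this page; not IONOS code. Endpoint, region, bucket, key
and credentials below are placeholders.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

MAX_EXPIRES = 7 * 24 * 3600  # SigV4 pre-signed URLs may live at most 7 days

# Fixed timestamp so the example output is reproducible; real callers pass now=None.
EXAMPLE_TIME = dt.datetime(2024, 1, 15, 12, 0, 0, tzinfo=dt.timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, datestamp: str, region: str) -> bytes:
    """Derive the per-day, per-region key: HMAC chain over date, region, service."""
    key = _hmac(("AWS4" + secret_key).encode("utf-8"), datestamp)
    key = _hmac(key, region)
    key = _hmac(key, "s3")
    return _hmac(key, "aws4_request")


def presign_get(bucket, key, access_key, secret_key, region, endpoint,
                expires_in, now=None):
    """Return https://<bucket>.<endpoint>/<key>?X-Amz-...&X-Amz-Signature=...

    The expiry, date and credential scope are all part of the signed query
    string, so editing X-Amz-Expires in the URL invalidates the signature.
    """
    if not 1 <= expires_in <= MAX_EXPIRES:
        raise ValueError(f"expires_in must be 1..{MAX_EXPIRES} seconds")
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    scope = f"{datestamp}/{region}/s3/aws4_request"
    host = f"{bucket}.{endpoint}"                    # virtual-hosted style
    canonical_uri = "/" + quote(key, safe="/~")      # encode each path segment once
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(
        f"{quote(k, safe='~')}={quote(v, safe='~')}" for k, v in sorted(params.items())
    )
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_query,
        f"host:{host}\n",     # canonical headers block, each line newline-terminated
        "host",               # signed headers list
        "UNSIGNED-PAYLOAD",   # query-string auth does not hash a body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        _signing_key(secret_key, datestamp, region),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def signature_of(url: str) -> str:
    """Extract the X-Amz-Signature value from a URL produced by presign_get."""
    return url.rsplit("X-Amz-Signature=", 1)[1]


if __name__ == "__main__":
    print(presign_get("example-bucket", "reports/q4.pdf", "AKIAEXAMPLE",
                      "placeholder-secret-key", "eu-central-1",
                      "s3.eu-central-1.example.invalid", 3600, now=EXAMPLE_TIME))
```

Anyone holding the URL can download the object until X-Amz-Expires seconds after X-Amz-Date, with no login and no ACL entry, so treat it as a bearer token: keep lifetimes short, send it only over TLS, and remember that a URL cannot be revoked early except by rotating the access key that signed it.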
If you have defined ACLs granting public access, enabling Block Public Access revokes these permissions so that your data remains private. Use it when data privacy is paramount or when you want to enforce a blanket no-public-access rule, regardless of the ACL settings. Currently, Block Public Access is available only via the IONOS Object Storage API.
You can manage ACL permission for buckets through the DCD, IONOS Object Storage API, or the CLI.
Note: Due to the granularity limitations and the complexity of managing permissions across a large scale of resources and users, we recommend using Bucket Policy instead of ACLs.
The following table shows the ACL permissions that you can configure for buckets in the IONOS Object Storage:
Note: For security, some access permissions, namely Public access WRITE, Public access WRITE_ACP, Authenticated users WRITE, and Authenticated users WRITE_ACP, can be granted only through an API call.
To manage ACL for buckets using the DCD, follow these steps:
Prerequisites:
— Make sure the user ID of the grantee is known. For more information, see Retrieve User ID.
— The grantee should already exist. If not, create a user and retrieve the Canonical User ID by following the steps in Retrieve the user ID of a new user.
1. In the DCD, go to Menu > Storage > IONOS Object Storage.
2. From the drop-down list in the Buckets tab, choose either Show user-owned buckets or Show contract-owned buckets depending on the bucket type you want to view.
3. From the Buckets list, choose the bucket to which you want to manage the ACL.
4. Click Bucket settings and choose the Access Control List (ACL) under the Access management section.
5. Depending on the Bucket Types, manage the access permissions as follows:
For contract-owned buckets:
— Select the checkboxes against the access permissions to grant at each user level, such as specific or all users of another contract, all users of a group, and authenticated users of a group. For more information, see ACL permission for buckets.
— To give additional users access to the contract-owned bucket, add grantees: in the Additional Grantees section, enter the retrieved Contract Number of the grantee, select the checkboxes for the bucket ACL permissions to grant, and click Add.
For user-owned buckets:
— Select the checkboxes against the access permissions to grant at each user level, such as users, all users of a group, authenticated users of a group, and Log Delivery Group. For more information, see ACL permission for buckets.
— To give additional users access to the user-owned bucket, add grantees: in the Additional Grantees section, enter the retrieved Canonical user ID of the grantee, select the checkboxes for the bucket ACL permissions to grant, and click Add.
6. Click Save to apply ACL permissions and add the grantee to the bucket.
Result: The ACL permissions are successfully applied on the bucket.
Note: Granting another IONOS user access to a bucket does not make the bucket appear in that user's Object Storage view in the DCD; this is a consequence of the S3 protocol's design. The user must access the bucket with other S3 tools, as the granted access does not translate to interface visibility.
Use the API to manage bucket ACL permissions.
Use CLI to manage ACL permission for buckets.
You can manage ACL permission for objects through the DCD, IONOS Object Storage API, or the CLI.
Note: Due to the granularity limitations and the complexity of managing permissions across a large scale of resources and users, we recommend using Bucket Policy instead of ACLs.
The following table shows the ACL permissions that you can configure for objects in a bucket in the IONOS Object Storage:
These permissions apply to individual objects, giving fine-grained access control.
Note: For security, some access permissions, namely Public access WRITE_ACP and Authenticated users WRITE_ACP, can be granted only through an API call.
To manage ACL for objects using the DCD, follow these steps:
Prerequisites:
— Make sure the user ID of the grantee is known. For more information, see Retrieve User ID.
— The grantee should already exist. If not, create a user and retrieve the Canonical User ID by following the steps in Retrieve the user ID of a new user.
1. In the DCD, go to Menu > Storage > IONOS Object Storage.
2. From the drop-down list in the Buckets tab, choose either Show user-owned buckets or Show contract-owned buckets, depending on the bucket type you want to view.
3. From the Buckets list, choose the bucket under which the object ACL to be modified exists.
4. From the Objects list, choose the object for which ACL permissions must be modified.
5. From the Object Settings, go to the Access Control List (ACL).
6. Depending on the Bucket Types, manage the object access permissions as follows:
For contract-owned buckets:
— Select the checkboxes against the access permissions to grant at each user level, such as specific or all users of another contract, all users of a group, and authenticated users of a group. For more information, see ACL permission for objects.
— To give additional users access to the contract-owned bucket's objects, add grantees: in the Additional Grantees section, enter the retrieved Contract Number of the grantee, select the checkboxes for the object ACL permissions to grant, and click Add.
For user-owned buckets:
— Select the checkboxes against the access permissions to grant at each user level, such as users, all users of a group, and authenticated users of a group. For more information, see ACL permission for objects.
— To give additional users access to the user-owned bucket's objects, add grantees: in the Additional Grantees section, enter the retrieved Canonical user ID of the grantee, select the checkboxes for the object ACL permissions to grant, and click Add.
7. Click Save to apply the ACL permissions and add the grantee to the object.
Result: The object ACL permissions are applied to the object.
Use the API to manage object ACL permissions.
Use the CLI to manage ACL permissions for objects.
Bucket ACL permissions for contract-owned buckets:
| Grantee | Console permission | ACL permission | Access granted |
| --- | --- | --- | --- |
| Specific or all users of another contract | Objects - Read | READ | Allows the grantee to list the objects in the bucket. This permission does not allow reading the object data or its metadata. |
| Specific or all users of another contract | Objects - Write | WRITE | Allows the grantee to create new objects in the bucket. For the bucket owner and the owners of existing objects, it also allows deletions and overwrites of those objects. |
| Specific or all users of another contract | Bucket ACL - Read | READ_ACP | Allows the grantee to read the ACL of the bucket. |
| Specific or all users of another contract | Bucket ACL - Write | WRITE_ACP | Allows the grantee to write the ACL of the bucket. |
| Group: All users | Objects - Read | READ | Allows anyone to list the objects in the bucket. This permission does not allow reading the object data or its metadata. |
| Group: All users | Bucket ACL - Read | READ_ACP | Grants public read access to the bucket ACL: anyone can read it. |
| Group: Authenticated users | Objects - Read | READ | Allows anyone with an IONOS account to list the objects in the bucket. This permission does not allow reading the object data or its metadata. |
| Group: Authenticated users | Bucket ACL - Read | READ_ACP | Grants read access to the bucket ACL to anyone with an IONOS account. |
Bucket ACL permissions for user-owned buckets:
| Grantee | Console permission | ACL permission | Access granted |
| --- | --- | --- | --- |
| User | Objects - Read | READ | Allows the grantee to list the objects in the bucket. This permission does not allow reading the object data or its metadata. |
| User | Objects - Write | WRITE | Allows the grantee to create new objects in the bucket. For the bucket owner and the owners of existing objects, it also allows deletions and overwrites of those objects. |
| User | Bucket ACL - Read | READ_ACP | Allows the grantee to read the ACL of the bucket. |
| User | Bucket ACL - Write | WRITE_ACP | Allows the grantee to write the ACL of the bucket. |
| Group: All users | Objects - Read | READ | Allows anyone to list the objects in the bucket. This permission does not allow reading the object data or its metadata. |
| Group: All users | Bucket ACL - Read | READ_ACP | Grants public read access to the bucket ACL: anyone can read it. |
| Group: Authenticated users | Objects - Read | READ | Allows anyone with an IONOS account to list the objects in the bucket. This permission does not allow reading the object data or its metadata. |
| Group: Authenticated users | Bucket ACL - Read | READ_ACP | Grants read access to the bucket ACL to anyone with an IONOS account. |
| Log Delivery Group | Objects - Write | WRITE | Enables the group to write server access logs to the bucket. |
Object ACL permissions in contract-owned buckets:
| Grantee | Console permission | ACL permission | Access granted |
| --- | --- | --- | --- |
| Specific or all users of another contract | Objects - Read | READ | Allows the grantee to read the object data and its metadata. |
| Specific or all users of another contract | Object ACL - Read | READ_ACP | Allows the grantee to read the object ACL. |
| Specific or all users of another contract | Object ACL - Write | WRITE_ACP | Allows the grantee to write the ACL of the applicable object. |
| Group: All users | Objects - Read | READ | Allows anyone to read the object data and its metadata. |
| Group: All users | Object ACL - Read | READ_ACP | Allows anyone to read the object ACL. |
| Group: Authenticated users | Objects - Read | READ | Allows anyone with an IONOS account to read the object data and its metadata. |
| Group: Authenticated users | Object ACL - Read | READ_ACP | Grants read access to the object ACL to anyone with an IONOS account. |
Object ACL permissions in user-owned buckets:
| Grantee | Console permission | ACL permission | Access granted |
| --- | --- | --- | --- |
| User | Objects - Read | READ | Allows the grantee to read the object data and its metadata. |
| User | Object ACL - Read | READ_ACP | Allows the grantee to read the object ACL. |
| User | Object ACL - Write | WRITE_ACP | Allows the grantee to write the ACL of the applicable object. |
| Group: All users | Objects - Read | READ | Allows anyone to read the object data and its metadata. |
| Group: All users | Object ACL - Read | READ_ACP | Allows anyone to read the object ACL. |
| Group: Authenticated users | Objects - Read | READ | Allows anyone with an IONOS account to read the object data and its metadata. |
| Group: Authenticated users | Object ACL - Read | READ_ACP | Grants read access to the object ACL to anyone with an IONOS account. |
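The permission tables above describe grants by grantee name; on the wire, the API returns the same information as an S3-style AccessControlPolicy XML document, with the group grantees identified by URI. The following added example (not IONOS code) parses that document and flags the grants a reviewer would want to see first: anything to the All users or Authenticated users groups, WRITE or WRITE_ACP to a non-owner, and the Log Delivery Group WRITE that access logging legitimately needs. The sample ACL is constructed for the example and its canonical user IDs are placeholders.

```python
"""Audit an S3-style ACL document, the XML returned by GetBucketAcl
(GET /<bucket>?acl) or GetObjectAcl (GET /<bucket>/<key>?acl), for grants
that expose the resource more widely than intended.

Added example for this page; not IONOS code. The sample ACL below is
constructed for the example and its canonical user IDs are placeholders.
"""
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Group grantee URIs of the S3 ACL model, with the names the DCD tables use.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"            # "All users" (public)
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"  # "Authenticated users"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"           # "Log Delivery Group"

# Permissions that grant more than read access. WRITE_ACP on a bucket lets
# the grantee rewrite the ACL, so it is effectively full control.
MUTATING = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}


def parse_grants(acl_xml):
    """Return (owner_id, [(grantee_type, grantee_id_or_uri, permission), ...])."""
    root = ET.fromstring(acl_xml)
    owner_id = root.findtext(f"{S3_NS}Owner/{S3_NS}ID")
    grants = []
    for grant in root.iter(f"{S3_NS}Grant"):
        grantee = grant.find(f"{S3_NS}Grantee")
        grantee_type = grantee.get(XSI_TYPE)          # "CanonicalUser" or "Group"
        if grantee_type == "Group":
            ident = grantee.findtext(f"{S3_NS}URI")
        else:
            ident = grantee.findtext(f"{S3_NS}ID")
        grants.append((grantee_type, ident, grant.findtext(f"{S3_NS}Permission")))
    return owner_id, grants


def audit_acl(acl_xml):
    """Return (severity, message) findings, most severe first."""
    owner_id, grants = parse_grants(acl_xml)
    findings = []
    for grantee_type, ident, perm in grants:
        if grantee_type == "Group":
            if ident == ALL_USERS:
                findings.append(("HIGH", f"public (All users) grant: {perm}"))
            elif ident == AUTH_USERS:
                findings.append(("HIGH", f"any IONOS account (Authenticated users) grant: {perm}"))
            elif ident == LOG_DELIVERY and perm == "WRITE":
                findings.append(("INFO", "Log Delivery Group has WRITE (expected for server access logging)"))
            else:
                findings.append(("MEDIUM", f"unexpected group grant {ident}: {perm}"))
        elif ident != owner_id:                        # the owner's own grant is normal
            severity = "MEDIUM" if perm in MUTATING else "LOW"
            findings.append((severity, f"user {ident} has {perm}"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


def is_public(acl_xml):
    """True if any grant goes to All users, the case Block Public Access revokes."""
    _, grants = parse_grants(acl_xml)
    return any(t == "Group" and ident == ALL_USERS for t, ident, _ in grants)


# Constructed sample: owner with FULL_CONTROL, a second user with WRITE_ACP,
# a public READ grant, and the Log Delivery Group WRITE used by access logging.
SAMPLE_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>0123456789abcdef0123456789abcdef</ID></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>0123456789abcdef0123456789abcdef</ID>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>fedcba9876543210fedcba9876543210</ID>
      </Grantee>
      <Permission>WRITE_ACP</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/s3/LogDelivery</URI>
      </Grantee>
      <Permission>WRITE</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
"""

if __name__ == "__main__":
    for severity, message in audit_acl(SAMPLE_ACL):
        print(f"[{severity}] {message}")
```

Run this over the output of `GET /<bucket>?acl` for every bucket, and over `?acl` for objects in buckets that serve public content, before relying on ACLs alone; a public READ on a bucket exposes the full object list even when each object is private, and a WRITE_ACP grant to a second user means that user can grant anything further without the owner's involvement.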