# ACL for Buckets

This document provides instructions to [<mark style="color:blue;">Manage ACL for Buckets</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/settings/access-control-list/access-control-list-buckets) using the AWS CLI. Additionally, these tasks can also be performed using the [<mark style="color:blue;">DCD</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/settings/access-control-list/access-control-list-buckets#dcd) and [<code class="expression">API</code>](https://docs.ionos.com/sections-test/guides/storage-and-backup/settings/access-control-list/access-control-list-buckets#api)<code class="expression">.</code>

{% hint style="info" %}
**Prerequisites:**

* Set up the AWS CLI by following the [<mark style="color:blue;">installation instructions</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/s3-tools/awscli/awscli-configure).
* Make sure to consider the supported [<mark style="color:blue;">Endpoints</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/endpoints).
  {% endhint %}

Use the following keys to define access permissions:

* `--grant-read`: Grants read-only access.
* `--grant-write`: Grants write-only access.
* `--grant-read-acp`: Grants permission to read the Access Control List.
* `--grant-write-acp`: Grants permission to modify the Access Control List.
* `--grant-full-control`: Grants full access, encompassing the permissions listed above (read, write, read ACL, and write ACL).

{% hint style="info" %}
**Note:** Granting access to a bucket for another IONOS user does not make the bucket appear in the user's Object Storage in the DCD due to the S3 protocol's architecture. To access the bucket, the user must utilize other [<mark style="color:blue;">S3 Tools</mark>](https://docs.ionos.com/sections-test/guides/storage-and-backup/ionos-object-storage/s3-tools), as the granted access does not translate to interface visibility.
{% endhint %}

### Grant access permission to another user

Grant full control of `my-bucket` to a user with a specific Canonical user ID:

```
aws s3api put-bucket-acl --bucket MY-BUCKET --grant-full-control id=CANONICAL_USER_ID --endpoint-url https://s3.eu-central-2.ionoscloud.com

```

Separate grants with a comma if you want to specify multiple Canonical user IDs:

```
aws s3api put-bucket-acl --bucket MY-BUCKET --grant-full-control id=CANONICAL_USER_ID_1,id=CANONICAL_USER_ID_2 --endpoint-url https://s3.eu-central-2.ionoscloud.com
```

Grant full control of `my-bucket` to multiple users using their Canonical user IDs:

```
aws s3api put-bucket-acl --bucket MY-BUCKET --grant-full-control id=CANONICAL_USER_ID_1,id=CANONICAL_USER_ID_2 --endpoint-url https://s3.eu-central-2.ionoscloud.com
```

Grant full control of `my-bucket` by using an `email address` instead of a Canonical User ID:

```
aws s3api put-bucket-acl --bucket MY-BUCKET --grant-full-control emailaddress=some@email.com --endpoint-url https://s3.eu-central-2.ionoscloud.com
```

Retrieve the ACL of a bucket and save it to the file `acl.json`:

```
aws s3api get-bucket-acl --bucket MY-BUCKET --endpoint-url https://s3.eu-central-2.ionoscloud.com > acl.json
```

Edit the file. For example, remove or add some grants and apply the updated ACL to the bucket:

```
aws s3api put-bucket-acl --bucket MY-BUCKET --access-control-policy file://acl.json --endpoint-url https://s3.eu-central-2.ionoscloud.com

```

Use the following values for the `--acl` key:

* `private` removes public access.
* `public-read` allows public read-only access.
* `public-read-write` allows public read/write access.
* `authenticated-read` allows read-only access to all authenticated users of IONOS Object storage (including ones out of your contract).

### Public access

Allow public read-only access to the bucket:

```
aws s3api put-bucket-acl --bucket MY-BUCKET --acl public-read --endpoint-url https://s3.eu-central-2.ionoscloud.com
```

Remove public access to the bucket:

```
aws s3api put-bucket-acl --bucket MY-BUCKET --acl private --endpoint-url https://s3.eu-central-2.ionoscloud.com
```

### Grant access permission to Log Delivery Group

Set `WRITE` and `READ_ACP` permissions for the Log Delivery Group, which is required before enabling the Logging feature for a bucket:

```
aws s3api put-bucket-acl --bucket MY-BUCKET --acl log-delivery-write --endpoint-url https://s3.eu-central-2.ionoscloud.com
```