Define access and permissions using ACLs (Access Control Lists)

Access Control Lists (ACLs) are a method of defining access to Object Storage resources. You can apply ACLs to both buckets and objects, giving users access and controlling their permission level. There are two generalized modes of access: setting buckets and/or objects to be private or public. A few other more granular settings are also available; Cloud Manager and s3cmd sections provide information on these respective settings.

ACLs in Cloud Manager

Granular permissions for Cloud Manager

LevelPermissionDescription
BucketPrivateOnly you can list, create, overwrite, and delete Objects in this Bucket. Default
BucketAuthenticated ReadAll authenticated Object Storage users can list Objects in this Bucket, but only you can create, overwrite, and delete them.
BucketPublic ReadEveryone can list Objects in this Bucket, but only you can create, overwrite, and delete them.
BucketPublic Read/WriteEveryone can list, create, overwrite, and delete Objects in this Bucket. This is not recommended.
ObjectPrivateOnly you can download this Object. Default
ObjectAuthenticated ReadAll authenticated Object Storage users can download this Object.
ObjectPublic ReadEveryone can download this Object.

Bucket level ACLs in Cloud Manager

📘

Existing buckets and any new bucket created in Cloud Manager have a default ACL permission setting of Private.

  1. If you have not already, log in to the Cloud Manager.

  2. Click the Object Storage link in the sidebar, and then click on the bucket you wish to edit the ACLs for.

    Select an Object Storage Bucket

  3. The Object Storage Bucket detail page appears. Click the Access tab.

    Object Storage Bucket Detail Page

  4. The Object Storage Bucket Access Page appears.

    Object Storage Bucket Access Page

  5. On this page you can select the ACL for this bucket as well as enable CORS.

    📘

    CORS is enabled by default on all existing buckets and on all new buckets.

  6. Select the ACL for this bucket from the dropdown menu.

    Object Storage Bucket Access Menu

  7. Click the Save button to save these settings to the bucket.

    Object Storage Bucket Access Page Save Settings

Object level ACLs in Cloud Manager

📘

Existing objects and any new objects created in Cloud Manager have a default ACL permission setting of Private.

  1. If you have not already, log in to the Cloud Manager.

  2. Click the Object Storage link in the sidebar, and then click on the bucket that holds the objects that you wish to edit the ACLs for.

    Select an Object Storage Bucket

  3. The Object Storage Bucket detail page appears and displays all the objects in your bucket.

  4. Next to the object you wish to edit the ACL settings for, click the more options ellipsis and select Details from the drop down menu that appears.

    Object Storage Object Detail Menu

  5. The Object ACL panel opens.

    Object Storage Object ACL Panel

  6. Select the ACL you wish to set for this object from the dropdown menu.

    Object Storage Object ACL Menu Options

  7. Click the Save button. The panel closes and the ACL is applied to the object.

    Object Storage Object ACL Save Settings

ACLs with s3cmd

With s3cmd, you can set a bucket to be public with the setacl command and the --acl-public flag:

s3cmd setacl s3://acl-example --acl-public

This causes the bucket and its contents to be downloadable over the public Internet.

To set an object or bucket to private, you can use the setacl command and the --acl-private flag:

s3cmd setacl s3://acl-example --acl-private

This prevents users from accessing the bucket's contents over the public Internet.

Granular permissions for s3cmd

The more granular permissions are:

PermissionDescription
readUsers with can list objects within a bucket
writeUsers can upload objects to a bucket and delete objects from a bucket.
read_acpUsers can read the ACL currently applied to a bucket.
write_acpUsers can change the ACL applied to the bucket.
full_controlUsers have read and write access over both objects and ACLs.

Setting a permission: To apply granular permissions for a specific user with s3cmd, use the following setacl command with the --acl-grant flag:

s3cmd setacl s3://acl-example --acl-grant=PERMISSION:CANONICAL_ID

Substitute acl-example with the name of the bucket (and the object, if necessary), PERMISSION with a permission from the above table, and CANONICAL_ID with the canonical ID of the user to which you would like to grant permissions. See Find the canonical user ID for an account for details on finding the canonical ID.

Revoking a permission: To revoke a specific permission, you can use the setacl command with the acl-revoke flag:

s3cmd setacl s3://acl-example --acl-revoke=PERMISSION:CANONICAL_ID

Substitute the bucket name (and optional object), PERMISSION, and CANONICAL_ID with your relevant values.

View current ACLs: To view the current ACLs applied to a bucket or object, use the info command, replacing acl-example with the name of your bucket (and object, if necessary):

s3cmd info s3://acl-example

You should see output like the following:

s3://acl-bucket-example/ (bucket):
   Location:  default
   Payer:     BucketOwner
   Expiration Rule: none
   Policy:    none
   CORS:      b'<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><CORSRule><AllowedMethod>GET</AllowedMethod><AllowedMethod>PUT</AllowedMethod><AllowedMethod>DELETE</AllowedMethod><AllowedMethod>HEAD</AllowedMethod><AllowedMethod>POST</AllowedMethod><AllowedOrigin>*</AllowedOrigin><AllowedHeader>*</AllowedHeader></CORSRule></CORSConfiguration>'
   ACL:       *anon*: READ
   ACL:       a0000000-000a-0000-0000-00d0ff0f0000: FULL_CONTROL
   URL:       http://us-east-1.linodeobjects.com/acl-example/

📘

The owner of the bucket always has the full_control permission.

📘

If you set an ACL that does not map to an ACL in Cloud Manager, Cloud Manager displays this as Custom.

Custom ACL Setting Displayed in <<CLOUD_PORTAL>>