setacl (set object's ACL)


setacl [BUCKET_NAME]/[FOLDER]/OBJECT [-s] [-r] [-cacl:CANNED_ACL] [-grant-read:"GRANTEE"] [-grant-write:"GRANTEE"] [-grant-full-control:"GRANTEE"] [-grant-read-acp:"GRANTEE"] [-grant-write-acp:"GRANTEE"] [-sim] [-cond:"FILTER"] [-include:INCL] [-exclude:EXCL] [-rinclude:INCL] [-rexclude:EXCL] [-inclenc] [-exclenc] [-inclrr] [-exclrr] [-inclia] [-exclia] [-inclgl] [-exclgl] [-inclle] [-exclle]

Set the S3 ACL for one or more objects. Amazon S3 applies a new ACL as a replacement for the object's existing ACL, not as an addition to it, so every grant the object should keep must be part of the new ACL. S3 also rejects the request on buckets where ACLs are disabled (Object Ownership set to "Bucket owner enforced") unless the canned ACL is bucket-owner-full-control, and, when Block Public Access has "Block public ACLs" enabled, whenever the new ACL grants anything to the AllUsers or AuthenticatedUsers groups.

Parameters (each entry lists the parameter, its description and examples):

[BUCKET_NAME]/[FOLDER]/OBJECT

Name / path of the object(s) to set the ACL for. The wildcard characters * and ? are supported by default to match multiple objects. A regular expression can be used instead; in that case add the -r flag on the command line (see below).

setacl mybucket/file -cacl:private (set canned ACL 'private' to mybucket/file)

setacl mybucket/* -cacl:public-read (set canned ACL 'public-read' to all files in mybucket)

setacl mybucket/*.txt -s -cacl:public-read-write (set canned ACL 'public-read-write' to all txt files in mybucket, including in subfolders of mybucket)

-s

Recursive, i.e. include all subfolders when processing multiple objects with wildcard characters or a regular expression. Without this flag only objects directly in the named folder are processed.

setacl mybucket/*.txt -s -cacl:public-read-write (set canned ACL 'public-read-write' to all txt files in mybucket, including in subfolders of mybucket)

-r

Regular expression. This flag specifies that [BUCKET_NAME]/[FOLDER]/OBJECT is a regular expression rather than a wildcard mask.

cd mybucket (set working location to mybucket)

followed by

setacl ^(a.*|b.*|c.*) -s -cacl:public-read (set canned ACL 'public-read' to all files whose name starts with a, b or c in mybucket, including files in subfolders of mybucket; note that the ^ anchor has to cover every alternative, otherwise b.* and c.* would match any name containing a b or a c)

-cacl:CANNED_ACL

Set a canned ACL. Amazon S3 supports a set of predefined ACLs, known as canned ACLs. Each canned ACL has a predefined set of grantees and permissions.

Valid values for CANNED_ACL:

private (Owner gets FULL_CONTROL. No one else has access rights; this is the default for an object)

public-read (Owner gets FULL_CONTROL. The AllUsers group, that is everyone, with or without AWS credentials, gets READ access)

public-read-write (Owner gets FULL_CONTROL. The AllUsers group, that is everyone, gets READ and WRITE access)

authenticated-read (Owner gets FULL_CONTROL. The AuthenticatedUsers group gets READ access. This group is any AWS account that signs its request, not only accounts or IAM users that belong to you, so it is only marginally less public than public-read)

bucket-owner-read (Object owner gets FULL_CONTROL. Bucket owner gets READ access)

bucket-owner-full-control (Both the object owner and the bucket owner get FULL_CONTROL over the object)

Note: You can specify only one of these canned ACLs in your request.

setacl mybucket/*.jpg -s -cacl:private (set canned ACL 'private' to all jpg files in mybucket, including in subfolders of mybucket)

-grant-read:"GRANTEE"

Allows grantee to read the object data and its metadata. See how to specify one or more grantees below.

setacl mybucket/* -grant-read:"emailAddress=xyz@amazon.com, emailAddress=abc@amazon.com"

-grant-write:"GRANTEE"

Allows grantee to write the object data and its metadata. See how to specify one or more grantees below.

setacl mybucket/* -grant-write:"emailAddress=xyz@amazon.com, emailAddress=abc@amazon.com"

-grant-full-control:"GRANTEE"

Allows grantee the READ, WRITE, READ_ACP and WRITE_ACP permissions on the object, that is full control. See how to specify one or more grantees below. Granting full control to the AllUsers or AuthenticatedUsers group, as in the example, lets anyone rewrite the object's ACL and grant themselves any permission; the example shows the syntax, not a recommended setting.

setacl mybucket/subfolder/* -grant-full-control:"uri=http://acs.amazonaws.com/groups/global/AllUsers"

-grant-read-acp:"GRANTEE"

Allows grantee to read the object ACL. See how to specify one or more grantees below.

setacl mybucket/subfolder/* -grant-read-acp:"uri=http://acs.amazonaws.com/groups/global/AllUsers"

-grant-write-acp:"GRANTEE"

Allows grantee to write the object ACL. Because WRITE_ACP lets the grantee add any further grant, including full control for themselves, treat it as equivalent to full control. See how to specify one or more grantees below.

setacl mybucket/subfolder/* -grant-write-acp:"uri=http://acs.amazonaws.com/groups/global/AllUsers"

-sim

Simulation mode: only preview which objects would be affected and how their ACL would be set; nothing is changed. Use it before any run that touches many objects or grants access to a predefined group.

setacl mybucket/*.jpg -s -cacl:private -sim (simulate setting canned ACL 'private' to all jpg files in mybucket, including in subfolders of mybucket, without actually setting yet, i.e. preview only)

-cond:"FILTER"

Filter condition. Only apply the permissions to objects matching the specified condition. See the help topic on filter condition syntax and variables for the available operators and variables.

setacl mybucket -s -cacl:private -cond:"s3_sizeMB > 5" (set canned ACL 'private' to all files in mybucket and subfolders that are larger than 5 Megabytes)

setacl mybucket -s -cacl:private -cond:"to_lower(s3_extension) = '.exe'" (set canned ACL 'private' to all files in mybucket and subfolders that have extension .exe, case insensitive)

-include:INCL

Only apply the permissions to objects matching the specified mask (Wildcards). Separate multiple masks with "|".

setacl mybucket -s -cacl:private -include:*.jpg|*.gif (set canned ACL 'private' to all files in mybucket and subfolders that have extension .jpg or .gif)

-exclude:EXCL

Do not apply the permissions to objects matching the specified mask (Wildcards). Separate multiple masks with "|".

setacl mybucket -s -cacl:private -exclude:*.jpg|*.gif|*.png (set canned ACL 'private' to all files in mybucket and subfolders, excluding files that have extension .jpg, .gif or .png)

-rinclude:INCL

Only apply the permissions to objects matching the specified mask (Regular Expression).

setacl mybucket -s -cacl:private -rinclude:a(x|y|z)b (set canned ACL 'private' to all files in mybucket and subfolders whose name matches axb, ayb or azb)

-rexclude:EXCL

Do not apply the permissions to objects matching the specified mask (Regular Expression).

setacl mybucket -s -cacl:private -rexclude:a(x|y|z)b (set canned ACL 'private' to all files in mybucket and subfolders, excluding files whose name matches axb, ayb or azb)

-inclenc
-exclenc

Apply the permissions only to server-side encrypted files.
Do not apply the permissions to server-side encrypted files.

setacl mybucket -s -cacl:private -inclenc (set canned ACL 'private' to all files in mybucket and subfolders that are server-side encrypted)

-inclrr
-exclrr

Apply the permissions only to reduced redundancy files.

Do not apply the permissions to reduced redundancy files.

setacl mybucket -s -cacl:private -inclrr (set canned ACL 'private' to all files in mybucket and subfolders that have storage class 'reduced redundancy')

-inclia
-exclia

Apply the permissions only to infrequent access files.

Do not apply the permissions to infrequent access files.

setacl mybucket -s -cacl:private -inclia (set canned ACL 'private' to all files in mybucket and subfolders that have storage class 'infrequent access')

-inclgl
-exclgl

Apply the permissions only to Glacier files.

Do not apply the permissions to Glacier files.

setacl mybucket -s -cacl:private -inclgl (set canned ACL 'private' to all files in mybucket and subfolders that have storage class 'Glacier')

-inclle
-exclle

Apply the permissions only to client-side (locally) encrypted files.

Do not apply the permissions to client-side (locally) encrypted files.

setacl mybucket -s -cacl:private -inclle (set canned ACL 'private' to all files in mybucket and subfolders that are client-side encrypted)
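The selection rules above (wildcard mask or -r regular expression, -s recursion, -include/-exclude and -rinclude/-rexclude) decide which objects one setacl line touches, and a bulk ACL change is hard to undo, so it helps to predict the selection offline from a key listing. The following Python script is an added example written for this page; it is not code from the tool, and its semantics are assumptions drawn from the examples on this page: masks and regular expressions are matched against the object's file name rather than the full key, a target without -s matches only objects directly in the named folder, and in -r mode the expression is evaluated with re.search from the bucket root (the 'cd mybucket' working location). The keys in SAMPLE_KEYS are constructed.

```python
import fnmatch
import re
from typing import List, Optional

# Constructed sample listing of bucket "mybucket" (not real data).
SAMPLE_KEYS = [
    "readme.txt",
    "notes.txt",
    "photo.jpg",
    "docs/guide.txt",
    "docs/img/logo.gif",
    "docs/cat.png",
    "archive/old.exe",
    "b-report.txt",
]


def _split_target(target: str):
    """'mybucket/docs/*.txt' -> ('docs/', '*.txt'); 'mybucket' -> ('', '*')."""
    rel = target.split("/", 1)[1] if "/" in target else ""   # drop the bucket name
    folder, _, mask = rel.rpartition("/")
    if folder:
        folder += "/"
    return folder, (mask or "*")


def _any_mask(name: str, masks: str) -> bool:
    """True if the file name matches any of the '|'-separated wildcard masks."""
    return any(fnmatch.fnmatchcase(name, m) for m in masks.split("|"))


def select_objects(keys: List[str], target: str, regex: bool = False,
                   recursive: bool = False, include: Optional[str] = None,
                   exclude: Optional[str] = None, rinclude: Optional[str] = None,
                   rexclude: Optional[str] = None) -> List[str]:
    """Return the keys a setacl command line would touch, in listing order.

    Assumed semantics (not confirmed by the page): the target mask, -include/
    -exclude masks and -rinclude/-rexclude regexes apply to the object's file
    name; without -s only objects directly in the target folder qualify; in -r
    mode the target is a regex matched with re.search from the bucket root.
    """
    if regex:
        folder, name_ok = "", re.compile(target).search
    else:
        folder, mask = _split_target(target)
        name_ok = lambda n: fnmatch.fnmatchcase(n, mask)

    selected = []
    for key in keys:
        if not key.startswith(folder):
            continue
        rest = key[len(folder):]
        if "/" in rest and not recursive:
            continue                      # lives in a subfolder and -s not given
        name = rest.rsplit("/", 1)[-1]
        if not name or not name_ok(name):
            continue
        if include and not _any_mask(name, include):
            continue
        if exclude and _any_mask(name, exclude):
            continue
        if rinclude and not re.search(rinclude, name):
            continue
        if rexclude and re.search(rexclude, name):
            continue
        selected.append(key)
    return selected


if __name__ == "__main__":
    # Preview, the way -sim would, what "setacl mybucket -s -exclude:*.jpg|*.gif|*.png" hits.
    for key in select_objects(SAMPLE_KEYS, "mybucket", recursive=True,
                              exclude="*.jpg|*.gif|*.png"):
        print("would set ACL on", key)
```

Run it against a real listing (one key per line) instead of SAMPLE_KEYS to see the set of objects before committing a change without -sim.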

How to specify a GRANTEE:

You specify each grantee as a type=value pair, where the type can be one of the following:

emailAddress — if the value specified is the email address of an AWS account (Amazon S3 accepts email-address grantees only in some regions; see the Amazon S3 documentation)
id — if the value specified is the canonical user ID of an AWS account
uri — if granting permission to a predefined group

Multiple grantees must be separated by commas.

For example, the following -grant-read grants permission to read the object data and its metadata to the AWS accounts identified by their email addresses:
-grant-read:"emailAddress=xyz@amazon.com, emailAddress=abc@amazon.com"

The following -grant-full-control grants full control to everyone:
-grant-full-control:"uri=http://acs.amazonaws.com/groups/global/AllUsers"

The predefined groups AllUsers and AuthenticatedUsers are global: AllUsers is anyone at all, with or without AWS credentials, and AuthenticatedUsers is any AWS account, not only accounts you own. A grant of WRITE_ACP or FULL_CONTROL to either group lets anyone change the object's ACL. Refer to the Amazon S3 documentation for the full list of supported group URIs.
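To make the canned ACL table and the GRANTEE syntax concrete, the following Python module is an added example written for this page; it is not part of the tool and does not call S3. It expands each canned ACL into the (grantee, permission) grants S3 records, parses -grant-* strings into the Grantee structure used by the S3 PutObjectAcl API (Type of CanonicalUser, AmazonCustomerByEmail or Group), enforces the S3 rule that one request carries either a canned ACL or explicit grants but not both, and audits the result for grants to the AllUsers and AuthenticatedUsers groups, the check worth running before a command like the full-control example above. The placeholder canonical IDs are assumptions.

```python
from typing import Dict, List, Optional

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "everyone", AUTH_USERS: "any AWS account"}

# Canned ACLs as listed on this page, expanded into (grantee, permission) pairs.
# "OWNER" and "BUCKET_OWNER" are placeholders that build_policy resolves.
CANNED_ACLS: Dict[str, List] = {
    "private":                   [("OWNER", "FULL_CONTROL")],
    "public-read":               [("OWNER", "FULL_CONTROL"), ("uri=" + ALL_USERS, "READ")],
    "public-read-write":         [("OWNER", "FULL_CONTROL"), ("uri=" + ALL_USERS, "READ"),
                                  ("uri=" + ALL_USERS, "WRITE")],
    "authenticated-read":        [("OWNER", "FULL_CONTROL"), ("uri=" + AUTH_USERS, "READ")],
    "bucket-owner-read":         [("OWNER", "FULL_CONTROL"), ("BUCKET_OWNER", "READ")],
    "bucket-owner-full-control": [("OWNER", "FULL_CONTROL"), ("BUCKET_OWNER", "FULL_CONTROL")],
}

# -grant-<flag> name -> S3 permission.
GRANT_FLAGS = {"read": "READ", "write": "WRITE", "read-acp": "READ_ACP",
               "write-acp": "WRITE_ACP", "full-control": "FULL_CONTROL"}

# GRANTEE type prefix -> (S3 Grantee type, S3 Grantee field holding the value).
GRANTEE_TYPES = {"emailAddress": ("AmazonCustomerByEmail", "EmailAddress"),
                 "id": ("CanonicalUser", "ID"),
                 "uri": ("Group", "URI")}


def parse_grantees(spec: str) -> List[Dict[str, str]]:
    """Parse a -grant-*:"type=value, type=value" string into S3 Grantee dicts."""
    grantees = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"grantee must be type=value, got {item!r}")
        gtype, value = (s.strip() for s in item.split("=", 1))
        if gtype not in GRANTEE_TYPES:
            raise ValueError(f"unknown grantee type {gtype!r}; use emailAddress, id or uri")
        if not value:
            raise ValueError(f"empty value for grantee type {gtype!r}")
        s3_type, field = GRANTEE_TYPES[gtype]
        grantees.append({"Type": s3_type, field: value})
    return grantees


def build_policy(canned: Optional[str] = None,
                 grants: Optional[Dict[str, str]] = None,
                 owner_id: str = "OWNER-CANONICAL-ID",          # assumed placeholder
                 bucket_owner_id: str = "BUCKET-OWNER-CANONICAL-ID") -> Dict:
    """Build the AccessControlPolicy a PutObjectAcl request would carry.

    S3 accepts either one canned ACL or explicit grants in a request, not both.
    """
    if canned and grants:
        raise ValueError("use either a canned ACL or explicit grants, not both")
    if not canned and not grants:
        raise ValueError("nothing to set")
    out = []
    if canned:
        if canned not in CANNED_ACLS:
            raise ValueError(f"unknown canned ACL {canned!r}")
        for who, perm in CANNED_ACLS[canned]:
            if who == "OWNER":
                grantee = {"Type": "CanonicalUser", "ID": owner_id}
            elif who == "BUCKET_OWNER":
                grantee = {"Type": "CanonicalUser", "ID": bucket_owner_id}
            else:
                grantee = parse_grantees(who)[0]
            out.append({"Grantee": grantee, "Permission": perm})
    else:
        for flag, spec in grants.items():
            if flag not in GRANT_FLAGS:
                raise ValueError(f"unknown grant flag {flag!r}")
            for grantee in parse_grantees(spec):
                out.append({"Grantee": grantee, "Permission": GRANT_FLAGS[flag]})
    return {"Owner": {"ID": owner_id}, "Grants": out}


def audit_policy(policy: Dict) -> List[str]:
    """List every grant to a global group; WRITE, WRITE_ACP and FULL_CONTROL are HIGH."""
    findings = []
    for grant in policy["Grants"]:
        uri = grant["Grantee"].get("URI")
        if uri not in PUBLIC_GROUPS:
            continue
        perm = grant["Permission"]
        severity = "HIGH" if perm in ("WRITE", "WRITE_ACP", "FULL_CONTROL") else "INFO"
        findings.append(f"{severity}: {perm} granted to {PUBLIC_GROUPS[uri]} via {uri}")
    return findings


if __name__ == "__main__":
    # What the page's -grant-full-control example would put on every object.
    policy = build_policy(grants={"full-control": "uri=" + ALL_USERS})
    for line in audit_policy(policy):
        print(line)
```

Feed a policy built from the command line you are about to run into audit_policy; any HIGH finding means the objects would become writable, or their ACL rewritable, by parties outside your account.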