Upload files to AWS S3 with public read ACL using AWS CLI or Boto 3

Gregory Sánchez
Published in plusteam
May 19, 2021

As you might notice, when you upload files to AWS S3, it stores the objects as private by default. This applies to both AWS CLI and Boto 3 tools when uploading files.

In some cases, you might need to store the given files as public read. For example, when you don’t want to provide a presigned URL to access the resource.

To manage an object’s access permissions, AWS uses an Access Control List (ACL). This ACL stores all the users and groups that have access to read or write an object.

Assuming you want your files to be publicly readable, you have to give read access to the AWS AllUsers group. To do this, both AWS CLI and Boto 3 provide a way to manage the ACL.

Copy or upload files with a given ACL using AWS CLI

To upload or copy files to a bucket with the cp command while granting public access, specify the value public-read in the --acl flag:

aws s3 cp church_image.jpg s3://bucket_name/tests/church_image.jpg --acl public-read

After that, we could use the next URL to access the object without giving the URL an access token:

https://bucket_name.s3.amazonaws.com/tests/church_image.jpg

Also, you can use this --acl flag alongside the mv command.

Here you can find a list of a variety of grants that you can use with the --acl flag.

Change an Object’s ACL that is already within a bucket using AWS CLI

To change the permissions of an object that is already within a bucket, you can use the put-object-acl command of the s3api tool.

aws s3api put-object-acl --bucket bucket-name --key my_object --acl public-read

Upload files with a given ACL using Boto 3

To upload a file with a given permission, you must specify the ACL using the ExtraArgs parameter within the upload_file or upload_fileobj methods.

import boto3

s3_resource = boto3.resource('s3')
# Upload the local file and apply the public-read canned ACL to the new object
s3_resource.meta.client.upload_file(
    '/tmp/church_image.jpg',
    'bucket_name',
    'tests/church_image.jpg',
    ExtraArgs={'ACL': 'public-read'})

There is a variety of defined grants. You can find them here.

After that, we could use the next URL to access the object without giving the URL an access token:

https://bucket_name.s3.amazonaws.com/tests/church_image.jpg

Check an object’s ACL

Of course, you can use AWS CLI or Boto 3 to check the Access Control List of an object.

The tool s3api allows you to check the ACL with the command get-object-acl:

aws s3api get-object-acl --bucket my-bucket --key index.html

With Boto 3 you can get this ACL by creating an ObjectAcl:

import boto3
s3_resource = boto3.resource('s3')
object_acl = s3_resource.ObjectAcl('bucket-name', 'tests/church_image.jpg')
print(object_acl.grants)  # the grants listed under the "Grants" key

Both s3api and ObjectAcl will return a dictionary with the ACL. The part of our interest here is the "Grants" key. Here you can find the groups and users that have access to the object, and the type of access that is granted.

When the object is public read, a group with the URI http://acs.amazonaws.com/groups/global/AllUsers and the "READ" permission will be found within this section.

{
    "Owner": {
        "DisplayName": "the_user",
        "ID": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "the_user",
                "ID": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        },
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ"
        }
    ]
}
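An added example (not code from the original post): a Python check that walks the "Grants" list described above and reports every grant made to a public group, so you can confirm which objects are exposed. It goes slightly beyond the AllUsers case by also flagging the AuthenticatedUsers group; the function names, the sample ACL and its placeholder owner ID are assumptions made for illustration.

```python
# Predefined S3 group URIs whose grants expose an object beyond named accounts.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone", AUTHENTICATED_USERS: "any AWS account"}


def public_grants(acl):
    """Return [(audience, permission)] for each grant to a public group.

    `acl` is the dictionary printed by `aws s3api get-object-acl` or returned
    by the Boto 3 client's get_object_acl call.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants name one specific account
        audience = PUBLIC_GROUPS.get(grantee.get("URI"))
        if audience:
            findings.append((audience, grant.get("Permission")))
    return findings


def audit_keys(s3_client, bucket, keys):
    """Map each key that carries a public grant to its findings.

    `s3_client` is a boto3.client('s3'), passed in by the caller.
    """
    report = {}
    for key in keys:
        acl = s3_client.get_object_acl(Bucket=bucket, Key=key)
        found = public_grants(acl)
        if found:
            report[key] = found
    return report


# Constructed sample in the shape of the get-object-acl output shown above.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "the_user", "ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"DisplayName": "the_user", "ID": "EXAMPLE-OWNER-ID",
                     "Type": "CanonicalUser"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print(public_grants(SAMPLE_ACL))
```
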

Whatever permissions you want to grant to a user, you can use the ACL to give restricted access to an object, depending on what you need.