Amazon Simple Storage Service
开发人员指南 (API Version 2006-03-01)
AWS 服务或 AWS 文档中描述的功能,可能因地区/位置而异。点击 Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

使用适用于 .NET 的 AWS 开发工具包管理 ACL

在创建资源时设置 ACL

创建资源 (存储桶和对象) 时,您可以通过在请求中指定授权的集合 (参阅 访问控制列表 (ACL) 概述) 来授予许可。对于每个授权,您可以创建一个 S3Grant 对象,显式地指定被授权者和许可。

例如,以下 C# 代码示例发送 PUT Bucket 请求以创建存储桶,然后发送 PutObject 请求以将新对象放置在新存储桶中。在请求中,代码为拥有者指定完全控制权限,并为 Amazon S3 日志传输 组指定 WRITE 权限。PutObject 调用包括请求正文中的对象数据和请求标头 (参阅 PUT Object) 中的 ACL 授权。

static string bucketName = "*** Provide existing bucket name ***";
static string newBucketName = "*** Provide a name for a new bucket ***";
static string newKeyName = "*** Provide a name for a new key ***";

IAmazonS3 client = new AmazonS3Client(Amazon.RegionEndpoint.USEast1);

// Look up the account's canonical user ID by reading the ACL of a bucket it already owns.
S3AccessControlList existingAcl = client.GetACL(new GetACLRequest
{
    BucketName = bucketName,
}).AccessControlList;

// Grant 1: FULL_CONTROL for the bucket owner.
S3Grant ownerGrant = new S3Grant
{
    Grantee = new S3Grantee { CanonicalUser = existingAcl.Owner.Id },
    Permission = S3Permission.FULL_CONTROL
};

// Grant 2: WRITE for the Amazon S3 LogDelivery predefined group, addressed by its URI.
S3Grant logDeliveryGrant = new S3Grant
{
    Grantee = new S3Grantee { URI = "http://acs.amazonaws.com/groups/s3/LogDelivery" },
    Permission = S3Permission.WRITE
};

// Create the bucket with both grants carried in the request.
PutBucketRequest bucketRequest = new PutBucketRequest()
{
    BucketName = newBucketName,
    BucketRegion = S3Region.US,
    Grants = new List<S3Grant> { ownerGrant, logDeliveryGrant }
};
PutBucketResponse bucketResponse = client.PutBucket(bucketRequest);

// Put an object into the new bucket; only the owner grant is attached to the object.
PutObjectRequest objectRequest = new PutObjectRequest()
{
    ContentBody = "Object data for simple put.",
    BucketName = newBucketName,
    Key = newKeyName,
    Grants = new List<S3Grant> { ownerGrant }
};
PutObjectResponse objectResponse = client.PutObject(objectRequest);

有关上传对象的更多信息,请参阅 使用 Amazon S3 对象。

在前面的代码示例中,您为每个 S3Grant 显式标识了被授权者和权限。或者,您也可以在创建资源时,在请求中指定标准 (预定义的) ACL (参阅 标准 ACL )。以下 C# 代码示例在请求中创建一个对象并指定一个 LogDeliveryWrite 预装 ACL,以向日志传输组授予对存储桶的 WRITE 和 READ_ACP 权限。

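// This request creates the bucket, so the name must not belong to an existing bucket
// (the original placeholder asked for an "existing" name, which PutBucket would reject).
static string newBucketName = "*** Provide a name for a new bucket ***";

IAmazonS3 client = new AmazonS3Client(Amazon.RegionEndpoint.USEast1);

PutBucketRequest request = new PutBucketRequest()
{
    BucketName = newBucketName,
    BucketRegion = S3Region.US,
    // Canned ACL: grants the Amazon S3 LogDelivery group WRITE and READ_ACP on the
    // bucket so server access logs can be delivered to it; the owner keeps FULL_CONTROL.
    CannedACL = S3CannedACL.LogDeliveryWrite
};
PutBucketResponse response = client.PutBucket(request);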

有关底层 REST API 的信息,请参阅 PUT Bucket。

更新现有资源上的 ACL

您可以通过调用 AmazonS3Client.PutACL 方法在现有对象或存储桶上设置 ACL。您可以使用 ACL 授权的列表创建 S3AccessControlList 类的实例并将该列表包含在 PutACL 请求中。

以下 C# 代码示例首先使用 AmazonS3Client.GetACL 方法读取现有 ACL,向其添加新授权,然后对对象设置经过修订的 ACL。

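static string bucketName = "*** Provide existing bucket name ***";
static string keyName = "*** Provide key name ***";
// Was referenced but never declared in this snippet; declared here so it compiles.
static string emailAddress = "*** Provide email address ***";

IAmazonS3 client = new AmazonS3Client(Amazon.RegionEndpoint.USEast1);

// Read the object's current ACL; its owner is needed for the replacement ACL.
S3AccessControlList acl = client.GetACL(new GetACLRequest
{
    BucketName = bucketName,
    Key = keyName
}).AccessControlList;
Owner owner = acl.Owner;

// PutACL replaces the object's ACL wholesale: any existing grant not listed below is
// dropped, and S3 does not re-add the owner's FULL_CONTROL for you. The original
// code added the owner grant to the discarded `acl` instead of `newAcl`, so the ACL
// it sent locked the owner out of the object.
S3Grant ownerGrant = new S3Grant
{
    Grantee = new S3Grantee { CanonicalUser = owner.Id },
    Permission = S3Permission.FULL_CONTROL
};

// WRITE_ACP lets this grantee change the object's ACL, i.e. hand out further permissions.
S3Grant emailGrant = new S3Grant
{
    Grantee = new S3Grantee { EmailAddress = emailAddress },
    Permission = S3Permission.WRITE_ACP
};

// WRITE for the Amazon S3 LogDelivery predefined group.
S3Grant logDeliveryGrant = new S3Grant
{
    Grantee = new S3Grantee { URI = "http://acs.amazonaws.com/groups/s3/LogDelivery" },
    Permission = S3Permission.WRITE
};

S3AccessControlList newAcl = new S3AccessControlList
{
    Grants = new List<S3Grant> { ownerGrant, emailGrant, logDeliveryGrant },
    Owner = owner
};

PutACLResponse response = client.PutACL(new PutACLRequest
{
    BucketName = bucketName,
    Key = keyName,
    AccessControlList = newAcl
});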

您也可以在请求中指定标准 ACL,而不是创建 S3Grant 对象并显式地指定被授权者和许可。以下 C# 代码示例对新存储桶设置一个预装 ACL。示例请求指定一个 AuthenticatedRead 标准 ACL,以向 Amazon S3 Authenticated Users 组授予读取访问权限。

static string newBucketName = "*** Provide new bucket name ***";

IAmazonS3 client = new AmazonS3Client(Amazon.RegionEndpoint.USEast1);

// A canned ACL stands in for an explicit S3Grant list. Note that the
// AuthenticatedUsers group means any signed-in AWS account, not just principals
// of this account, so AuthenticatedRead lets anyone with AWS credentials list
// the bucket; use it only when that exposure is intended.
PutBucketRequest bucketRequest = new PutBucketRequest()
{
    BucketName = newBucketName,
    BucketRegion = S3Region.US,
    CannedACL = S3CannedACL.AuthenticatedRead
};
PutBucketResponse bucketResponse = client.PutBucket(bucketRequest);

示例

下面的 C# 代码示例将执行以下任务:

  • 创建存储桶。在请求中,它将指定一个 log-delivery-write 标准 ACL,以将写入权限授予 LogDelivery Amazon S3 组。

  • 读取存储桶上的 ACL。

  • 清除现有许可并将新的许可添加到 ACL。

  • 调用 PutACL 请求以将新的 ACL 添加到存储桶。

有关如何创建和测试有效示例的说明,请参阅 运行 Amazon S3 .NET 代码示例。

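using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using Amazon.S3;
using Amazon.S3.Model;
using Amazon.S3.Util;

namespace s3.amazon.com.docsamples
{
    /// <summary>
    /// Sample that creates a bucket with a canned ACL, reads a bucket's ACL, and
    /// replaces the ACL on an existing object with an explicit grant list.
    /// </summary>
    class ManageACLs
    {
        static string bucketName = "*** Provide existing bucket name ***";
        static string newBucketName = "*** Provide a name for a new bucket ***";
        static string keyName = "*** Provide key name ***";
        static string newKeyName = "*** Provide a name for a new key ***";
        static string emailAddress = "*** Provide email address ***";
        static IAmazonS3 client;

        public static void Main(string[] args)
        {
            try
            {
                using (client = new AmazonS3Client(Amazon.RegionEndpoint.USEast1))
                {
                    // Add bucket (specify canned ACL).
                    AddBucketWithCannedACL(newBucketName);
                    // Get ACL on a bucket.
                    GetBucketACL(bucketName);
                    // Add (replace) ACL on an object in a bucket.
                    AddACLToExistingObject(bucketName, keyName);
                    Console.WriteLine("Example complete.");
                }
            }
            catch (AmazonS3Exception amazonS3Exception)
            {
                // Error codes are fixed service identifiers, so compare them ordinally.
                if (amazonS3Exception.ErrorCode != null &&
                    (amazonS3Exception.ErrorCode.Equals("InvalidAccessKeyId", StringComparison.Ordinal) ||
                     amazonS3Exception.ErrorCode.Equals("InvalidSecurity", StringComparison.Ordinal)))
                {
                    Console.WriteLine("Check the provided AWS Credentials.");
                    Console.WriteLine("For service sign up go to http://aws.amazon.com/s3");
                }
                else
                {
                    Console.WriteLine(
                        "Error occurred. Message:'{0}' when writing an object",
                        amazonS3Exception.Message);
                }
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }

            Console.WriteLine("Press any key to continue...");
            Console.ReadKey();
        }

        /// <summary>
        /// Creates the bucket <paramref name="bucketName"/> with the LogDeliveryWrite
        /// canned ACL (WRITE and READ_ACP for the Amazon S3 LogDelivery group).
        /// </summary>
        static void AddBucketWithCannedACL(string bucketName)
        {
            PutBucketRequest request = new PutBucketRequest()
            {
                // Use the parameter. The original read the static newBucketName field and
                // silently ignored whatever the caller passed in.
                BucketName = bucketName,
                BucketRegion = S3Region.US,
                // Add canned ACL.
                CannedACL = S3CannedACL.LogDeliveryWrite
            };
            PutBucketResponse response = client.PutBucket(request);
        }

        /// <summary>
        /// Reads the ACL of <paramref name="bucketName"/> and prints its owner and grants.
        /// </summary>
        static void GetBucketACL(string bucketName)
        {
            GetACLResponse response = client.GetACL(new GetACLRequest
            {
                BucketName = bucketName
            });
            S3AccessControlList accessControlList = response.AccessControlList;
            PrintAcl(accessControlList);
        }

        /// <summary>
        /// Replaces the ACL on the object <paramref name="keyName"/> in
        /// <paramref name="bucketName"/> with: FULL_CONTROL for the owner, WRITE_ACP for
        /// the e-mail grantee, and WRITE for the Amazon S3 LogDelivery group.
        /// Any grant the object had before and is not listed here is dropped.
        /// </summary>
        static void AddACLToExistingObject(string bucketName, string keyName)
        {
            // Retrieve the current ACL; its owner is needed for the replacement ACL.
            S3AccessControlList acl = client.GetACL(new GetACLRequest
            {
                BucketName = bucketName,
                Key = keyName
            }).AccessControlList;
            Owner owner = acl.Owner;

            // PutACL replaces the ACL wholesale and S3 does not re-add the owner's
            // FULL_CONTROL for you. The original added this grant to the discarded `acl`
            // rather than to `newAcl`, so the ACL it sent locked the owner out.
            S3Grant grant0 = new S3Grant
            {
                Grantee = new S3Grantee { CanonicalUser = owner.Id },
                Permission = S3Permission.FULL_CONTROL
            };

            // WRITE_ACP lets this grantee change the object's ACL, i.e. hand out further permissions.
            S3Grant grant1 = new S3Grant
            {
                Grantee = new S3Grantee { EmailAddress = emailAddress },
                Permission = S3Permission.WRITE_ACP
            };

            // WRITE for the Amazon S3 LogDelivery predefined group.
            S3Grant grant2 = new S3Grant
            {
                Grantee = new S3Grantee { URI = "http://acs.amazonaws.com/groups/s3/LogDelivery" },
                Permission = S3Permission.WRITE
            };

            // Create new ACL.
            S3AccessControlList newAcl = new S3AccessControlList
            {
                Grants = new List<S3Grant> { grant0, grant1, grant2 },
                Owner = owner
            };

            // Set new ACL.
            PutACLResponse response = client.PutACL(new PutACLRequest
            {
                BucketName = bucketName,
                Key = keyName,
                AccessControlList = newAcl
            });

            // Read the ACL back and print it. The original passed the GetACLResponse
            // object straight to Console.WriteLine, which only prints its type name.
            PrintAcl(client.GetACL(new GetACLRequest()
            {
                BucketName = bucketName,
                Key = keyName
            }).AccessControlList);
        }

        /// <summary>
        /// Prints the owner and every grant of <paramref name="acl"/>, one grant per line.
        /// A grantee is shown by whichever identifier it carries: canonical user ID,
        /// e-mail address, or group URI.
        /// </summary>
        static void PrintAcl(S3AccessControlList acl)
        {
            Console.WriteLine("Owner: {0}", acl.Owner.Id);
            foreach (S3Grant grant in acl.Grants)
            {
                S3Grantee grantee = grant.Grantee;
                string who = grantee.CanonicalUser ?? grantee.EmailAddress ?? grantee.URI;
                Console.WriteLine("  {0} -> {1}", who, grant.Permission);
            }
        }
    }
}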