The Amazon SDK for Java 1.x has entered maintenance mode as of July 31, 2024,
and will reach end-of-support
Managing Amazon S3 Access Permissions for Buckets and Objects
You can use access control lists (ACLs) for Amazon S3 buckets and objects for fine-grained control over your Amazon S3 resources.
Note
These code examples assume that you understand the material in Using the Amazon SDK for Java and have configured default Amazon credentials using the information in Set up Amazon Credentials and Region for Development.
Get the Access Control List for a Bucket
To get the current ACL for a bucket, call the AmazonS3 client's getBucketAcl method, passing it the bucket name to query. This method returns an AccessControlList object. To get each access grant in the list, call its getGrantsAsList method, which returns a standard Java list of Grant objects.
Imports
import com.amazonaws.AmazonServiceException;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.Grant;

import java.util.List;
Code
final AmazonS3 s3 = AmazonS3ClientBuilder.standard().withRegion(Regions.DEFAULT_REGION).build();
try {
    // fetch the bucket ACL and print each grantee with its permission
    AccessControlList acl = s3.getBucketAcl(bucket_name);
    List<Grant> grants = acl.getGrantsAsList();
    for (Grant grant : grants) {
        System.out.format(" %s: %s\n", grant.getGrantee().getIdentifier(),
                grant.getPermission().toString());
    }
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}
See the complete example
Set the Access Control List for a Bucket
To add or modify permissions in the ACL for a bucket, call the AmazonS3 client's setBucketAcl method. It takes an AccessControlList object that contains a list of grantees and access levels to set.
Imports
import com.amazonaws.AmazonServiceException;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.EmailAddressGrantee;
import com.amazonaws.services.s3.model.Permission;
Code
final AmazonS3 s3 = AmazonS3ClientBuilder.standard().withRegion(Regions.DEFAULT_REGION).build();
try {
    // get the current ACL
    AccessControlList acl = s3.getBucketAcl(bucket_name);
    // set access for the grantee
    EmailAddressGrantee grantee = new EmailAddressGrantee(email);
    // access must name a Permission enum constant, e.g. Read or FullControl
    Permission permission = Permission.valueOf(access);
    acl.grantPermission(grantee, permission);
    s3.setBucketAcl(bucket_name, acl);
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}
Note
You can provide the grantee’s unique identifier directly using the Grantee class, or use the EmailAddressGrantee class to set the grantee by email, as we’ve done here.
See the complete example
Get the Access Control List for an Object
To get the current ACL for an object, call the AmazonS3 client's getObjectAcl method, passing it the bucket name and object name to query. Like getBucketAcl, this method returns an AccessControlList object that you can use to examine each Grant.
Imports
import com.amazonaws.AmazonServiceException;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.Grant;

import java.util.List;
Code
final AmazonS3 s3 = AmazonS3ClientBuilder.standard().withRegion(Regions.DEFAULT_REGION).build();
try {
    // fetch the object ACL and print each grantee with its permission
    AccessControlList acl = s3.getObjectAcl(bucket_name, object_key);
    List<Grant> grants = acl.getGrantsAsList();
    for (Grant grant : grants) {
        System.out.format(" %s: %s\n", grant.getGrantee().getIdentifier(),
                grant.getPermission().toString());
    }
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}
See the complete example
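The grant lists returned by getBucketAcl and getObjectAcl, described in the two "Get" sections above, are where an unintended public grant shows up. The following is an added example, not part of the original page or the SDK's samples: it checks an AccessControlList for grants to the predefined AllUsers and AuthenticatedUsers groups. The class name, method name, severity labels and the canonical ID are assumptions, and the sample ACL is constructed in memory so the check runs without calling S3.

```java
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.CanonicalGrantee;
import com.amazonaws.services.s3.model.Grant;
import com.amazonaws.services.s3.model.Grantee;
import com.amazonaws.services.s3.model.GroupGrantee;
import com.amazonaws.services.s3.model.Permission;

import java.util.ArrayList;
import java.util.List;

// Added example; the class and method names are hypothetical.
public class AclAudit {

    /** Returns one finding per grant whose grantee is AllUsers or AuthenticatedUsers. */
    static List<String> findPublicGrants(AccessControlList acl) {
        List<String> findings = new ArrayList<>();
        for (Grant grant : acl.getGrantsAsList()) {
            Grantee grantee = grant.getGrantee();
            Permission permission = grant.getPermission();
            if (GroupGrantee.AllUsers.equals(grantee)
                    || GroupGrantee.AuthenticatedUsers.equals(grantee)) {
                // Write, WriteAcp and FullControl let the group change data or the ACL itself.
                boolean canModify = permission != Permission.Read
                        && permission != Permission.ReadAcp;
                findings.add(String.format("%s %s -> %s",
                        canModify ? "CRITICAL" : "WARNING", grantee.getIdentifier(), permission));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample ACL; in real use pass s3.getBucketAcl(...) or s3.getObjectAcl(...).
        AccessControlList acl = new AccessControlList();
        acl.grantPermission(new CanonicalGrantee("constructed-owner-canonical-id"),
                Permission.FullControl);
        acl.grantPermission(GroupGrantee.AllUsers, Permission.Read);
        acl.grantPermission(GroupGrantee.AuthenticatedUsers, Permission.WriteAcp);

        List<String> findings = findPublicGrants(acl);
        findings.forEach(System.out::println);
        if (!findings.isEmpty()) {
            System.exit(2); // non-zero exit so a scheduled check can alert
        }
    }
}
```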
Set the Access Control List for an Object
To add or modify permissions in the ACL for an object, call the AmazonS3 client's setObjectAcl method. It takes an AccessControlList object that contains a list of grantees and access levels to set.
Imports
import com.amazonaws.AmazonServiceException;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.EmailAddressGrantee;
import com.amazonaws.services.s3.model.Permission;
Code
final AmazonS3 s3 = AmazonS3ClientBuilder.standard().withRegion(Regions.DEFAULT_REGION).build();
try {
    // get the current ACL
    AccessControlList acl = s3.getObjectAcl(bucket_name, object_key);
    // set access for the grantee
    EmailAddressGrantee grantee = new EmailAddressGrantee(email);
    // access must name a Permission enum constant, e.g. Read or FullControl
    Permission permission = Permission.valueOf(access);
    acl.grantPermission(grantee, permission);
    s3.setObjectAcl(bucket_name, object_key, acl);
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}
Note
You can provide the grantee’s unique identifier directly using the Grantee class, or use the EmailAddressGrantee class to set the grantee by email, as we’ve done here.
See the complete example
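Both "Set" sections above fetch the current ACL and call grantPermission, which appends a grant, so lowering a grantee's access that way leaves the older, broader grant in place. The following added example (not from the original page or the SDK's samples) replaces a grantee's grants with a single permission and refuses the AllUsers and AuthenticatedUsers groups. The class and method names and the canonical IDs are assumptions, and it uses CanonicalGrantee rather than the page's EmailAddressGrantee.

```java
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.CanonicalGrantee;
import com.amazonaws.services.s3.model.Grant;
import com.amazonaws.services.s3.model.Grantee;
import com.amazonaws.services.s3.model.GroupGrantee;
import com.amazonaws.services.s3.model.Permission;

// Added example; the class and method names are hypothetical.
public class AclReplaceGrant {

    /** Leaves the grantee with exactly one permission, removing any it held before. */
    static void replacePermission(AccessControlList acl, Grantee grantee, Permission permission) {
        if (GroupGrantee.AllUsers.equals(grantee)
                || GroupGrantee.AuthenticatedUsers.equals(grantee)) {
            throw new IllegalArgumentException("refusing group grant: " + grantee.getIdentifier());
        }
        // grantPermission only appends, so clear the grantee's existing grants first.
        acl.revokeAllPermissions(grantee);
        acl.grantPermission(grantee, permission);
    }

    public static void main(String[] args) {
        // Constructed sample data; in real use start from s3.getBucketAcl(...) or
        // s3.getObjectAcl(...) so the ACL keeps its owner and existing grants.
        CanonicalGrantee owner = new CanonicalGrantee("constructed-owner-canonical-id");
        CanonicalGrantee partner = new CanonicalGrantee("constructed-partner-canonical-id");
        AccessControlList acl = new AccessControlList();
        acl.grantPermission(owner, Permission.FullControl);
        acl.grantPermission(partner, Permission.Write);

        // Downgrade the partner from Write to Read.
        replacePermission(acl, partner, Permission.Read);

        for (Grant grant : acl.getGrantsAsList()) {
            System.out.format(" %s: %s\n", grant.getGrantee().getIdentifier(),
                    grant.getPermission());
        }
        // Then write it back with s3.setBucketAcl(bucket_name, acl)
        // or s3.setObjectAcl(bucket_name, object_key, acl).
    }
}
```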
More Information
- GET Bucket acl in the Amazon S3 API Reference
- PUT Bucket acl in the Amazon S3 API Reference
- GET Object acl in the Amazon S3 API Reference
- PUT Object acl in the Amazon S3 API Reference