Managing Amazon S3 Access Permissions for Buckets and Objects - Amazon SDK for Java 1.x

The Amazon SDK for Java 1.x has entered maintenance mode as of July 31, 2024, and will reach end-of-support on December 31, 2025. We recommend that you migrate to the Amazon SDK for Java 2.x to continue receiving new features, availability improvements, and security updates.

Managing Amazon S3 Access Permissions for Buckets and Objects

You can use access control lists (ACLs) for Amazon S3 buckets and objects for fine-grained control over your Amazon S3 resources.

Note

These code examples assume that you understand the material in Using the Amazon SDK for Java and have configured default Amazon credentials using the information in Set up Amazon Credentials and Region for Development.

Get the Access Control List for a Bucket

To get the current ACL for a bucket, call the AmazonS3 client's getBucketAcl method, passing it the name of the bucket to query. This method returns an AccessControlList object. To get each access grant in the list, call its getGrantsAsList method, which returns a standard Java list of Grant objects.

Imports

import com.amazonaws.AmazonServiceException;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.Grant;

import java.util.List;

Code

// bucket_name is a String holding the name of the bucket to query
final AmazonS3 s3 = AmazonS3ClientBuilder.standard().withRegion(Regions.DEFAULT_REGION).build();
try {
    AccessControlList acl = s3.getBucketAcl(bucket_name);
    List<Grant> grants = acl.getGrantsAsList();
    // print each grantee together with the permission it holds
    for (Grant grant : grants) {
        System.out.format("  %s: %s\n", grant.getGrantee().getIdentifier(),
                grant.getPermission().toString());
    }
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}

See the complete example on GitHub.

Set the Access Control List for a Bucket

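To add or modify permissions in a bucket's ACL, call the AmazonS3 client's setBucketAcl method. It takes an AccessControlList object that contains the list of grantees and access levels to set. The ACL you pass replaces the bucket's current one, so the code below first retrieves the existing ACL and adds the new grant to it.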

Imports

import com.amazonaws.AmazonServiceException;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.EmailAddressGrantee;
import com.amazonaws.services.s3.model.Permission;

Code

// bucket_name, email and access are Strings supplied by the caller
final AmazonS3 s3 = AmazonS3ClientBuilder.standard().withRegion(Regions.DEFAULT_REGION).build();
try {
    // get the current ACL
    AccessControlList acl = s3.getBucketAcl(bucket_name);
    // set access for the grantee
    EmailAddressGrantee grantee = new EmailAddressGrantee(email);
    // access must name a Permission constant, such as "Read" or "FullControl"
    Permission permission = Permission.valueOf(access);
    acl.grantPermission(grantee, permission);
    s3.setBucketAcl(bucket_name, acl);
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}

Note

You can provide the grantee’s unique identifier directly using the Grantee class, or use the EmailAddressGrantee class to set the grantee by email, as we’ve done here.

See the complete example on GitHub.
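
The get and set calls above are the building blocks of an ACL audit. The following added example (not part of the SDK documentation's own sample code) finds grants held by the predefined AllUsers and AuthenticatedUsers groups and removes them from the ACL; the class name, method names and the sample ACL are constructed for illustration, and the sample runs without credentials.

```java
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.CanonicalGrantee;
import com.amazonaws.services.s3.model.Grant;
import com.amazonaws.services.s3.model.GroupGrantee;
import com.amazonaws.services.s3.model.Permission;

import java.util.ArrayList;
import java.util.List;

// Illustrative helper class; the names here are not part of the SDK.
public class AclAudit {

    /** Returns the grants that give access to a predefined public group. */
    static List<Grant> findPublicGrants(AccessControlList acl) {
        List<Grant> risky = new ArrayList<>();
        for (Grant grant : acl.getGrantsAsList()) {
            // AllUsers = anyone; AuthenticatedUsers = any AWS account holder
            if (GroupGrantee.AllUsers.equals(grant.getGrantee())
                    || GroupGrantee.AuthenticatedUsers.equals(grant.getGrantee())) {
                risky.add(grant);
            }
        }
        return risky;
    }

    /** Removes every grant held by the public groups from the in-memory ACL. */
    static void revokePublicGrants(AccessControlList acl) {
        acl.revokeAllPermissions(GroupGrantee.AllUsers);
        acl.revokeAllPermissions(GroupGrantee.AuthenticatedUsers);
    }

    public static void main(String[] args) {
        // Constructed sample ACL; against a real bucket, start from
        // s3.getBucketAcl(bucket_name) instead.
        AccessControlList acl = new AccessControlList();
        acl.grantPermission(new CanonicalGrantee("EXAMPLE-OWNER-CANONICAL-ID"),
                Permission.FullControl);
        acl.grantPermission(GroupGrantee.AllUsers, Permission.Read);
        acl.grantPermission(GroupGrantee.AuthenticatedUsers, Permission.WriteAcp);

        for (Grant g : findPublicGrants(acl)) {
            System.out.format("PUBLIC %s: %s%n",
                    g.getGrantee().getIdentifier(), g.getPermission());
        }
        revokePublicGrants(acl);
        System.out.println("Public grants left: " + findPublicGrants(acl).size());
        // To apply the cleaned ACL to a bucket: s3.setBucketAcl(bucket_name, acl);
    }
}
```

The same two helper methods work unchanged on the AccessControlList returned by getObjectAcl.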

Get the Access Control List for an Object

To get the current ACL for an object, call the AmazonS3 client's getObjectAcl method, passing it the bucket name and the key of the object to query. Like getBucketAcl, this method returns an AccessControlList object that you can use to examine each Grant.

Imports

import com.amazonaws.AmazonServiceException;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.Grant;

import java.util.List;

Code

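// bucket_name and object_key are Strings identifying the object to query
final AmazonS3 s3 = AmazonS3ClientBuilder.standard().withRegion(Regions.DEFAULT_REGION).build();
try {
    AccessControlList acl = s3.getObjectAcl(bucket_name, object_key);
    List<Grant> grants = acl.getGrantsAsList();
    // print each grantee together with the permission it holds
    for (Grant grant : grants) {
        System.out.format("  %s: %s\n", grant.getGrantee().getIdentifier(),
                grant.getPermission().toString());
    }
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}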

See the complete example on GitHub.

Set the Access Control List for an Object

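To add or modify permissions in an object's ACL, call the AmazonS3 client's setObjectAcl method. It takes an AccessControlList object that contains the list of grantees and access levels to set. The ACL you pass replaces the object's current one, so the code below first retrieves the existing ACL and adds the new grant to it.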

Imports

import com.amazonaws.AmazonServiceException;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AccessControlList;
import com.amazonaws.services.s3.model.EmailAddressGrantee;
import com.amazonaws.services.s3.model.Permission;

Code

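// bucket_name, object_key, email and access are Strings supplied by the caller
final AmazonS3 s3 = AmazonS3ClientBuilder.standard().withRegion(Regions.DEFAULT_REGION).build();
try {
    // get the current ACL
    AccessControlList acl = s3.getObjectAcl(bucket_name, object_key);
    // set access for the grantee
    EmailAddressGrantee grantee = new EmailAddressGrantee(email);
    // access must name a Permission constant, such as "Read" or "FullControl"
    Permission permission = Permission.valueOf(access);
    acl.grantPermission(grantee, permission);
    s3.setObjectAcl(bucket_name, object_key, acl);
} catch (AmazonServiceException e) {
    System.err.println(e.getErrorMessage());
    System.exit(1);
}
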
Note

You can provide the grantee’s unique identifier directly using the Grantee class, or use the EmailAddressGrantee class to set the grantee by email, as we’ve done here.

See the complete example on GitHub.

More Information