I'm using the AWS CLI to apply an ACL policy to an object in S3. This is the command I used:
aws s3api put-object-acl --bucket XXXX --key XXXX --acl bucket-owner-full-control --grant-read uri=http://acs.amazonaws.com/groups/global/AllUsers
This command gives an error in return
An error occurred (InvalidRequest) when calling the PutObjectAcl operation: Specifying both Canned ACLs and Header Grants is not allowed
How do I apply both canned ACLs and header grants to an object?
I tried giving only the canned ACL the first time (aws s3api put-object-acl --bucket XXXX --key XXXX --acl bucket-owner-full-control) and it applied, but when I ran it a second time, excluding the canned ACL and including header grants (aws s3api put-object-acl --bucket XXXX --key XXXX --grant-read uri=http://acs.amazonaws.com/groups/global/AllUsers), the changes got overridden. It included only the header grants.
Can you please help me out with this issue?
You cannot do that; you have to use either the canned ACL or the header grants.
You can include email address of bucket owner to grant full control and for others read access.
I mean, include the bucket owner details and run a command something like the one below, as stated in the AWS documentation example.
aws s3api put-object-acl --bucket MyBucket --key file.txt --grant-full-control emailaddress=user1@example.com,emailaddress=user2@example.com --grant-read uri=http://acs.amazonaws.com/groups/global/AllUsers
See the Note in AWS documentation.
Note
You can either use a canned ACL or specify access permissions explicitly. You cannot do both.
https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUT.html
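An added example, not part of the original answer or of AWS's documentation: because put-object-acl replaces the whole ACL, one way to keep the grants left by the canned ACL and add the read grant is to merge the output of aws s3api get-object-acl with the new grant and apply the result in a single call. The function names and the sample ACL below are constructed for illustration; the canonical IDs are placeholders.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # URI from the question
PUBLIC_GROUPS = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def grant_key(grant):
    """Identify a grant by grantee (ID, URI or e-mail address) and permission."""
    grantee = grant["Grantee"]
    ident = grantee.get("ID") or grantee.get("URI") or grantee.get("EmailAddress")
    return (grantee["Type"], ident, grant["Permission"])


def merge_acl(current, extra_grants):
    """Keep every grant already on the object and append the new ones once."""
    merged, seen = [], set()
    for grant in list(current["Grants"]) + list(extra_grants):
        if grant_key(grant) not in seen:
            seen.add(grant_key(grant))
            merged.append(grant)
    return {"Owner": current["Owner"], "Grants": merged}


def public_grants(policy):
    """Grants to the AllUsers / AuthenticatedUsers groups, to review before applying."""
    return [g for g in policy["Grants"] if g["Grantee"].get("URI") in PUBLIC_GROUPS]


def public_read_grant():
    return {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}


# Constructed sample in the shape `aws s3api get-object-acl` prints after
# `--acl bucket-owner-full-control`; the IDs are placeholders, not real accounts.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "uploader", "ID": "OBJECT-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OBJECT-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "BUCKET-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    policy = merge_acl(SAMPLE_ACL, [public_read_grant()])
    for g in public_grants(policy):
        print("public grant:", g["Permission"], g["Grantee"]["URI"])
    # Write this JSON to acl.json for --access-control-policy file://acl.json
    print(json.dumps(policy, indent=2))
```

The merged document can be applied with aws s3api put-object-acl --bucket XXXX --key XXXX --access-control-policy file://acl.json, which sets the owner grants and the read grant together instead of one overwriting the other.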
I have tried to change the ACL configuration of a file in s3 through the command line, but it showed the error
Parameter validation failed:
Invalid bucket name
The problem is that the file I want to access has a structure such as follows:
data/folder1/folder2/folder3/file
I tried to access using the code
aws s3api put-object-acl --bucket s3://data/folder1/folder2/folder3/ --key file --acl public-read
How should I specify this?
Thank you very much!
Lluc
The bucket name doesn't need the s3:// prefix when using put-object-acl:
$ aws s3api put-object-acl --bucket flomics-public --key 'lluc/ext-controls/data/folder1/folder2/folder3/file' --acl public-read
aws s3 cp s3://arxiv/pdf/arXiv_pdf_0001_001.tar s3://bucket --request-payer requester
fails with
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
But if I do
aws s3 cp s3://arxiv/pdf/arXiv_pdf_0001_001.tar . --request-payer requester
it works fine
Additionally this also works, but it only copies one file at a time:
aws s3api copy-object --copy-source arxiv/pdf/arXiv_pdf_0001_001.tar --request-payer requester --key arXiv_pdf_0001_001.tar --bucket arxivmanifest
What's going on?
When I ran the first command, it gave the error:
An error occurred (AccessDenied) when calling the GetObjectTagging operation: Access Denied
This is because the aws s3 cp command does more than just copy the file by also attempting to copy tagging (it seems). It would also seem that the bucket has not granted permissions for the GetObjectTagging API call.
In contrast, the aws s3api copy-object command issues a single API call. In fact, all s3api commands map to a specific API call. The aws s3 commands are 'higher level' commands that do more (such as enabling a --recursive copy).
I want to see the existing configuration for an S3 bucket, so that I can steal and tweak it for my own purposes, in a variety of cases. However, I am not seeing an option I would expect:
aws s3api describe-bucket --bucket BucketName
Akin to the EMR describe cluster option that does exist:
aws emr describe-cluster --cluster-id j-1PGB1J30TZHQF
There is no single API call or CLI invocation to return the configuration of an S3 bucket, that I'm aware of.
You'd need to query a number of different things, for example its bucket policy, its CORS configuration, any ACLs, transfer acceleration configuration, tags, and more.
All of these things are available from the awscli, for example:
aws s3api get-bucket-policy --bucket X
aws s3api get-bucket-cors --bucket X
aws s3api get-bucket-location --bucket X
aws s3api get-bucket-versioning --bucket X
How would I set the S3 Bucket Permissions for Public Access to 'Everyone' for Read Files using AWS CLI?
The documentation does not have a clear specification of how to do this, and I have tried multiple variations. My end goal is to make the bucket a static site server bucket.
S3 bucket ACL permissions are set after the bucket is created. I achieved a public file read bucket using this command:
aws s3api put-bucket-acl --bucket ${SITE_NAME} --acl public-read
After creating the bucket:
aws s3api create-bucket --bucket ${SITE_NAME} --region ap-southeast-2 --create-bucket-configuration LocationConstraint=ap-southeast-2
Hope the below command will help you to make the s3 object public through the AWS CLI command.
aws s3api put-object-acl --bucket <bucketname> --key <object name with extension> --grant-read uri=http://acs.amazonaws.com/groups/global/AllUsers
I have an Amazon bucket with hundreds of thousands of objects. I just uploaded a new file using their AWS console, but I can't get to it in their console as I must scroll down a thousand times!
I tried to make the folder public, but it loops over all objects. I also downloaded BucketExplorer, but it downloads the index of all objects, which takes much time!
So, is there any way to edit the permission for a specific object on Amazon S3 remotely?!
You can upload the objects again with the AWS CLI S3 and add the ACL in the options to public read. OR if that is not an option and you know the key of the new objects you can use the AWS CLI s3api command to edit the ACL with the s3api put-object-acl command.
S3 cp Example
Copies test.txt file to the S3 bucket mybucket with the name of test2.txt and sets the ACL to public-read
aws s3 cp test.txt s3://mybucket/test2.txt --acl public-read
--acl (string) Sets the ACL for the object when the command is performed. If you use this parameter you must have the "s3:PutObjectAcl" permission included in the list of actions for your IAM policy. Only accepts values of private, public-read, public-read-write, authenticated-read, aws-exec-read, bucket-owner-read, bucket-owner-full-control and log-delivery-write. See Canned ACL for details
S3api Example
Sets the ACL to public read for object file.txt in bucket MyBucket
aws s3api put-object-acl --bucket MyBucket --key file.txt --acl public-read
AWS CLI S3 CP command
http://docs.aws.amazon.com/cli/latest/reference/s3/cp.html
AWS CLI s3api command
http://docs.aws.amazon.com/cli/latest/reference/s3api/put-object-acl.html
Have you looked into granting GetObject permissions via bucket policy? The policy would apply to objects where the bucket owner is also the object owner.
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html