What are ACLs?
ACLs, or Access Control Lists, are sets of rules that determine who has access to objects stored in Object Storage and what actions they are allowed to perform on those objects. Proper configuration of ACLs helps ensure the security of stored data.
Info: The storage owner is responsible for configuring ACLs. Use the commands from the AWS CLI or S3cmd documentation to manage ACLs for objects in Gcore Object Storage.
AWS CLI | S3cmd | Description |
---|---|---|
--public-read | --acl-public | Making an object publicly accessible |
--private | --acl-private | Making an object private |
--grant-full-control | --acl-grant=full-control | Granting full control over the bucket |
--grant-read | --acl-grant=read | Allowing the listing of objects in the bucket |
--grant-read-acp | --acl-grant=read_acp | Allowing the reading of ACLs |
--grant-write | --acl-grant=write | Allowing recording, overwriting, and deleting of objects |
What are policies?
Policies are JSON files that provide a more detailed way to control access to objects and buckets. They allow you to specify which actions a specific user or all users are allowed or denied to perform. The maximum request size in the policy is 20 KB.
Note: The storage owner is responsible for configuring policies. Use the actions, conditions, and resource types from the AWS CLI documentation to manage policies for objects in Gcore Object Storage.

Configure access via ACLs and policies
We’ve provided examples of ACLs and policies for some common tasks in managing Object Storage. In all the commands and JSON files, you need to replace the following with your values:
- Replace sample.jpg with your object.
- Replace my_bucket with your bucket.
- Replace <https://s-ed1.cloud.gcore.lu> with your hostname.
Allow an object downloading by ACL
To allow all users to download an object, use the following command with the public ACL action --acl public-read (AWS CLI) or --acl public (S3cmd).
AWS CLI:

Allow listing of a bucket by ACL
To allow all users to list objects in a bucket, use the following command with the public ACL action --grant-read (AWS CLI) or --acl-grant=read (S3cmd).
AWS CLI:

Allow an object downloading by policy
To allow all users to download an object:
1. Create a JSON file with the following policy:

Deny access to a bucket (hide a directory) by policy
To deny all users access to the “s3:GetObject” operation on a specific directory in a bucket while still allowing access to the higher-level bucket:
1. Create a JSON file with the following policy:

Allow requests from a particular IP by policy
To allow requests to the storage bucket from a specified IP address:
1. Create a JSON file with the following policy:

Allow requests from a particular website by policy
To allow referrals to the storage bucket from specified websites:
1. Create a JSON file with the following policy:
Replace <http://www.example.com/> and <http://example.com/> with your desired websites.
2. Apply the policy to the bucket with the following command.
AWS CLI:
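
Added example, not part of the Gcore documentation: a Python check to run on a policy file before applying it, which flags statements that grant access to all users with no condition or with only a referer condition, and enforces the 20 KB limit stated above. It assumes the policy uses the AWS-style grammar with the `aws:SourceIp` and `aws:Referer` condition keys; `audit_policy` is a hypothetical helper name and every value in the sample policy is constructed.

```python
import json

MAX_POLICY_BYTES = 20 * 1024  # the page's 20 KB limit, assumed to mean 20 * 1024 bytes

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_everyone(principal):
    # "*" and {"AWS": "*"} / {"AWS": ["*"]} all mean "all users"
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_policy(policy_text):
    """Return (sid, finding) tuples for statements that need a second look."""
    findings = []
    if len(policy_text.encode("utf-8")) > MAX_POLICY_BYTES:
        findings.append((None, "policy exceeds 20 KB"))
    policy = json.loads(policy_text)
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        sid = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Effect") != "Allow" or not _is_everyone(stmt.get("Principal")):
            continue
        # Gather the condition keys used under every operator, case-insensitively
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys:
            findings.append((sid, "public: allows all users with no condition"))
        elif keys == {"aws:referer"}:
            findings.append((sid, "referer-only: header is client-supplied, not authentication"))
    return findings

# Constructed sample covering the four policy scenarios on this page
SAMPLE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicGet", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my_bucket/sample.jpg"},
        {"Sid": "FromOffice", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my_bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.10/32"}}},
        {"Sid": "FromSite", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my_bucket/*",
         "Condition": {"StringLike": {"aws:Referer": ["http://www.example.com/*"]}}},
        {"Sid": "HideDir", "Effect": "Deny", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my_bucket/private/*"},
    ],
})

if __name__ == "__main__":
    for sid, finding in audit_policy(SAMPLE):
        print(sid, "->", finding)
```

A referer-only statement is reported because the Referer header is set by the client, so it limits hotlinking but does not restrict who can fetch the object.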