S3 Object ACL

AWS Docs:

  • https://docs.aws.amazon.com/sdk-for-ruby/v2/api/Aws/S3/ObjectAcl.html

BOTO3:

  • https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#objectacl

For example, the following x-amz-grant-read header grants list objects permission to the two AWS accounts identified by their email addresses.

x-amz-grant-read: emailAddress="xyz@amazon.com", emailAddress="abc@amazon.com"

KDDI:

"x-amz-acl": "public-read"

https://doc.cloud-platform.kddi.ne.jp/developer/object-storage-api/service/object/put-object-acl

Condition Keys

s3:x-amz-acl: Require a Canned ACL.

https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#CannedACL

Canned ACL (Amazon S3 supports a set of predefined grants)

public-read, etc.

https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#CannedACL

Object S3 Put

  acl: "private", # accepts private, public-read, public-read-write, authenticated-read, aws-exec-read, bucket-owner-read, bucket-owner-full-control

https://docs.aws.amazon.com/sdk-for-ruby/v2/api/Aws/S3/Object.html#put-instance_method

By default, all objects in Amazon S3 are private. You can then add permissions so that people can access your objects. This can be done via:

- Access Control List permissions on individual objects
- A Bucket Policy that grants wide-ranging access based on path, IP address, referrer, etc
- IAM Users and Groups that grant permissions to Users with AWS credentials
- Pre-Signed URLs

https://stackoverflow.com/questions/40518642/setting-specific-permission-in-amazon-s3-boto-bucket

Without ACL specified

Params={"Bucket": cls.BUCKET, "Key": object_name, "ContentType": content_type, 'ACL': 'public-read'},
[mike@mike-pc ~/Workspace/srush/CSVs][10:16:23][X][I][%][λ]> curl -X PUT -T 顧客リストmybridge_no_errors.xls -H "Content-Type: application/vnd.ms-excel" -H "test-meta: 123" -H "x-amz-acl: public-read" -L "https://srush-upload-dev.s3.amazonaws.com/import_clients/wsu-2_e44e1667-7102-4fab-9d20-d51a74ab71e6?AWSAccessKeyId=AKIAX3UKWX7PWLEXYAO6&Signature=eMwRdhTcDVvs6rC1%2FVxaMPxFkM0%3D&content-type=application%2Fvnd.ms-excel&Expires=1596937605"
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>AKIAX3UKWX7PWLEXYAO6</AWSAccessKeyId><StringToSign>PUT

application/vnd.ms-excel
1596937605
x-amz-acl:public-read
/srush-upload-dev/import_clients/wsu-2_e44e1667-7102-4fab-9d20-d51a74ab71e6</StringToSign><SignatureProvided>eMwRdhTcDVvs6rC1/VxaMPxFkM0=</SignatureProvided><StringToSignBytes>50 55 54 0a 0a 61 70 70 6c 69 63 61 74 69 6f 6e 2f 76 6e 64 2e 6d 73 2d 65 78 63 65 6c 0a 31 35 39 36 39 33 37 36 30 35 0a 78 2d 61 6d 7a 2d 61 63 6c 3a 70 75 62 6c 69 63 2d 72 65 61 64 0a 2f 73 72 75 73 68 2d 75 70 6c 6f 61 64 2d 64 65 76 2f 69 6d 70 6f 72 74 5f 63 6c 69 65 6e 74 73 2f 77 73 75 2d 32 5f 65 34 34 65 31 36 36 37 2d 37 31 30 32 2d 34 66 61 62 2d 39 64 32 30 2d 64 35 31 61 37 34 61 62 37 31 65 36</StringToSignBytes><RequestId>4F185B74DAC73838</RequestId><HostId>8dZd62L8jUBZIZIV8e0hXuTiOrvpQTUa6aB6Tj3QPGh1fCZV3QhjkGyytpc5EhUnYD5RjHPB7IM=</HostId></Error>% 
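
The StringToSign in the error above follows the Signature Version 2 query-string layout, and the x-amz-acl header is part of it, so the ACL is bound to the signature. The following is an added example, not code from the original page or from AWS: a local model of that check, where the secret key, bucket, object key and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

SECRET = "constructed-secret-key"             # constructed, not a real credential
RESOURCE = "/example-bucket/import/file.xls"  # constructed bucket and key
CONTENT_TYPE = "application/vnd.ms-excel"
EXPIRES = 1596937605


def canonical_amz_headers(headers):
    # Only x-amz-* headers are signed: lower-cased, sorted, one "name:value" line each.
    amz = {k.strip().lower(): v.strip() for k, v in headers.items()}
    return "".join(f"{k}:{v}\n" for k, v in sorted(amz.items()) if k.startswith("x-amz-"))


def string_to_sign(method, headers, content_md5=""):
    # Same layout as the <StringToSign> element in the error response above.
    head = "\n".join([method, content_md5, CONTENT_TYPE, str(EXPIRES)]) + "\n"
    return head + canonical_amz_headers(headers) + RESOURCE


def sign(headers, method="PUT"):
    # SigV2: Base64(HMAC-SHA1(secret, StringToSign)).
    mac = hmac.new(SECRET.encode(), string_to_sign(method, headers).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def accepted(url_signature, sent_headers):
    # The server rebuilds the string from the headers actually sent and compares.
    return hmac.compare_digest(sign(sent_headers), url_signature)


ACL = {"x-amz-acl": "public-read"}
OTHER = {"test-meta": "123"}          # not x-amz-*, so never part of the signature

url_without_acl = sign({})            # presigned with no ACL in Params
url_with_acl = sign(ACL)              # presigned with 'ACL': 'public-read'

if __name__ == "__main__":
    print(repr(string_to_sign("PUT", {**ACL, **OTHER})))
    print("no ACL signed, header sent:  ", accepted(url_without_acl, {**ACL, **OTHER}))
    print("ACL signed, header sent:     ", accepted(url_with_acl, {**ACL, **OTHER}))
    print("ACL signed, header left out: ", accepted(url_with_acl, OTHER))
```

In this model a URL holder cannot add or drop the ACL after signing: the headers sent must match the ones that were signed.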

With ACL specified


References

https://github.com/boto/boto3/issues/1070

https://boto3.amazonaws.com/v1/documentation/api/latest/guide/s3-presigned-urls.html#using-presigned-urls-to-perform-other-s3-operations