putBucketAcl method
- required String bucket,
- BucketCannedACL? acl,
- AccessControlPolicy? accessControlPolicy,
- String? contentMD5,
- String? expectedBucketOwner,
- String? grantFullControl,
- String? grantRead,
- String? grantReadACP,
- String? grantWrite,
- String? grantWriteACP,
Sets the permissions on an existing bucket using access control lists
(ACL). For more information, see Using
ACLs. To set the ACL of a bucket, you must have WRITE_ACP
permission.
You can use one of the following two ways to set a bucket's permissions:
- Specify the ACL in the request body
- Specify permissions using request headers
Access Permissions
You can set access permissions using one of the following methods:
-
Specify a canned ACL with the
x-amz-acl
request header. Amazon S3 supports a set of predefined ACLs, known as canned ACLs. Each canned ACL has a predefined set of grantees and permissions. Specify the canned ACL name as the value ofx-amz-acl
. If you use this header, you cannot use other access control-specific headers in your request. For more information, see Canned ACL. -
Specify access permissions explicitly with the
x-amz-grant-read
,x-amz-grant-read-acp
,x-amz-grant-write-acp
, andx-amz-grant-full-control
headers. When using these headers, you specify explicit access permissions and grantees (AWS accounts or Amazon S3 groups) who will receive the permission. If you use these ACL-specific headers, you cannot use thex-amz-acl
header to set a canned ACL. These parameters map to the set of permissions that Amazon S3 supports in an ACL. For more information, see Access Control List (ACL) Overview.You specify each grantee as a type=value pair, where the type is one of the following:
-
id
– if the value specified is the canonical user ID of an AWS account -
uri
– if you are granting permissions to a predefined group -
emailAddress
– if the value specified is the email address of an AWS account
x-amz-grant-write
header grants create, overwrite, and delete objects permission to LogDelivery group predefined by Amazon S3 and two AWS accounts identified by their email addresses.x-amz-grant-write: uri="http://acs.amazonaws.com/groups/s3/LogDelivery", id="111122223333", id="555566667777"
-
Grantee Values
You can specify the person (grantee) to whom you're assigning access rights (using request elements) in the following ways:
-
By the person's ID:
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID><>ID<></ID><DisplayName><>GranteesEmail<></DisplayName> </Grantee>
DisplayName is optional and ignored in the request
-
By URI:
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group"><URI><>http://acs.amazonaws.com/groups/global/AuthenticatedUsers<></URI></Grantee>
-
By Email address:
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AmazonCustomerByEmail"><EmailAddress><>Grantees@email.com<></EmailAddress>lt;/Grantee>
The grantee is resolved to the CanonicalUser and, in a response to a GET Object acl request, appears as the CanonicalUser.
- US East (N. Virginia)
- US West (N. California)
- US West (Oregon)
- Asia Pacific (Singapore)
- Asia Pacific (Sydney)
- Asia Pacific (Tokyo)
- Europe (Ireland)
- South America (São Paulo)
Related Resources
Parameter bucket
:
The bucket to which to apply the ACL.
Parameter acl
:
The canned ACL to apply to the bucket.
Parameter accessControlPolicy
:
Contains the elements that set the ACL permissions for an object per
grantee.
Parameter contentMD5
:
The base64-encoded 128-bit MD5 digest of the data. This header must be
used as a message integrity check to verify that the request body was not
corrupted in transit. For more information, go to RFC 1864.
For requests made using the AWS Command Line Interface (CLI) or AWS SDKs, this field is calculated automatically.
Parameter expectedBucketOwner
:
The account id of the expected bucket owner. If the bucket is owned by a
different account, the request will fail with an HTTP 403 (Access
Denied)
error.
Parameter grantFullControl
:
Allows grantee the read, write, read ACP, and write ACP permissions on the
bucket.
Parameter grantRead
:
Allows grantee to list the objects in the bucket.
Parameter grantReadACP
:
Allows grantee to read the bucket ACL.
Parameter grantWrite
:
Allows grantee to create, overwrite, and delete any object in the bucket.
Parameter grantWriteACP
:
Allows grantee to write the ACL for the applicable bucket.
Implementation
Future<void> putBucketAcl({
required String bucket,
BucketCannedACL? acl,
AccessControlPolicy? accessControlPolicy,
String? contentMD5,
String? expectedBucketOwner,
String? grantFullControl,
String? grantRead,
String? grantReadACP,
String? grantWrite,
String? grantWriteACP,
}) async {
ArgumentError.checkNotNull(bucket, 'bucket');
final headers = <String, String>{
if (acl != null) 'x-amz-acl': acl.toValue(),
if (contentMD5 != null) 'Content-MD5': contentMD5.toString(),
if (expectedBucketOwner != null)
'x-amz-expected-bucket-owner': expectedBucketOwner.toString(),
if (grantFullControl != null)
'x-amz-grant-full-control': grantFullControl.toString(),
if (grantRead != null) 'x-amz-grant-read': grantRead.toString(),
if (grantReadACP != null) 'x-amz-grant-read-acp': grantReadACP.toString(),
if (grantWrite != null) 'x-amz-grant-write': grantWrite.toString(),
if (grantWriteACP != null)
'x-amz-grant-write-acp': grantWriteACP.toString(),
};
await _protocol.send(
method: 'PUT',
requestUri: '/${Uri.encodeComponent(bucket)}?acl',
headers: headers,
payload: accessControlPolicy?.toXml('AccessControlPolicy'),
exceptionFnMap: _exceptionFns,
);
}