I want to give read permission to all the files inside a folder in S3 using Java. I am doing folder upload using TransferManager but I did not find any API to set ACL on the directory level:
MultipleFileUpload upload = transferManager.uploadDirectory(bucketName, uploadDirectory, new File(folderName), true);
I know that I can set ACL of an S3 object using:
s3.setObjectAcl(bucketName, key, acl);
But I want to do it on all files at once in a folder. Is there any way to do it?
If the IAM user and S3 bucket belong to the same AWS account, then you can grant the user access to a specific bucket folder using an IAM policy. As long as the bucket policy doesn't explicitly deny the user access to the folder, you don't need to update the bucket policy if access is granted by the IAM policy.
Amazon S3 access control lists (ACLs) enable you to manage access to buckets and objects. Each bucket and object has an ACL attached to it as a subresource. It defines which AWS accounts or groups are granted access and the type of access.
ACLs were the first authorization mechanism in S3. Bucket policies are the newer method, and the method used for almost all AWS services. Policies can implement very complex rules and permissions; ACLs are simplistic (they have ALLOW but no DENY). To manage S3 you need a solid understanding of both.
In S3, there is no such thing as folders, only buckets and keys. Keys that share a common prefix are grouped together in the console for your convenience but under the hood, the structure is completely flat. As a result, there is no way to set the ACL for a folder. But there are some workarounds.
Depending on what permissions you want to grant and to whom, you can grant access rights to all keys in a "folder" using a bucket policy. This example allows anyone to get any key under the folder path/to/folder/ from bucket my-bucket. Here's a list of possible actions and a list of possible principals from the docs.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "SimulateFolderACL",
          "Effect": "Allow",
          "Principal": "*",
          "Action": ["s3:GetObject"],
          "Resource": ["arn:aws:s3:::my-bucket/path/to/folder/*"]
        }
      ]
    }
You can also loop through all the keys and apply the ACL directly like you mentioned using s3.setObjectAcl(bucketName, key, acl). You can filter the keys by the folder prefix so you don't have to check each key name directly. After the directory is uploaded, you can do something like this:
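    import com.amazonaws.services.s3.model.ListObjectsRequest;
    import com.amazonaws.services.s3.model.ObjectListing;
    import com.amazonaws.services.s3.model.S3ObjectSummary;

    // We only want the keys that are in the folder
    ListObjectsRequest listObjectsRequest = new ListObjectsRequest()
            .withBucketName("my-bucket")
            .withPrefix("path/to/folder/");
    ObjectListing objectListing;
    // Iterate over all the matching keys, one page of results at a time
    do {
        objectListing = s3client.listObjects(listObjectsRequest);
        for (S3ObjectSummary objectSummary : objectListing.getObjectSummaries()) {
            // Apply the ACL to this key (acl is the ACL you want to set, as in the question)
            s3client.setObjectAcl(objectSummary.getBucketName(), objectSummary.getKey(), acl);
        }
        // Continue from where the previous page ended
        listObjectsRequest.setMarker(objectListing.getNextMarker());
    } while (objectListing.isTruncated());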
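A local check of which keys the bucket policy above makes publicly readable, added here as an example (it is not part of the original answer or of the AWS SDK). The sample keys are constructed, and the check looks only at unconditional Allow statements in the policy document; it does not model Deny statements, object ACLs or Block Public Access settings.

```python
import json
import re

# Bucket policy from the answer above, copied as-is.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "SimulateFolderACL",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject"],
    "Resource": ["arn:aws:s3:::my-bucket/path/to/folder/*"]
  }]
}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_match(pattern, text, ignore_case=False):
    # Policy wildcards: '*' is any run of characters (including '/'), '?' is one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.fullmatch(regex, text, flags) is not None

def is_anonymous(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def publicly_readable(policy, bucket, keys):
    """Keys covered by an unconditional public Allow for s3:GetObject in this policy."""
    exposed = []
    for key in keys:
        arn = f"arn:aws:s3:::{bucket}/{key}"
        for stmt in as_list(policy.get("Statement", [])):
            if stmt.get("Effect") != "Allow" or "Condition" in stmt:
                continue
            if not is_anonymous(stmt.get("Principal")):
                continue
            actions = as_list(stmt.get("Action", []))
            if not any(wildcard_match(a, "s3:GetObject", True) for a in actions):
                continue
            if any(wildcard_match(r, arn) for r in as_list(stmt.get("Resource", []))):
                exposed.append(key)
                break
    return exposed

# Constructed sample keys (not from the original post).
SAMPLE_KEYS = ["path/to/folder/a.txt", "path/to/folder/sub/deep/b.png",
               "path/to/folder", "path/to/folder-old/c.txt", "path/to/other/d.txt"]
```

Because the structure is flat, the trailing `*` also covers keys in nested "subfolders", while sibling prefixes such as `path/to/folder-old/` stay outside the grant.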