Updated on 2026-04-16 GMT+08:00

Configuring a Bucket ACL

Functions

You can configure a bucket ACL when creating a bucket or call this API to configure a bucket ACL after the bucket is created. For more information about configuring bucket ACLs, see Configuring a Bucket ACL.

For details about how to use bucket ACLs to manage permissions, see the permission control in the OBS Permission Configuration Guide.

Constraints

  • A bucket ACL supports a maximum of 100 grants.
  • This API is idempotent. A new bucket ACL will overwrite the original bucket ACL. To modify or delete an ACL, create a new ACL using the PUT method.

Authorization Information

To call this API, you must be the bucket owner or have the permission to configure a bucket ACL. You are advised to use IAM or bucket policies for authorization. For details about OBS authorization methods, see Differences Between OBS Permissions Control Methods.

  • If you use IAM for authorization, you need to use either role/policy-based authorization or identity policy-based authorization and configure the required permissions:
    • If you use role/policy-based authorization (IAM v3 APIs in the old IAM version), you need to grant the obs:bucket:PutBucketAcl permission. For details, see Creating a Custom IAM Policy.
    • If you use identity policy-based authorization (IAM v5 APIs in the new IAM version), you need to grant the obs:bucket:putBucketAcl permission, as shown in the following table. For details, see Creating a Custom IAM Identity Policy.

      Action                   Access Level           Resource Type (*: Required)  Condition Key  Alias  Dependencies
      obs:bucket:putBucketAcl  Permission_management  bucket *                     -              -      -

      • obs:EpochTime
      • obs:SourceIp
      • obs:TlsVersion
      • obs:CustomDomain
      • obs:x-obs-acl
  • If you use bucket policies for authorization, you need to grant the obs:bucket:PutBucketAcl permission. For details, see Creating a Custom Bucket Policy.

Request Syntax

PUT /?acl HTTP/1.1 
Host: bucketname.obs.region.myhuaweicloud.com 
Date: date
Authorization: authorization
Content-Type: application/xml 
Content-Length: length

<AccessControlPolicy> 
    <Owner> 
        <ID>ID</ID> 
    </Owner> 
    <AccessControlList> 
        <Grant> 
            <Grantee>
               <ID>domainId</ID>
            </Grantee> 
            <Permission>permission</Permission> 
            <Delivered>false</Delivered>
        </Grant>
    </AccessControlList> 
</AccessControlPolicy>

URI Parameters

This request contains no parameters.

Request Headers

You can change the ACL of a bucket by using the header settings. Each ACL configured with the header setting has a set of predefined grantees and authorized permissions. If you want to authorize access permissions by adding the header to a request, you must add the following header and specify the value.

Table 1 Optional header for specifying canned ACLs

x-obs-acl
  Type: String
  Mandatory (Yes/No): No
  Definition: Uses the canned ACL for a bucket.
  Constraints: None
  Range:
    • private
    • public-read
    • public-read-write
    • public-read-delivered
    • public-read-write-delivered
    For details about each policy, see "Configuring an ACL Using Header Fields" in ACLs.
  Default Value: private

Request Body

This request carries ACL information in elements to specify an ACL. Table 2 describes the elements.

Table 2 Request body parameters

Owner
  Type: XML
  Mandatory (Yes/No): Yes
  Definition: Owner information of a bucket. Owner is a parent node of ID.
  Constraints: None

ID
  Type: String
  Mandatory (Yes/No): Yes
  Definition: Account ID of the bucket owner.
  Constraints: None
  Range: None
  Default Value: None

AccessControlList
  Type: XML
  Mandatory (Yes/No): Yes
  Definition: Access control list, which is the parent node of Grant.
  Constraints: None

Grant
  Type: XML
  Mandatory (Yes/No): No
  Definition: Used to identify users and user permissions. It is the parent node of Grantee, Permission and Delivered.
  Constraints: A single bucket can contain at most 100 grants in its ACL.

Grantee
  Type: XML
  Mandatory (Yes/No): No
  Definition: Records user information and is the parent node of the authorized account ID.
  Constraints: None

ID
  Type: String
  Mandatory (Yes/No): No
  Definition: Account ID of the authorized user.
  Constraints: None
  Range: None
  Default Value: None

Canned
  Type: String
  Mandatory (Yes/No): No
  Definition: Grants permissions to all users.
  Constraints: None
  Range: Everyone
  Default Value: None

Permission
  Type: String
  Mandatory (Yes/No): Yes
  Definition: Permissions to be granted. For details, see access permissions controlled by a bucket ACL.
  Constraints: None
  Range:
    • READ: Grants the permission to obtain the list of objects in the bucket and the metadata of the bucket.
    • READ_ACP: Grants the permission to read the ACL of the bucket.
    • WRITE: Grants the permission to upload objects to the bucket and to delete or overwrite existing objects in a bucket.
    • WRITE_ACP: Grants the permission to update the ACL of the bucket.
    • FULL_CONTROL: Grants the permission to read, write, read ACL, and write ACL of the bucket.
  Default Value: None

Delivered
  Type: Boolean
  Mandatory (Yes/No): No
  Definition: Whether the bucket ACL is applied to all objects in the bucket.
  Constraints: None
  Range:
    • true: The bucket ACL is applied to all objects in the bucket.
    • false: The bucket ACL is not applied to any objects in the bucket.
  Default Value: false

Response Syntax

HTTP/1.1 status_code
Date: date
Content-Length: length

Response Headers

This response uses common headers. For details, see Table 1.

Response Body

The response of this API does not contain a response body.

Error Responses

No special error responses are returned. For details about error responses, see Table 2.

Sample Request

PUT /?acl HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: WED, 01 Jul 2015 02:37:22 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:iqSPeUBl66PwXDApxjRKk6hlcN4=
Content-Length: 727

<AccessControlPolicy xmlns="http://obs.ap-southeast-1.myhuaweicloud.com/doc/2015-06-30/">
  
  <Owner> 
    <ID>b4bf1b36d9ca43d984fbcb9491b6fce9</ID> 
  </Owner>  
  <AccessControlList> 
    <Grant> 
      <Grantee> 
        <ID>b4bf1b36d9ca43d984fbcb9491b6fce9</ID> 
      </Grantee>  
      <Permission>FULL_CONTROL</Permission> 
    </Grant>  
    <Grant> 
      <Grantee> 
        <ID>783fc6652cf246c096ea836694f71855</ID> 
      </Grantee>  
      <Permission>READ</Permission>  
      <Delivered>false</Delivered> 
    </Grant>  
    <Grant> 
      <Grantee> 
        <Canned>Everyone</Canned> 
      </Grantee>  
      <Permission>READ_ACP</Permission> 
    </Grant> 
  </AccessControlList> 
</AccessControlPolicy>

Sample Response

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF2600000164361F2954B4D063164704
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCT78HTIBuhe0FbtSptrb/akwELtwyPKs
Date: WED, 01 Jul 2015 02:37:22 GMT
Content-Length: 0

Sample Request: Specifying Access Permissions Using Headers

PUT /?acl HTTP/1.1
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:iqSPeUBl66PwXDApxjRKk6hlcN4=
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
x-obs-acl: private
Date: WED, 01 Jul 2015 02:37:22 GMT
Content-Type: application/xml

Sample Response: Specifying Access Permissions Using Headers

x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSmpL2dv6zZLM2HmUrXKTAi258MPqmrp
x-obs-request-id: 0000018A2A73AF59D3085C8F8ABF0C65
Server: OBS
Content-Length: 0
Date: WED, 01 Jul 2015 02:37:22 GMT
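
A pre-flight check for the request described on this page, as an added example (not Huawei Cloud code and not part of any OBS SDK): because a PUT overwrites the whole bucket ACL, it lints the planned x-obs-acl value and AccessControlPolicy body against the documented ranges and flags grants to Everyone and write-level grants to accounts other than the owner. The name lint_acl, the severity labels and the sample account IDs are assumptions of this example; it needs Python 3.8 or later for the {*} namespace wildcard.

```python
import xml.etree.ElementTree as ET

# Allowed values copied from the tables on this page.
PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}
CANNED_ACLS = {"private", "public-read", "public-read-write",
               "public-read-delivered", "public-read-write-delivered"}
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Constructed sample body; the account IDs are placeholders.
SAMPLE = """<AccessControlPolicy><Owner><ID>owner-id</ID></Owner><AccessControlList>
<Grant><Grantee><ID>other-id</ID></Grantee><Permission>WRITE</Permission><Delivered>true</Delivered></Grant>
<Grant><Grantee><Canned>Everyone</Canned></Grantee><Permission>READ_ACP</Permission></Grant>
</AccessControlList></AccessControlPolicy>"""

def _get(elem, path):
    """Stripped text at path; '{*}' matches a tag with or without a namespace."""
    return (elem.findtext(path) or "").strip()

def lint_acl(body_xml=None, x_obs_acl=None):
    """Return (severity, message) findings for a planned PUT /?acl request."""
    out = []
    if x_obs_acl is not None and x_obs_acl not in CANNED_ACLS:
        out.append(("error", f"x-obs-acl {x_obs_acl!r} is not a canned ACL"))
    elif x_obs_acl not in (None, "private"):
        out.append(("high", f"x-obs-acl {x_obs_acl!r} is a public canned ACL"))
    if body_xml is None:
        return out
    root = ET.fromstring(body_xml)  # for XML you authored, not untrusted input
    owner_id = _get(root, "{*}Owner/{*}ID")
    if not owner_id:
        out.append(("error", "Owner/ID is mandatory"))
    grants = root.findall("{*}AccessControlList/{*}Grant")
    if len(grants) > 100:  # a bucket ACL supports a maximum of 100 grants
        out.append(("error", f"{len(grants)} grants, limit is 100"))
    for n, grant in enumerate(grants, 1):
        perm, who = _get(grant, "{*}Permission"), _get(grant, "{*}Grantee/{*}ID")
        if perm not in PERMISSIONS:
            out.append(("error", f"grant {n}: invalid permission {perm!r}"))
        elif _get(grant, "{*}Grantee/{*}Canned") == "Everyone":
            sev = "high" if perm in WRITE_LIKE else "medium"
            out.append((sev, f"grant {n}: Everyone has {perm}"))
        elif who != owner_id and perm in WRITE_LIKE:
            out.append(("medium", f"grant {n}: account {who} has {perm}"))
        if _get(grant, "{*}Delivered") == "true":
            out.append(("info", f"grant {n}: ACL is also applied to objects"))
    return out

if __name__ == "__main__":
    print(*lint_acl(SAMPLE, x_obs_acl="public-read"), sep="\n")
```

Run it against the ACL you are about to send and review every finding before issuing the PUT, since the request replaces all existing grants.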

Using SDKs to Call APIs

You are advised to use OBS SDKs to call APIs. SDKs encapsulate APIs to simplify development. You can call SDK API functions to access OBS without manually calculating signatures.
