Help Center/ Object Storage Service/ API Reference/ Object APIs/ Object ACLs/ Obtaining Object ACL Configuration
Updated on 2026-04-16 GMT+08:00

Obtaining Object ACL Configuration

Functions

This API is used to obtain the ACL configuration of an object. For more information about object ACLs, see Configuring an Object ACL.

Versioning

By default, this operation obtains the ACL of the latest version of an object. If the object has a delete marker, status code 404 is returned. To obtain the ACL of a specified version, the versionId parameter can be used to specify the desired version.

Authorization Information

To call this API, you must be the object owner or have the permissions to obtain the ACL configuration of an object. You are advised to use IAM or bucket policies for authorization. For details about OBS authorization methods, see Differences Between OBS Permissions Control Methods.

  • If you use IAM for authorization, you need to use either role/policy-based authorization or identity policy-based authorization and configure the required permissions:
    • If you use role/policy-based authorization (IAM v3 APIs in the old IAM version), you need to grant the obs:object:GetObjectAcl (versioning disabled) and obs:object:GetObjectVersionAcl (versioning enabled or suspended) permissions. For details, see Creating a Custom IAM Policy.
    • If you use identity policy-based authorization (IAM v5 APIs in the new IAM version), you need to grant the obs:object:getObjectAcl (versioning disabled) and obs:object:getObjectVersionAcl (versioning enabled or suspended) permissions, as shown in the following table. For details, see Creating a Custom IAM Identity Policy.

      Action

      Access Level

      Resource Type (*: Required)

      Condition Key

      Alias

      Dependencies

      obs:object:getObjectAcl (versioning disabled)

      obs:object:getObjectVersionAcl (versioning enabled or suspended)

      Read

      object *

      g:EnterpriseProjectId

      -

      -

      -

      • obs:EpochTime
      • obs:SourceIp
      • obs:TlsVersion
      • obs:CustomDomain
  • If you use bucket policies for authorization, you need to grant the obs:object:GetObjectAcl (versioning disabled) and obs:object:GetObjectVersionAcl (versioning enabled or suspended) permissions. For details, see Creating a Custom Bucket Policy.

Request Syntax

1
2
3
4
GET /ObjectName?acl HTTP/1.1 
Host: bucketname.obs.region.myhuaweicloud.com 
Date: date
Authorization: authorization

URI Parameters

The request URI parameters required are described in Table 1.

Table 1 URI parameters

Parameter

Mandatory (Yes/No)

Type

Description

acl

Yes

String

Definition:

Indicates that the request is to obtain the object ACL.

Constraints:

None

Range:

None

Default value:

None

versionId

No

String

Definition:

Version number of an object. For details about how to obtain the version ID of an object, see Listing Objects in a Bucket.

Constraints:

None

Range:

The value must contain 32 characters.

Default value:

None. If this parameter is not configured, the latest version of the object is specified.

Request Headers

This request uses common headers. For details, see Table 3.

Request Body

This request contains no request body parameters.

Response Syntax

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
HTTP/1.1 status_code
Date: date
Content-Length: length
Content-Type: application/xml 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<AccessControlPolicy xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/">
    <Owner> 
        <ID>id</ID> 
    </Owner> 
    <Delivered>true</Delivered>
    <AccessControlList> 
        <Grant> 
            <Grantee> 
                <ID>id</ID> 
            </Grantee> 
            <Permission>permission</Permission> 
        </Grant> 
    </AccessControlList> 
</AccessControlPolicy>

Response Headers

This response uses common headers. For details, see Table 1.

In addition to the common response headers, the headers listed in Table 2 may be used.

Table 2 Response Headers

Parameter

Type

Description

x-obs-version-id

String

Definition:

Version number of an object.

Range:

The value must contain 32 characters.

Response Body

The response message of the request returns the ACL information of the object. Table 3 describes the elements.

Table 3 Response body parameters

Parameter

Type

Description

AccessControlList

XML

Definition:

List of users and their permissions for the bucket. AccessControlList is the parent node of Grant, Grantee, and Permission.

Range:

For details, see Table 4.

ID

String

Definition:

Domain ID of the user.

Range:

None

Delivered

Boolean

Definition:

Whether an object ACL inherits the ACL of a bucket.

Range:

  • true: The object inherits the bucket ACL.
  • false: The object does not inherit the bucket ACL.
Table 4 AccessControlList parameters

Parameter

Type

Description

Grant

XML

Definition:

Used to identify users and their permissions. Grant is the parent node of Grantee and Delivered.

Range:

None

Grantee

XML

Definition:

Grantee information.

Range:

None

Permission

String

Definition:

Permissions of a specified user for the bucket.

Range:

  • READ: Allows the grantee to obtain the object content and metadata.
  • READ_ACP: Allows the grantee to read the ACL attributes of an object.
  • WRITE_ACP: Allows the grantee to update the ACL of an object.
  • FULL_CONTROL: The grantee has the READ, READ_ACP, and WRITE_ACP permissions on the object.

Error Responses

No special error responses are returned. For details about error responses, see Table 2.

Sample Request

1
2
3
4
5
6
GET /object011?acl HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: WED, 01 Jul 2015 04:45:55 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:YcmvNQxItGjFeeC1K2HeUEp8MMM=

Sample Response

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: 8DF400000163D3E650F3065C2295674C
x-obs-id-2: 32AAAQAAEAABAAAQAAEAABAAAQAAEAABCS+wsHqRuA2Tx+mXUpNtBbWLPMle9CIx
Content-Type: application/xml
Date: WED, 01 Jul 2015 04:45:55 GMT
Content-Length: 769

<?xml version="1.0" encoding="utf-8"?>
<AccessControlPolicy xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/">
  <Owner> 
    <ID>b4bf1b36d9ca43d984fbcb9491b6fce9</ID> 
  </Owner>  
  <Delivered>false</Delivered> 
  <AccessControlList> 
    <Grant> 
      <Grantee> 
        <ID>b4bf1b36d9ca43d984fbcb9491b6fce9</ID> 
      </Grantee>  
      <Permission>FULL_CONTROL</Permission> 
    </Grant>  
    <Grant> 
      <Grantee> 
        <ID>783fc6652cf246c096ea836694f71855</ID> 
      </Grantee>  
      <Permission>READ</Permission>  
      </Grant>  
    <Grant> 
      <Grantee> 
        <Canned>Everyone</Canned> 
      </Grantee>  
      <Permission>READ_ACP</Permission> 
    </Grant> 
  </AccessControlList> 
</AccessControlPolicy>

Sample Request: Obtaining the ACL of a Specific Object Version

GET /object01?acl&versionId=G001118A6803675AFFFFD3043F7F91D0 HTTP/1.1
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:iqSPeUBl66PwXDApxjRKk6hlcN4=
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Date: WED, 01 Jul 2015 02:37:22 GMT
Content-Type: application/xml

Sample Response: Obtaining the ACL of a Specific Object Version

x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSmpL2dv6zZLM2HmUrXKTAi258MPqmrp
x-obs-request-id: 0000018A2A73AF59D3085C8F8ABF0C65
Server: OBS
Content-Length: 0
Date: WED, 01 Jul 2015 02:37:22 GMT
x-obs-version-id: G001118A6803675AFFFFD3043F7F91D0
 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AccessControlPolicy  xmlns="http://obs.myhwclouds.com/doc/2015-06-30/">
    <Owner>
        <ID>d6s58yhnm83f3081577800575ee4cf</ID>
    </Owner>
    <Delivered>false</Delivered>
    <AccessControlList>
        <Grant>
            <Grantee>
                <ID>f262a63g69422e8f330af1349c588f</ID>
            </Grantee>
            <Permission>READ</Permission>
        </Grant>
        <Grant>
            <Grantee>
                <ID>c965gfda2a849422e8f3985562432dsaa</ID>
            </Grantee>
            <Permission>FULL_CONTROL</Permission>
        </Grant>
        <Grant>
            <Grantee>
                <Canned>Everyone</Canned>
            </Grantee>
            <Permission>READ</Permission>
        </Grant>
    </AccessControlList>
</AccessControlPolicy>

Using SDKs to Call APIs

You are advised to use OBS SDKs to call APIs. SDKs encapsulate APIs to simplify development. You can call SDK API functions to access OBS without manually calculating signatures.

Java

Python

C

Go

BrowserJS: not supported

.NET: not supported

Android: not supported

iOS: not supported

PHP: not supported

Node.js

Harmony: not supported

Helpful Links