Help Center/ Object Storage Service/ API Reference/ Object APIs/ Object ACLs/ Obtaining Object ACL Configuration

Updated on 2026-04-16 GMT+08:00

Obtaining Object ACL Configuration

Functions

This API is used to obtain the ACL configuration of an object. For more information about object ACLs, see Configuring an Object ACL.

Versioning

By default, this operation obtains the ACL of the latest version of an object. If the object has a delete marker, status code 404 is returned. To obtain the ACL of a specified version, the versionId parameter can be used to specify the desired version.

Authorization Information

To call this API, you must be the object owner or have the permissions to obtain the ACL configuration of an object. You are advised to use IAM or bucket policies for authorization. For details about OBS authorization methods, see Differences Between OBS Permissions Control Methods.

If you use IAM for authorization, you need to use either role/policy-based authorization or identity policy-based authorization and configure the required permissions:

If you use role/policy-based authorization (IAM v3 APIs in the old IAM version), you need to grant the obs:object:GetObjectAcl (versioning disabled) and obs:object:GetObjectVersionAcl (versioning enabled or suspended) permissions. For details, see Creating a Custom IAM Policy.

If you use identity policy-based authorization (IAM v5 APIs in the new IAM version), you need to grant the obs:object:getObjectAcl (versioning disabled) and obs:object:getObjectVersionAcl (versioning enabled or suspended) permissions, as shown in the following table. For details, see Creating a Custom IAM Identity Policy.

Action	Access Level	Resource Type (*: Required)	Condition Key	Alias	Dependencies
obs:object:getObjectAcl (versioning disabled) obs:object:getObjectVersionAcl (versioning enabled or suspended)	Read	object *	g:EnterpriseProjectId	-	-
-	obs:EpochTime obs:SourceIp obs:TlsVersion obs:CustomDomain

Action

Access Level

Resource Type (*: Required)

Condition Key

Alias

Dependencies

obs:object:getObjectAcl (versioning disabled)

obs:object:getObjectVersionAcl (versioning enabled or suspended)

Read

object *

g:EnterpriseProjectId

obs:EpochTime
obs:SourceIp
obs:TlsVersion
obs:CustomDomain

If you use bucket policies for authorization, you need to grant the obs:object:GetObjectAcl (versioning disabled) and obs:object:GetObjectVersionAcl (versioning enabled or suspended) permissions. For details, see Creating a Custom Bucket Policy.

Request Syntax

     GET /ObjectName?acl HTTP/1.1 
Host: bucketname.obs.region.myhuaweicloud.com 
Date: date
Authorization: authorization

URI Parameters

The request URI parameters required are described in Table 1.

**Table 1** URI parameters
Parameter	Mandatory (Yes/No)	Type	Description
acl	Yes	String	Definition: Indicates that the request is to obtain the object ACL. Constraints: None Range: None Default value: None
versionId	No	String	Definition: Version number of an object. For details about how to obtain the version ID of an object, see Listing Objects in a Bucket. Constraints: None Range: The value must contain 32 characters. Default value: None. If this parameter is not configured, the latest version of the object is specified.

Request Headers

This request uses common headers. For details, see Table 3.

Request Body

This request contains no request body parameters.

Response Syntax

     HTTP/1.1 status_code
Date: date
Content-Length: length
Content-Type: application/xml 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
<AccessControlPolicy xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/">
    <Owner> 
        <ID>id</ID> 
    </Owner> 
    <Delivered>true</Delivered>
    <AccessControlList> 
        <Grant> 
            <Grantee> 
                <ID>id</ID> 
            </Grantee> 
            <Permission>permission</Permission> 
        </Grant> 
    </AccessControlList> 
</AccessControlPolicy>
 
 
  

Response Headers

This response uses common headers. For details, see Table 1.

In addition to the common response headers, the headers listed in Table 2 may be used.

**Table 2** Response Headers
Parameter	Type	Description
x-obs-version-id	String	Definition: Version number of an object. Range: The value must contain 32 characters.

Response Body

The response message of the request returns the ACL information of the object. Table 3 describes the elements.

**Table 3** Response body parameters
Parameter	Type	Description
AccessControlList	XML	Definition: List of users and their permissions for the bucket. AccessControlList is the parent node of Grant, Grantee, and Permission. Range: For details, see Table 4.
ID	String	Definition: Domain ID of the user. Range: None
Delivered	Boolean	Definition: Whether an object ACL inherits the ACL of a bucket. Range: true: The object inherits the bucket ACL. false: The object does not inherit the bucket ACL.

**Table 4** AccessControlList parameters
Parameter	Type	Description
Grant	XML	Definition: Used to identify users and their permissions. Grant is the parent node of Grantee and Delivered. Range: None
Grantee	XML	Definition: Grantee information. Range: None
Permission	String	Definition: Permissions of a specified user for the bucket. Range: READ: Allows the grantee to obtain the object content and metadata. READ_ACP: Allows the grantee to read the ACL attributes of an object. WRITE_ACP: Allows the grantee to update the ACL of an object. FULL_CONTROL: The grantee has the READ, READ_ACP, and WRITE_ACP permissions on the object.

Error Responses

No special error responses are returned. For details about error responses, see Table 2.

Sample Request

     GET /object011?acl HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: WED, 01 Jul 2015 04:45:55 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:YcmvNQxItGjFeeC1K2HeUEp8MMM=
 
 
  

Sample Response

     HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: 8DF400000163D3E650F3065C2295674C
x-obs-id-2: 32AAAQAAEAABAAAQAAEAABAAAQAAEAABCS+wsHqRuA2Tx+mXUpNtBbWLPMle9CIx
Content-Type: application/xml
Date: WED, 01 Jul 2015 04:45:55 GMT
Content-Length: 769

<?xml version="1.0" encoding="utf-8"?>
<AccessControlPolicy xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/">
  <Owner> 
    <ID>b4bf1b36d9ca43d984fbcb9491b6fce9</ID> 
  </Owner>  
  <Delivered>false</Delivered> 
  <AccessControlList> 
    <Grant> 
      <Grantee> 
        <ID>b4bf1b36d9ca43d984fbcb9491b6fce9</ID> 
      </Grantee>  
      <Permission>FULL_CONTROL</Permission> 
    </Grant>  
    <Grant> 
      <Grantee> 
        <ID>783fc6652cf246c096ea836694f71855</ID> 
      </Grantee>  
      <Permission>READ</Permission>  
      </Grant>  
    <Grant> 
      <Grantee> 
        <Canned>Everyone</Canned> 
      </Grantee>  
      <Permission>READ_ACP</Permission> 
    </Grant> 
  </AccessControlList> 
</AccessControlPolicy>
 
 
  

Sample Request: Obtaining the ACL of a Specific Object Version

GET /object01?acl&versionId=G001118A6803675AFFFFD3043F7F91D0 HTTP/1.1
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:iqSPeUBl66PwXDApxjRKk6hlcN4=
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Date: WED, 01 Jul 2015 02:37:22 GMT
Content-Type: application/xml

Sample Response: Obtaining the ACL of a Specific Object Version

x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSmpL2dv6zZLM2HmUrXKTAi258MPqmrp
x-obs-request-id: 0000018A2A73AF59D3085C8F8ABF0C65
Server: OBS
Content-Length: 0
Date: WED, 01 Jul 2015 02:37:22 GMT
x-obs-version-id: G001118A6803675AFFFFD3043F7F91D0
 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AccessControlPolicy  xmlns="http://obs.myhwclouds.com/doc/2015-06-30/">
    <Owner>
        <ID>d6s58yhnm83f3081577800575ee4cf</ID>
    </Owner>
    <Delivered>false</Delivered>
    <AccessControlList>
        <Grant>
            <Grantee>
                <ID>f262a63g69422e8f330af1349c588f</ID>
            </Grantee>
            <Permission>READ</Permission>
        </Grant>
        <Grant>
            <Grantee>
                <ID>c965gfda2a849422e8f3985562432dsaa</ID>
            </Grantee>
            <Permission>FULL_CONTROL</Permission>
        </Grant>
        <Grant>
            <Grantee>
                <Canned>Everyone</Canned>
            </Grantee>
            <Permission>READ</Permission>
        </Grant>
    </AccessControlList>
</AccessControlPolicy>

Using SDKs to Call APIs

You are advised to use OBS SDKs to call APIs. SDKs encapsulate APIs to simplify development. You can call SDK API functions to access OBS without manually calculating signatures.

Java

Python

BrowserJS: not supported

.NET: not supported

Android: not supported

iOS: not supported

PHP: not supported

Node.js

Harmony: not supported

Helpful Links

For more information about object ACLs, see Configuring an Object ACL.
For details about the billing items involved in API operations, see Billing Items.

Parent Topic: Object ACLs

Previous topic: Configuring an Object ACL

Next topic: Object Tags

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

For any further questions, feel free to contact us through the chatbot.

Chatbot