Updated on 2025-08-04 GMT+08:00

ACLs

Access control lists (ACLs) allow resource owners to grant other accounts access to their resources. An OBS ACL defines the read and write permissions attached to an account. Permissions granted to an account also apply to every IAM user under that account, so an ACL cannot distinguish between users of the same account. ACLs are less fine-grained than bucket policies or IAM policies, so use IAM permissions and bucket policies for access control wherever possible and reserve ACLs for the scenarios described below.

By default, only the bucket creator (also the bucket owner) has full control over the bucket, and only the object uploader (also the object owner) has full control over the object. If resource owners want other accounts to access their resources, they can use ACLs to grant the read and write permissions.

Scenarios

You can configure an ACL to:

  • Let another account, rather than you (the object owner), have full control over your object. Suppose you have uploaded object a to a bucket of account B. By default, account B does not have the read and write permissions for your object a. In this case, you can set the object ACL to bucket-owner-full-control so that account B has full control over object a and can further manage it in the bucket in a unified manner.
  • Individually control access to a specific object. Suppose you have applied a bucket policy to a set of objects and you want to further control access to a single object in this set of objects. You can use the object ACL to achieve this.

Relationship Between Bucket ACLs and Object ACLs

Both buckets and objects have their own ACL. Table 1 shows the relationship between bucket ACLs and object ACLs.

Table 1 Relationship between bucket ACLs and object ACLs

Grantor

  • Bucket ACL: the bucket owner (the account that created the bucket). A bucket owner has full control over the bucket by default. The bucket owner's permissions to read and write the bucket ACL are permanent and cannot be removed. The bucket owner's read and write permissions on the bucket itself can be changed, but doing so is not recommended.
  • Object ACL: the object owner (the account that uploaded the object, which is not necessarily the owner of the bucket that stores it). For example, if account A uploads object a to a bucket owned by account B, the owner of object a is account A. The object owner has full control over the object by default. The object owner's permissions to read and write the object ACL are permanent and cannot be removed.

Grantee

  • Bucket ACL: other accounts, anonymous users, and log delivery user groups
  • Object ACL: other accounts and anonymous users

Permissions that can be granted

  • Bucket ACL: access to the bucket, access to the bucket ACL, and whether the bucket ACL is delivered to (inherited by) its objects
  • Object ACL: access to the object, access to the object ACL, and whether the object inherits its bucket's ACL

Inheritance relationship between bucket ACLs and object ACLs

When an object ACL inherits a bucket ACL, the union of the permissions from both ACLs is applied: a user granted a permission in either ACL has that permission on the object.

  • With the READ permission inherited, users granted READ in either the bucket ACL or the object ACL can read the object. For example, if the bucket ACL grants anonymous users the read permission and the object ACL grants account A the read permission, both anonymous users and account A can read the object.
  • With the READ_ACP permission inherited, users granted READ_ACP in either the bucket ACL or the object ACL can read the object ACL.
  • With the WRITE_ACP permission inherited, users granted WRITE_ACP in either the bucket ACL or the object ACL can update the object ACL.

Grantee

You can configure an ACL to grant the users listed in Table 2 access to buckets.

Table 2 Users who can be granted bucket access permissions in an ACL

Other accounts

ACLs can grant other accounts permissions to access buckets and objects. Once an account is granted such permissions, every IAM user under that account has the same permissions as the account; an ACL cannot give different permissions to different IAM users of another account.

If you want to grant different permissions to different IAM users under other accounts, configure a bucket policy instead.

NOTE:

Cross-account access requires both the ACL grant and IAM permissions on the requesting side. For details, see Which Permissions Apply When They Conflict?

Anonymous users

Requests sent without authentication, for example from visitors who have not registered with Huawei Cloud.

CAUTION:

If anonymous users are granted access to a bucket or an object, anyone can access that bucket or object without authentication. Treat such a grant as publishing the resource to the Internet.

Log delivery user groups

NOTE:

Only a bucket ACL can grant permissions to the log delivery user group.

The log delivery user group only delivers access logs of buckets and objects to the configured target bucket. OBS never creates or uploads a file to a bucket on its own, so to record access logs for a bucket you must grant the log delivery user group permission to write the logs to your specified target bucket. This user group is used only for recording OBS access logs.

NOTICE:

After logging is enabled, the log delivery user group is automatically granted permission to read the ACL of the target bucket and to write to that bucket. If you manually revoke either permission, bucket logging fails.

Permissions That Can Be Granted

Table 3 and Table 4 list the permissions that can be configured in a bucket ACL.

Table 3 Bucket access permissions

  • Read: a user with this permission can obtain the list of objects in the bucket and the metadata of the bucket.
  • Write: a user with this permission can upload objects to the bucket, and can delete and overwrite existing objects in the bucket.
  • Object read: objects in the bucket inherit the read permission configured for the bucket, so an authorized user can obtain the content and metadata of the objects.

Table 4 Bucket ACL access permissions

  • Read: a user with this permission can read the bucket ACL.
  • Write: a user with this permission can update the bucket ACL.

Table 5 and Table 6 list the permissions that can be configured in an object ACL. Note that there is no object-level write permission: whether an object can be overwritten or deleted is governed by the Write permission of the bucket ACL.

Table 5 Object access permissions

  • Read: a user with this permission can obtain the content and metadata of the object.

Table 6 Object ACL access permissions

  • Read: a user with this permission can read the object ACL.
  • Write: a user with this permission can update the object ACL.

How Do I Configure an ACL?

You can use the predefined bucket or object ACLs or customize an ACL.

OBS provides six predefined ACLs, described in Table 7. Apart from private and bucket-owner-full-control, a predefined ACL grants its permissions to all users, anonymous users included, so the public-* ACLs expose the resource to anyone.

Table 7 OBS-predefined ACLs

private

A bucket or an object can only be accessed by its owner. This is the default ACL.

public-read

If set on a bucket, anyone can obtain its object list, multipart upload tasks, and metadata. On its own it does not allow reading the content of the objects.

If set on an object, anyone can obtain the content and metadata of the object.

public-read-write

If set on a bucket, anyone can obtain its object list, multipart upload tasks, and metadata, and can upload and delete objects, initiate multipart uploads, upload, assemble, and copy parts, and cancel multipart uploads.

If set on an object, anyone can obtain the content and metadata of the object. On an object this ACL works the same as public-read, because objects have no write permission.

public-read-delivered

If set on a bucket, anyone can obtain its object list, multipart upload tasks, and metadata. Compared with public-read, this ACL also allows anyone to read the content and metadata of the objects in the bucket.

This ACL does not apply to objects.

public-read-write-delivered

If set on a bucket, anyone can obtain its object list, multipart upload tasks, and metadata, and can upload and delete objects, initiate multipart uploads, upload, assemble, and copy parts, and cancel multipart uploads. Compared with public-read-write, this ACL also allows anyone to read the content and metadata of the objects in the bucket.

This ACL does not apply to objects.

bucket-owner-full-control

Setting this ACL on an object gives the bucket owner full control over the object.

By default, if you upload an object to a bucket owned by another account, the bucket owner has no access to your object. After you set bucket-owner-full-control on the object, the bucket owner has full control over it.
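The distinction that matters most in Table 7 for an exposure review is that public-read on a bucket does not expose object content, while public-read-delivered does, and that an object's own ACL can expose it even in a private bucket. The following Python is an added example written for this page, not OBS or SDK code: it expands each predefined ACL into the explicit grants it implies and audits a bucket plus its objects for anonymous exposure. The grantee label ANONYMOUS, the grant tuple layout, and the sample object names are assumptions constructed for the example.

```python
"""Constructed example (not OBS code): expand OBS predefined ACLs into the explicit
grants they imply and audit which objects end up readable by anyone.

Grants are (grantee, permission, delivered) tuples. The grantee label ANONYMOUS
and the way the bucket owner is named are assumptions of this model.
"""
from typing import Dict, List, Tuple

ANONYMOUS = "anonymous"
Grant = Tuple[str, str, bool]  # (grantee, permission, delivered to objects)

# Bucket side of Table 7: what each predefined ACL grants to anonymous users and
# whether the READ grant is delivered to (inherited by) the bucket's objects.
BUCKET_PREDEFINED: Dict[str, List[Tuple[str, bool]]] = {
    "private": [],
    "public-read": [("READ", False)],
    "public-read-write": [("READ", False), ("WRITE", False)],
    "public-read-delivered": [("READ", True)],
    "public-read-write-delivered": [("READ", True), ("WRITE", False)],
}

# Object side of Table 7. Objects have no WRITE permission, so public-read-write
# on an object has the same effect as public-read.
OBJECT_PREDEFINED: Dict[str, List[str]] = {
    "private": [],
    "public-read": ["READ"],
    "public-read-write": ["READ"],
}


def bucket_grants(predefined: str) -> List[Grant]:
    """Explicit grants implied by a predefined ACL applied to a bucket."""
    if predefined not in BUCKET_PREDEFINED:
        raise ValueError(f"{predefined!r} is not a predefined bucket ACL")
    return [(ANONYMOUS, perm, delivered) for perm, delivered in BUCKET_PREDEFINED[predefined]]


def object_grants(predefined: str, bucket_owner: str) -> List[Grant]:
    """Explicit grants implied by a predefined ACL applied to an object."""
    if predefined == "bucket-owner-full-control":
        return [(bucket_owner, "FULL_CONTROL", False)]
    if predefined not in OBJECT_PREDEFINED:
        raise ValueError(f"{predefined!r} is not a predefined object ACL")
    return [(ANONYMOUS, perm, False) for perm in OBJECT_PREDEFINED[predefined]]


def public_read_reason(bucket_acl: str, object_acl: str, bucket_owner: str = "owner") -> str:
    """Why anyone can read the object's content, if they can: "object-acl" when the
    object's own ACL is public, "bucket-delivered" when the bucket ACL delivers READ
    to its objects, "" when neither applies (public-read on the bucket alone only
    exposes the object list and bucket metadata)."""
    if any(g == ANONYMOUS and p == "READ" for g, p, _ in object_grants(object_acl, bucket_owner)):
        return "object-acl"
    if any(g == ANONYMOUS and p == "READ" and d for g, p, d in bucket_grants(bucket_acl)):
        return "bucket-delivered"
    return ""


def audit(bucket_acl: str, objects: Dict[str, str], bucket_owner: str = "owner") -> Dict[str, object]:
    """Summarise anonymous exposure: bucket listing, bucket write (upload, overwrite,
    delete) and, per object, whether and why its content is readable by anyone."""
    grants = bucket_grants(bucket_acl)
    readable: Dict[str, str] = {}
    for key, acl in objects.items():
        why = public_read_reason(bucket_acl, acl, bucket_owner)
        if why:
            readable[key] = why
    return {
        "anonymous_listing": any(g == ANONYMOUS and p == "READ" for g, p, _ in grants),
        "anonymous_write": any(g == ANONYMOUS and p == "WRITE" for g, p, _ in grants),
        "anonymous_readable_objects": readable,
    }


if __name__ == "__main__":
    # Constructed sample: a bucket whose objects mostly keep the default (private) ACL.
    sample_objects = {"index.html": "public-read", "backup.sql": "private", "report.pdf": "private"}
    print(audit("public-read", sample_objects))
    print(audit("public-read-delivered", sample_objects))
```

Running the sample shows the point of the table: with public-read on the bucket only index.html is readable (through its own ACL), while switching the bucket to public-read-delivered makes backup.sql and report.pdf readable as well without any change to the objects.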

Using OBS Console to Configure Predefined ACLs

Using APIs to Configure Predefined ACLs

You can use the x-obs-acl header to set a predefined ACL on a bucket when creating it or on an object when uploading it. For details, see Creating a Bucket and Uploading an Object. You can also set the bucket or object ACL after the bucket is created or the object is uploaded. For details, see Configuring a Bucket ACL and Configuring an Object ACL. Because the header applies per request, an upload path that always sends x-obs-acl: public-read makes every uploaded object readable by anyone regardless of the bucket ACL, so review what your upload code sends.

Using SDKs to Configure Predefined ACLs

SDK examples are available in Java, Python, C, Go, BrowserJS, .NET, Android, iOS, PHP, and Node.js for each of the following operations:

  • Configuring the ACL when creating a bucket (BrowserJS: not supported)
  • Configuring a bucket ACL
  • Configuring the ACL when uploading an object
  • Configuring an object ACL

Using OBS Browser+ to Configure Predefined ACLs

Using obsutil to Configure Predefined ACLs

You can customize ACLs to grant permissions to specified accounts or anonymous users. Table 8 lists the permissions that can be configured in bucket or object ACLs.

Table 8 Permissions that can be configured in bucket or object ACLs

READ (API header: x-obs-grant-read)

  • On a bucket: a user with this permission can obtain the list of objects in the bucket and the metadata of the bucket.
  • On an object: a user with this permission can obtain the content and metadata of the object.

WRITE (API header: x-obs-grant-write)

  • On a bucket: a user with this permission can upload objects to the bucket, and can delete and overwrite existing objects in the bucket.
  • On an object: not supported.

READ_ACP (API header: x-obs-grant-read-acp)

  • On a bucket: a user with this permission can read the bucket ACL.
  • On an object: a user with this permission can read the object ACL.

WRITE_ACP (API header: x-obs-grant-write-acp)

  • On a bucket: a user with this permission can update the bucket ACL.
  • On an object: a user with this permission can update the object ACL.

FULL_CONTROL (API header: x-obs-grant-full-control)

  • On a bucket: a user with this permission has the READ, WRITE, READ_ACP, and WRITE_ACP permissions.
  • On an object: a user with this permission has the READ, READ_ACP, and WRITE_ACP permissions for the object.

When reviewing grants, treat WRITE_ACP as equivalent to FULL_CONTROL: a grantee who can update the ACL can add any other permission for themselves.

OBS also lets you customize a bucket ACL so that its objects inherit it. Use the x-obs-grant-read-delivered header in a bucket ACL to give grantees the READ permission on the bucket (the object list and bucket metadata) and also the READ permission on the objects in the bucket. Use the x-obs-grant-full-control-delivered header in a bucket ACL to give grantees the READ, WRITE, READ_ACP, and WRITE_ACP permissions on the bucket and also the READ, READ_ACP, and WRITE_ACP permissions on the objects in the bucket.
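The header list in Table 8, the inheritance rule in Table 1 (the union of the object ACL and the delivered bucket grants), and the logging prerequisite in the NOTICE under Table 2 are easiest to reason about as one evaluation model. The following Python is an added example written for this page, not OBS or SDK code: it parses x-obs-grant-* headers into grants, expands FULL_CONTROL differently for buckets and objects, computes a principal's effective permissions, and checks the log delivery grants. The principal encoding (("id", domain id) tuples, ANON, LOG_DELIVERY), the assumed "id=<domain id>" header value syntax, and the account names in demo() are assumptions constructed for the example.

```python
"""Constructed model of OBS ACL evaluation (not OBS or SDK code).

Turns x-obs-grant-* headers into grants, expands FULL_CONTROL per Table 8,
applies the bucket-to-object inheritance (union) rule of Table 1, and checks
the log delivery prerequisite from the NOTICE under Table 2. The principal
encoding is an assumption of this model: ("id", "<domain id>") is an account,
ANON is anonymous users and LOG_DELIVERY is the log delivery user group.
"""
from typing import Dict, Iterable, List, Set, Tuple

Principal = Tuple[str, ...]
Grant = Tuple[Principal, str, bool]  # (grantee, permission, delivered to objects)

ANON: Principal = ("anonymous",)
LOG_DELIVERY: Principal = ("log-delivery",)

BUCKET_FULL_CONTROL = {"READ", "WRITE", "READ_ACP", "WRITE_ACP"}
OBJECT_FULL_CONTROL = {"READ", "READ_ACP", "WRITE_ACP"}  # objects have no WRITE

# Permission conferred by each grant header, and whether it is delivered to objects.
HEADER_GRANTS: Dict[str, Tuple[str, bool]] = {
    "x-obs-grant-read": ("READ", False),
    "x-obs-grant-write": ("WRITE", False),
    "x-obs-grant-read-acp": ("READ_ACP", False),
    "x-obs-grant-write-acp": ("WRITE_ACP", False),
    "x-obs-grant-full-control": ("FULL_CONTROL", False),
    "x-obs-grant-read-delivered": ("READ", True),
    "x-obs-grant-full-control-delivered": ("FULL_CONTROL", True),
}


def parse_grant_headers(headers: Dict[str, str], resource: str) -> List[Grant]:
    """Convert x-obs-grant-* headers into grants for a "bucket" or an "object".

    The value syntax assumed here is comma-separated "id=<domain id>" entries.
    Headers that are meaningless for the resource type are rejected, not ignored.
    """
    grants: List[Grant] = []
    for name, value in headers.items():
        key = name.lower()
        if key not in HEADER_GRANTS:
            continue
        perm, delivered = HEADER_GRANTS[key]
        if resource == "object" and (delivered or perm == "WRITE"):
            raise ValueError(f"{name} is not valid in an object ACL")
        for entry in value.split(","):
            field, _, domain_id = entry.strip().partition("=")
            if field != "id" or not domain_id:
                raise ValueError(f"malformed grantee {entry!r} in {name}")
            grants.append((("id", domain_id), perm, delivered))
    return grants


def expand(perm: str, resource: str) -> Set[str]:
    """FULL_CONTROL expands to different sets on buckets and objects (Table 8)."""
    if perm == "FULL_CONTROL":
        return set(BUCKET_FULL_CONTROL if resource == "bucket" else OBJECT_FULL_CONTROL)
    return {perm}


def _matches(grantee: Principal, who: Principal) -> bool:
    # A grant to anonymous users lets anyone in, authenticated or not (Table 2 CAUTION).
    return grantee == who or grantee == ANON


def bucket_permissions(owner: Principal, grants: Iterable[Grant], who: Principal) -> Set[str]:
    """Effective bucket permissions of `who`; the bucket owner always has full control."""
    perms = set(BUCKET_FULL_CONTROL) if who == owner else set()
    for grantee, perm, _ in grants:
        if _matches(grantee, who):
            perms |= expand(perm, "bucket")
    return perms


def object_permissions(object_owner: Principal, object_grants: Iterable[Grant],
                       bucket_grants: Iterable[Grant], who: Principal) -> Set[str]:
    """Effective object permissions of `who`: the union of the object ACL and the
    delivered grants of the bucket ACL. Owning the bucket confers nothing here."""
    perms = set(OBJECT_FULL_CONTROL) if who == object_owner else set()
    for grantee, perm, _ in object_grants:
        if _matches(grantee, who):
            perms |= expand(perm, "object")
    for grantee, perm, delivered in bucket_grants:
        if delivered and _matches(grantee, who):
            perms |= expand(perm, "object")
    return perms


def logging_prerequisites_met(bucket_grants: Iterable[Grant]) -> bool:
    """Logging needs the log delivery group to hold READ_ACP and WRITE on the target bucket."""
    held: Set[str] = set()
    for grantee, perm, _ in bucket_grants:
        if grantee == LOG_DELIVERY:
            held |= expand(perm, "bucket")
    return {"READ_ACP", "WRITE"} <= held


def demo() -> Dict[str, Set[str]]:
    """The Table 1 example: the bucket ACL delivers READ to anonymous users and the
    object ACL grants READ to account A. Bucket owner B and unrelated account C are
    included to show that the anonymous grant reaches them too."""
    bucket_owner, object_owner = ("id", "domain-b"), ("id", "domain-d")
    account_a, account_c = ("id", "domain-a"), ("id", "domain-c")
    bucket_grants = [(ANON, "READ", True)] + parse_grant_headers(
        {"x-obs-grant-read": "id=domain-c"}, "bucket")  # C's own grant is not delivered
    object_grants = parse_grant_headers({"x-obs-grant-read": "id=domain-a"}, "object")
    return {
        "A": object_permissions(object_owner, object_grants, bucket_grants, account_a),
        "anonymous": object_permissions(object_owner, object_grants, bucket_grants, ANON),
        "bucket_owner_B": object_permissions(object_owner, object_grants, bucket_grants, bucket_owner),
        "C_on_bucket": bucket_permissions(bucket_owner, bucket_grants, account_c),
    }


if __name__ == "__main__":
    for who, perms in demo().items():
        print(f"{who}: {sorted(perms)}")
```

Two results from this model are worth noting when auditing ACLs. A non-delivered x-obs-grant-full-control on the bucket gives the grantee nothing on objects uploaded by other accounts, which is why bucket-owner-full-control or the delivered header exists; and an anonymous grant reaches every principal, so the bucket owner "gaining" read on a foreign object through a public bucket ACL is the same exposure as the object being public.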

Using OBS Console to Customize an ACL

Using APIs to Customize an ACL

Using SDKs to Customize an ACL

SDK examples are available in Java, Python, C, Go, BrowserJS, .NET, Android, iOS, PHP, and Node.js for each of the following operations:

  • Configuring the ACL when creating a bucket (BrowserJS: not supported)
  • Configuring a bucket ACL
  • Configuring the ACL when uploading an object
  • Configuring an object ACL

Using OBS Browser+ to Customize an ACL

Configure a Bucket ACL

Using obsutil to Customize an ACL