Help Center/ Object Storage Service/ User Guide/ Permissions Control/ Configuring a Bucket ACL

Updated on 2025-12-16 GMT+08:00

View PDF

Configuring a Bucket ACL

Prerequisites

You are the bucket owner or you have the permission to write the bucket ACL.

Ways to Configure a Bucket ACL

You can use OBS Console, APIs, SDKs, OBS Browser+, or obsutil to configure a bucket ACL.

Using OBS Console

In the navigation pane of OBS Console, choose Object Storage.
In the bucket list, click the bucket you want to operate. The Objects page is displayed.
In the navigation pane, choose Permissions > Bucket ACL.
On the Bucket ACL page, choose Private, Public Read, or Public Read/Write to grant bucket ACL permissions for anonymous users.
- After you change Public Read or Public Read/Write to Private, only the bucket owner or object owner has the access.
- After you change Private to Public Read, anyone can read objects in the bucket. No identity authentication is required.
- After you change Private to Public Read/Write, anyone can read, write, and delete objects in the bucket. No identity authentication is required.
Figure 1 Changing a public access permission
In the Operation column, click Edit to grant the owner, anonymous user, or log delivery user required ACL permissions for the bucket.
In the middle of the page, click Export to get the bucket ACL configuration. The file includes the user type, account, bucket access, and ACL access.

In the middle of the page, click Add to apply specific ACL permissions to an account.

Click OK.

Figure 2 Granting permissions

**Table 1** Bucket access permissions
Permission	Description
Read	Grants the permission to obtain the list of objects in the bucket and the metadata of the bucket.
Write	Grants the permission to upload objects to the bucket and to delete and overwrite existing objects in the bucket.

**Table 2** Object access permissions
Permission	Description
Object read	Grants the permission to obtain the content and metadata of objects in the bucket. The objects inherit the read permission configured for the bucket.

**Table 3** ACL access permissions
Permission	Description
Read	Grants the permission to read the bucket ACL.
Write	Grants the permission to update the bucket ACL.

Using APIs

Configuring a Bucket ACL

Using SDKs

Using the GUI Tool - OBS Browser+

Log in to OBS Browser+.
Select the bucket you want and click Bucket ACLs.
Configure the bucket ACL as needed and click OK, as shown in Figure 3.

Figure 3 Configuring an ACL

If no ACL permissions are configured for a new bucket, OBS Browser+ automatically disables the access to the bucket and its objects by any other users except the bucket owner.

Using the CLI Tool - obsutil

Command Line Structure

In Windows

obsutil chattri obs://bucket [-sc=xxx] [-acl=xxx] [-aclXml=xxx] [-config=xxx] [-e=xxx] [-i=xxx] [-k=xxx] [-t=xxx]

In Linux or macOS

./obsutil chattri obs://bucket [-sc=xxx] [-acl=xxx] [-aclXml=xxx] [-config=xxx] [-e=xxx] [-i=xxx] [-k=xxx] [-t=xxx]

Examples

Take the Windows OS as an example. Run the obsutil chattri obs://bucket-test -acl=private command to change the access control policy of the bucket to private read and write.

obsutil chattri obs://bucket-test -acl=private

Start at 2024-09-29 07:58:46.0506904 +0000 UTC

Set the acl of bucket [bucket-test] to [private] successfully, request id [04050000016836C5DA6FB21F14A2A0C0]

Parameter Description

Parameter	Optional or Mandatory	Description
bucket	Mandatory	The bucket name
sc	Optional (additional parameter)	The default storage class of the bucket. Possible values are: standard: Standard storage class. It features low access latency and high throughput, and is applicable to storing frequently accessed data (multiple accesses per month) or data that is smaller than 1 MB. warm: Infrequent Access storage class. It is ideal for storing infrequently accessed (less than 12 times a year) data, but when needed, the access has to be fast. cold: Archive storage class. It provides secure, durable, and inexpensive storage for rarely-accessed (once a year) data. deep-archive: Deep Archive storage class (under limited beta testing). It is suitable for storing data that is barely (once every few years) accessed. This storage class costs less than the Archive storage class, but takes longer time (usually several hours) to restore data. NOTE: If the multi-AZ mode is enabled for a bucket, the default storage class of the bucket cannot be set to cold.
acl	Optional (additional parameter)	The predefined access control policy of the bucket. Possible values are: private public-read public-read-write NOTE: The preceding three values indicate private read and write, public read, and public read and write.
aclXml	Optional (additional parameter)	The bucket's access control policy, in XML format <AccessControlPolicy> <Owner> <ID>ownerid</ID> </Owner> <AccessControlList> <Grant> <Grantee> <ID>userid</ID> </Grantee> <Permission>[WRITE\|WRITE_ACP\|READ\|READ_ACP\|FULL_CONTROL]</Permission> </Grant> <Grant> <Grantee> <Canned>Everyone</Canned> </Grantee> <Permission>[WRITE\|WRITE_ACP\|READ\|READ_ACP\|FULL_CONTROL]</Permission> </Grant> </AccessControlList> </AccessControlPolicy> NOTE: Owner: Optional. Specify the bucket owner's ID. In AccessControlList, the Grant field contains the authorized users. Grantee specifies the IDs of authorized users. Canned specifies the authorized user group (currently, only Everyone is supported). The following permissions can be granted: WRITE (write), WRITE_ACP (write ACL), READ (read), READ_ACP (read ACL), and FULL_CONTROL (full control). NOTICE: Because angle brackets (<) and (>) are unavoidably included in the parameter value, you must use quotation marks to enclose them for escaping when running the command. Use single quotation marks for Linux or macOS and double quotation marks for Windows.
config	Optional (additional parameter)	The user-defined configuration file for executing the current command. For details about parameters that can be configured, see Configuration Parameters.
e	Optional (additional parameter)	The endpoint
i	Optional (additional parameter)	The user's AK
k	Optional (additional parameter)	The user's SK
t	Optional (additional parameter)	The user's security token

Only one from sc, acl, or aclXml can be set for each command.

Follow-up Procedure

A registered user can access a bucket in either of the following ways:

After an account is granted permissions through a bucket ACL, authorized users can use their own identity credentials (AK and SK) to access that bucket by adding the bucket to OBS Browser+.
After certain permissions are granted to an anonymous user, the anonymous user can access the bucket without any authentication. The anonymous user can be either a registered user or a non-registered user.

A non-registered user can access a bucket in either of the following ways:

Access the bucket's domain name in a browser to view the objects in the bucket.
Configure the bucket's domain name in a third-party system to directly connect to the bucket.

Parent Topic: Permissions Control

Previous topic: Configuring an Object Policy

Next topic: Configuring an Object ACL

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot