Configuring a Bucket ACL
Function
You can configure a bucket ACL when creating a bucket or call this API to configure a bucket ACL after the bucket is created. For more information about configuring bucket ACLs, see Configuring a Bucket ACL.
For details about how to use bucket ACLs to manage permissions, see the permission control in the OBS Permission Configuration Guide.
Constraints
- A bucket ACL supports a maximum of 100 grants.
- This API is idempotent. A new bucket ACL will overwrite the original bucket ACL. To modify or delete an ACL, create a new ACL using the PUT method.
Authorization
To call this API, you must be the bucket owner or have the permission to configure a bucket ACL. You are advised to use IAM or bucket policies for authorization. For details about OBS authorization methods, see Differences Between OBS Permissions Control Methods.
- If you use IAM for authorization, you need to use either role/policy-based authorization or identity policy-based authorization and configure the required permissions:
- If you use role/policy-based authorization (IAM v3 APIs in the old IAM version), you must have the obs:bucket:PutBucketAcl permission. For details, see Creating a Custom IAM Policy.
- If you use identity policy-based authorization (IAM v5 APIs in the new IAM version), you must have the obs:bucket:putBucketAcl permission, as shown in the following table. For details, see Creating a Custom IAM Identity Policy.
Action
Access Level
Resource Type (*: Required)
Dependencies
obs:bucket:putBucketAcl
Permission_management
bucket *
-
-
-
- obs:EpochTime
- obs:SourceIp
- obs:TlsVersion
- obs:CustomDomain
- obs:x-obs-acl
- If you use bucket policies for authorization, you must have the obs:bucket:PutBucketAcl permission. For details, see Creating a Custom Bucket Policy.
URI
PUT /
Calling Method
For details, see Calling APIs. Before calling this API, calculate the API signature and add it to the request.
You can debug this API in API Explorer.
Request Syntax
```
PUT /?acl HTTP/1.1
Host: bucketname.obs.region.myhuaweicloud.com
Date: date
Authorization: authorization
Content-Type: application/xml
Content-Length: length

<AccessControlPolicy>
    <Owner>
        <ID>ID</ID>
    </Owner>
    <AccessControlList>
        <Grant>
            <Grantee>
                <ID>domainId</ID>
            </Grantee>
            <Permission>permission</Permission>
            <Delivered>false</Delivered>
        </Grant>
    </AccessControlList>
</AccessControlPolicy>
```
URI Parameters
This request contains no parameters.
Request Headers
You can change the ACL of a bucket by using the header settings. Each ACL configured with the header setting has a set of predefined grantees and authorized permissions. If you want to authorize access permissions by adding the header to a request, you must add the following header and specify the value.
| Header | Type | Mandatory | Description |
|---|---|---|---|
| x-obs-acl | String | No | Definition Uses the canned ACL for a bucket. Constraints None Range For details about each policy, see "Configuring an ACL Using Header Fields" in ACLs. Default Value private |
Request Body
This request carries ACL information in elements to specify an ACL. Table 3 describes the elements.
| Element | Type | Mandatory | Description |
|---|---|---|---|
| Owner | XML | Yes | Definition Bucket owner information, which is the parent node of the bucket owner's account ID. Constraints None |
| ID | String | Yes | Definition Account ID of the bucket owner. Constraints None Range None Default Value None |
| AccessControlList | XML | Yes | Definition Access control list, which is the parent node of Grant. Constraints None |
| Grant | XML | No | Definition Identifies users and user permissions. It is the parent node of Grantee, Permission, and Delivered. Constraints A single bucket ACL can contain no more than 100 grants. |
| Grantee | XML | No | Definition Records user information. It is the parent node of the authorized account ID. Constraints None |
| ID | String | No | Definition Account ID of the authorized user. Constraints None Range None Default Value None |
| Canned | String | No | Definition Grants permissions to everyone. Constraints None Range Everyone Default Value None |
| Permission | String | Yes | Definition Permissions to be granted. For details, see access permissions controlled by a bucket ACL. Constraints None Range Default Value None |
| Delivered | Boolean | No | Definition Whether the bucket ACL is applied to all objects in the bucket. Constraints None Range Default Value false |
Response Syntax
```
HTTP/1.1 status_code
Date: date
Content-Length: length
```
Response Headers
This response uses common headers. For details, see Table 1.
Response Body
This response does not contain a response body.
Error Responses
No special errors. You can find all errors in Table 2.
Sample Request
```
PUT /?acl HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: WED, 01 Jul 2015 02:37:22 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:iqSPeUBl66PwXDApxjRKk6hlcN4=
Content-Length: 727

<AccessControlPolicy xmlns="http://obs.ap-southeast-1.myhuaweicloud.com/doc/2015-06-30/">
    <Owner>
        <ID>b4bf1b36d9ca43d984fbcb9491b6fce9</ID>
    </Owner>
    <AccessControlList>
        <Grant>
            <Grantee>
                <ID>b4bf1b36d9ca43d984fbcb9491b6fce9</ID>
            </Grantee>
            <Permission>FULL_CONTROL</Permission>
        </Grant>
        <Grant>
            <Grantee>
                <ID>783fc6652cf246c096ea836694f71855</ID>
            </Grantee>
            <Permission>READ</Permission>
            <Delivered>false</Delivered>
        </Grant>
        <Grant>
            <Grantee>
                <Canned>Everyone</Canned>
            </Grantee>
            <Permission>READ_ACP</Permission>
        </Grant>
    </AccessControlList>
</AccessControlPolicy>
```
Sample Response
```
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF2600000164361F2954B4D063164704
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCT78HTIBuhe0FbtSptrb/akwELtwyPKs
Date: WED, 01 Jul 2015 02:37:22 GMT
Content-Length: 0
```
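Because a PUT replaces the whole bucket ACL, it helps to review the request body against the ACL it will overwrite before sending it. The following is an added example, not code from the OBS documentation or SDKs: it parses two `AccessControlPolicy` bodies and reports `Everyone` grants, `Delivered` grants, the 100-grant limit, a missing `Owner`/`ID`, and grants the overwrite would drop. The function names, the `_acl` helper and the IDs `owner-id` and `partner-id` are constructed for illustration, and the bodies are assumed to be locally authored XML.

```python
import xml.etree.ElementTree as ET

MAX_GRANTS = 100  # per-ACL limit stated in the Constraints section

def _local(tag):  # drop an XML namespace such as the xmlns in the sample request
    return tag.rsplit("}", 1)[-1]

def parse_acl(xml_text):
    """Return (owner_id, [(grantee, permission, delivered), ...])."""
    owner, grants = "", []
    for node in ET.fromstring(xml_text).iter():
        if _local(node.tag) == "Owner":
            owner = "".join(c.text or "" for c in node if _local(c.tag) == "ID").strip()
        elif _local(node.tag) == "Grant":
            f = {_local(c.tag): c for c in node}
            who = [(_local(c.tag), (c.text or "").strip()) for c in f.get("Grantee", [])]
            perm = (f["Permission"].text or "").strip() if "Permission" in f else ""
            deliv = "Delivered" in f and (f["Delivered"].text or "").strip().lower() == "true"
            grants.append((who[0] if who else ("", ""), perm, deliv))
    return owner, grants

def review_put(current_xml, new_xml):
    """List findings for a PUT /?acl body that would overwrite current_xml."""
    owner, new = parse_acl(new_xml)
    _, old = parse_acl(current_xml)
    kept = {(who, perm) for who, perm, _ in new}
    findings = [] if owner else ["missing mandatory Owner/ID"]
    if len(new) > MAX_GRANTS:
        findings.append(f"{len(new)} grants exceeds the limit of {MAX_GRANTS}")
    for who, perm, deliv in new:
        if who == ("Canned", "Everyone"):
            findings.append(f"public grant: Everyone gets {perm}")
        if deliv:
            findings.append(f"{who[1]} {perm} is applied to all objects")
    for who, perm, _ in old:
        if (who, perm) not in kept:
            findings.append(f"dropped by overwrite: {who[1]} loses {perm}")
    return findings

def _acl(*grants):  # builds constructed sample bodies; the IDs are placeholders
    body = "".join(f"<Grant><Grantee><{k}>{v}</{k}></Grantee><Permission>{p}"
                   f"</Permission></Grant>" for k, v, p in grants)
    return (f"<AccessControlPolicy><Owner><ID>owner-id</ID></Owner>"
            f"<AccessControlList>{body}</AccessControlList></AccessControlPolicy>")

CURRENT = _acl(("ID", "owner-id", "FULL_CONTROL"), ("ID", "partner-id", "READ"))
NEW = _acl(("ID", "owner-id", "FULL_CONTROL"), ("Canned", "Everyone", "READ_ACP"))
print(review_put(CURRENT, NEW))
```

An empty list from `review_put` means the new body keeps every existing grant and adds no public or object-wide grant.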
Sample Request: Specifying Access Permissions Using Headers
```
PUT /?acl HTTP/1.1
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:iqSPeUBl66PwXDApxjRKk6hlcN4=
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
x-obs-acl: private
Date: WED, 01 Jul 2015 02:37:22 GMT
Content-Type: application/xml
```
Sample Response: Specifying Access Permissions Using Headers
```
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSmpL2dv6zZLM2HmUrXKTAi258MPqmrp
x-obs-request-id: 0000018A2A73AF59D3085C8F8ABF0C65
Server: OBS
Content-Length: 0
Date: WED, 01 Jul 2015 02:37:22 GMT
```
Using SDKs to Call APIs
You are advised to use OBS SDKs to call APIs. SDKs encapsulate APIs to simplify development. You can call SDK API functions to access OBS without manually calculating signatures.
Helpful Links
- To use obsutil to configure bucket ACLs, see Setting Bucket Properties.
- To use OBS Browser+ to configure bucket ACLs, see Configuring a Bucket ACL.
- For more information about configuring bucket ACLs, see Configuring a Bucket ACL.
- For details about the billing items involved in API operations, see Billing Items.