Updated on 2026-05-26 GMT+08:00

Configuring an Object ACL

Function

By default, only the object creator has read and write permissions on the object. You can use this API to configure an ACL for an existing object. For example, you can configure a public access policy for an object to allow all users to read the object. If an object is encrypted with SSE-KMS, the ACL configured for it does not take effect for cross-tenant access.

For more information about configuring an object ACL, see Configuring an Object ACL.

Versioning

By default, this operation modifies the ACL of the latest version of an object. To set the ACL of a specific object version, the request can include the versionId parameter.

Constraints

You must be the object owner or have the permission to write the object ACL.

An object owner is the account that uploads the object and is not necessarily the owner of the bucket that stores the object. For example, account B is granted the permission to access a bucket of account A, and account B uploads a file to the bucket. In that case, account B, instead of the bucket owner account A, is the owner of the object. By default, account A is not allowed to access this object and cannot read or modify the object ACL.

An object ACL supports a maximum of 100 grants.

Authorization

To call this API, you must be the object owner or have the permissions to configure an object ACL. You are advised to use IAM or bucket policies for authorization. For details about OBS authorization methods, see Differences Between OBS Permissions Control Methods.

  • If you use IAM for authorization, you need to use either role/policy-based authorization or identity policy-based authorization and configure the required permissions:
    • If you use role/policy-based authorization (IAM v3 APIs in the old IAM version), you must have the obs:object:PutObjectAcl (versioning disabled) and obs:object:PutObjectVersionAcl (versioning enabled or suspended) permissions. For details, see Creating a Custom IAM Policy.
    • If you use identity policy-based authorization (IAM v5 APIs in the new IAM version), you must have the obs:object:putObjectAcl (versioning disabled) and obs:object:putObjectVersionAcl (versioning enabled or suspended) permissions, as shown in the following table. For details, see Creating a Custom IAM Identity Policy.

      | Action | Access Level | Resource Type (*: Required) | Condition Key | Alias | Dependencies |
      | --- | --- | --- | --- | --- | --- |
      | obs:object:PutObjectAcl (versioning disabled); obs:object:PutObjectVersionAcl (versioning enabled or suspended) | Permission_management | object * | g:EnterpriseProjectId | - | - |
      | | | - | obs:EpochTime, obs:SourceIp, obs:TlsVersion, obs:CustomDomain, obs:x-obs-acl | | |
  • If you use bucket policies for authorization, you must have the obs:object:PutObjectAcl (versioning disabled) and obs:object:PutObjectVersionAcl (versioning enabled or suspended) permissions. For details, see Creating a Custom Bucket Policy.

URI

PUT /{object_key}

Calling Method

For details, see Calling APIs. Before calling this API, calculate the API signature and add it to the request.

You can debug this API in API Explorer.

Request Syntax

PUT /ObjectName?acl HTTP/1.1 
Host: bucketname.obs.region.myhuaweicloud.com 
Date: date
Authorization: authorization

<AccessControlPolicy> 
    <Owner> 
        <ID>ID</ID> 
    </Owner> 
    <Delivered>true</Delivered>
    <AccessControlList> 
        <Grant> 
            <Grantee>
               <ID>ID</ID>
            </Grantee> 
            <Permission>permission</Permission> 
        </Grant> 
    </AccessControlList> 
</AccessControlPolicy>

URI Parameters

Table 1 describes the request parameters.

Table 1 URI Parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| versionId | No | String | Definition: Object version ID. The ACL of the specified object version is to be changed. For details about how to obtain the version ID of an object, see Listing Objects in a Bucket. Constraints: N/A. Range: The value must contain 32 characters. Default Value: N/A. If this parameter is not configured, the latest version of the object is specified. |

Request Headers

This request uses common headers. For details, see Table 3.

Request Body

The request message carries the ACL information of the object by using message elements. For the meanings of the elements, see Table 2.

Table 2 Request body parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| AccessControlList | Yes | XML | Definition: Access control list. AccessControlList is the parent node of Grant, Grantee, and Permission. Constraints: N/A. Range: For details, see Table 3. Default Value: N/A. |
| Owner | Yes | XML | Definition: Owner information of a bucket. Owner is a parent node of ID. Constraints: N/A. Range: For details, see Table 4. Default Value: N/A. |
| Canned | No | String | Definition: Grants permissions to all users. Constraints: N/A. Range: Everyone. Default Value: N/A. |

Table 3 AccessControlList parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| Grant | No | XML | Definition: Used to identify users and their permissions. Grant is the parent node of Grantee and Delivered. Constraints: An ACL of an object can contain a maximum of 100 grants. Range: For details, see Table 5. Default Value: N/A. |
| Grantee | No | XML | Definition: Grantee information. Constraints: N/A. Range: N/A. Default Value: N/A. |
| Permission | No | String | Definition: Granted permissions. Constraints: N/A. Range: READ: Allows the grantee to obtain the object content and metadata. READ_ACP: Allows the grantee to read the ACL attributes of an object. WRITE_ACP: Allows the grantee to update the ACL of an object. FULL_CONTROL: The grantee has the READ, READ_ACP, and WRITE_ACP permissions on the object. Default Value: N/A. |

Table 4 Owner parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| ID | Yes | String | Definition: Account ID of the authorized user. Constraints: N/A. Range: For details about how to obtain the domain ID of a user, see Obtaining Account, IAM User, Project, User Group, Region, and Agency Information. Default Value: N/A. |

Table 5 Grant parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| Grantee | No | XML | Definition: Grantee information. Constraints: N/A. Range: N/A. Default Value: N/A. |
| Delivered | No | Boolean | Definition: Whether an object ACL inherits the ACL of a bucket. Constraints: N/A. Range: true: The object inherits the bucket ACL. false: The object does not inherit the bucket ACL. Default Value: true. |

Response Syntax

HTTP/1.1 status_code
Content-Length: length
Content-Type: application/xml

Response Headers

This response uses common headers. For details, see Table 1.

In addition to the common response headers, the headers listed in Table 6 may be used.

Table 6 Response Headers

| Parameter | Type | Description |
| --- | --- | --- |
| x-obs-version-id | String | Definition: Version ID of the object whose ACL is modified. Range: The value must contain 32 characters. |

Response Body

This response contains no elements.

Error Responses

No special errors. You can find all errors in Table 2.

Sample Request

PUT /obj2?acl HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: WED, 01 Jul 2015 04:42:34 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:8xAODun1ofjkwHm8YhtN0QEcy9M=
Content-Length: 727

<AccessControlPolicy xmlns="http://obs.ap-southeast-1.myhuaweicloud.com/doc/2015-06-30/">
  <Owner> 
    <ID>b4bf1b36d9ca43d984fbcb9491b6fce9</ID> 
  </Owner>  
  <Delivered>false</Delivered>
  <AccessControlList> 
    <Grant> 
      <Grantee> 
        <ID>b4bf1b36d9ca43d984fbcb9491b6fce9</ID> 
      </Grantee>  
      <Permission>FULL_CONTROL</Permission> 
    </Grant>  
    <Grant> 
      <Grantee> 
        <ID>783fc6652cf246c096ea836694f71855</ID> 
      </Grantee>  
      <Permission>READ</Permission>
    </Grant>  
    <Grant> 
      <Grantee> 
        <Canned>Everyone</Canned> 
      </Grantee>  
      <Permission>READ</Permission> 
    </Grant> 
  </AccessControlList> 
</AccessControlPolicy>

Sample Response

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: 8DF400000163D3F0FD2A03D2D30B0542
x-obs-id-2: 32AAAUgAIAABAAAQAAEAABAAAQAAEAABCTjCqTmsA1XRpIrmrJdvcEWvZyjbztdd
Date: WED, 01 Jul 2015 04:42:34 GMT
Content-Length: 0

Sample Request: Configuring the ACL for a Specific Object Version

PUT /object01?acl&versionId=G001118A6803675AFFFFD3043F7F91D0 HTTP/1.1
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:iqSPeUBl66PwXDApxjRKk6hlcN4=
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Date: WED, 01 Jul 2015 02:37:22 GMT
Content-Type: application/xml
 
<AccessControlPolicy  xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/">
    <Owner>
        <ID>d029cb567d46458sp0x75800575ee4cf</ID>
    </Owner>
    <Delivered>false</Delivered>
    <AccessControlList>
        <Grant>
            <Grantee>
                <ID>f98sx63gg849422e8f330af1349c588f</ID>
            </Grantee>
            <Permission>FULL_CONTROL</Permission>
        </Grant>
        <Grant>
            <Grantee>
                <ID>fa558a82a84946sn98u30af195as3hi5</ID>
            </Grantee>
            <Permission>READ</Permission>
        </Grant>
        <Grant>
            <Grantee>
                <Canned>Everyone</Canned>
            </Grantee>
            <Permission>READ</Permission>
        </Grant>
    </AccessControlList>
</AccessControlPolicy>

Sample Response: Configuring the ACL for a Specific Object Version

x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSmpL2dv6zZLM2HmUrXKTAi258MPqmrp
x-obs-request-id: 0000018A2A73AF59D3085C8F8ABF0C65
Server: OBS
Content-Length: 0
Date: WED, 01 Jul 2015 02:37:22 GMT
x-obs-version-id: G001118A6803675AFFFFD3043F7F91D0
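
The following added example (not part of the OBS documentation or SDKs) reviews an AccessControlPolicy body like the sample requests above before it is sent. It checks the 100-grant limit and the permission values, and reports grants to Everyone and non-owner grantees whose permission allows them to update the ACL. The function names, severity labels and placeholder account IDs are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

VALID_PERMISSIONS = {"READ", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}
ACL_WRITERS = {"WRITE_ACP", "FULL_CONTROL"}  # both let the grantee update the ACL
MAX_GRANTS = 100                             # limit stated under Constraints

def _all(elem, name):
    """Elements at or below elem with this local tag name, ignoring any namespace."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    """Text of the first `name` element at or below elem, else None."""
    found = _all(elem, name)
    return (found[0].text or "").strip() if found else None

def audit_object_acl(xml_body):
    """Return (severity, message) findings for an AccessControlPolicy body."""
    if "<!DOCTYPE" in xml_body or "<!ENTITY" in xml_body:
        raise ValueError("DTD or entity declarations do not belong in an ACL body")
    root = ET.fromstring(xml_body)
    owner_id = next((_text(o, "ID") for o in _all(root, "Owner")), None)
    grants = _all(root, "Grant")
    findings = []
    if len(grants) > MAX_GRANTS:
        findings.append(("error", f"{len(grants)} grants exceeds the maximum of {MAX_GRANTS}"))
    for grant in grants:
        perm = _text(grant, "Permission")
        grantee_id, canned = _text(grant, "ID"), _text(grant, "Canned")
        if perm not in VALID_PERMISSIONS:
            findings.append(("error", f"unknown permission {perm!r}"))
        elif canned == "Everyone":  # public grant; severity labels are this example's own
            findings.append(("high" if perm in ACL_WRITERS else "warn", f"all users are granted {perm}"))
        elif perm in ACL_WRITERS and grantee_id != owner_id:
            findings.append(("warn", f"{grantee_id} can rewrite the ACL ({perm})"))
    return findings

# Constructed body modelled on the sample requests; the account IDs are placeholders.
SAMPLE = """<AccessControlPolicy xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/">
  <Owner><ID>owner-account-id</ID></Owner>
  <Delivered>false</Delivered>
  <AccessControlList>
    <Grant><Grantee><ID>owner-account-id</ID></Grantee><Permission>FULL_CONTROL</Permission></Grant>
    <Grant><Grantee><ID>partner-account-id</ID></Grantee><Permission>WRITE_ACP</Permission></Grant>
    <Grant><Grantee><Canned>Everyone</Canned></Grantee><Permission>READ</Permission></Grant>
  </AccessControlList>
</AccessControlPolicy>"""

if __name__ == "__main__":
    print(*audit_object_acl(SAMPLE), sep="\n")
```
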

Using SDKs to Call APIs

You are advised to use OBS SDKs to call APIs. SDKs encapsulate APIs to simplify development. You can call SDK API functions to access OBS without manually calculating signatures.

  • Java
  • Python
  • C
  • Go
  • BrowserJS: not supported
  • .NET: not supported
  • Android: not supported
  • iOS: not supported
  • PHP: not supported
  • Node.js
  • Harmony: not supported
