In this series of tutorials, we have learned how to upload files to S3 and how to list all files from S3. But we still have not talked about how to grant public read access to S3 objects using Python.

By default, all objects uploaded to S3 are private, and except for the owner of that object, no one will be able to view that file. In many cases, you will want to let the general public view that file, for example when we are sharing images or using S3 as our static data hosting service.

In this blog, we will learn about different access control lists (ACLs) for objects in S3, and how we can list these ACLs for some objects. We will also learn how we can use Python, boto3, and set_object_access_policy functions to grant public read access to S3 objects.

Setting up permissions for S3

For this tutorial to work, we will need an IAM user who has access to upload a file to S3. We can configure this user on our local machine using AWS CLI or we can use its credentials directly in the Python script. We have already covered this topic on how to create an IAM user with S3 access. If you do not have this user set up, please follow that blog first and then continue with this blog.

What are ACLs

AWS S3 provides predefined grants that we can assign to buckets or objects to give them different access levels. These grants are known as Access Control Lists (ACLs). The table below lists all ACLs available with the access levels they grant on an object or bucket.

You can learn more about ACLs in AWS Documentation. Now that we are familiar with ACLs, let us learn how we can use them with S3 objects. We can also use these with S3 buckets, but we will cover that in another blog.

List ACLs on S3 object

First, we will write Python code to list all grants or ACLs present on some object in S3. We can use the get_object_access_policy function from the boto3 client to list ACLs for objects.

When we run the above function we will see the below output, which is an array of ACLs on the object. As mentioned before, by default there is a "private" ACL on any object in S3 and it grants full access to the owner.

When the object has a "private" ACL attached to it, no one will be able to read that object. We can easily test this. When we click on the object and its URL from the S3 console we will see the below error.

Cannot read private objects in S3 bucket

I am trying to read the test9.text file from my S3 bucket, but as it has a private ACL attached, we see the above page with an access denied error. This can be changed by attaching the "public-read" ACL to the object. Let us learn how we can do that.

Grant public read access to S3 objects

Now that we want to add public read access to our file so that we can share a link with someone, let us learn how we can do that using Python.

When we run this code, the "test9.txt" file in the S3 bucket will have public read access and if we click on its link, we can see the below output.

Once an object has a public-read policy, we can read it
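
The two steps described above, listing the ACL grants on an object and attaching the "public-read" ACL, as an added example that is not the original post's code. It uses the `get_object_acl` and `put_object_acl` calls of the boto3 S3 client; the helper names, the `FakeS3` stub (so the block runs offline), the bucket name and the owner ID are assumptions made for illustration.

```python
# Added example: FakeS3, the bucket name and the owner ID are constructed.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Predefined S3 groups; a grant to either exposes the object beyond its owner.
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}

def list_grants(s3, bucket, key):
    """Return (grantee, permission) pairs from the object's ACL."""
    acl = s3.get_object_acl(Bucket=bucket, Key=key)
    pairs = []
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        # Group grantees carry a URI; canonical users carry an ID.
        name = grantee.get("URI") or grantee.get("ID", "unknown")
        pairs.append((PUBLIC_GROUPS.get(name, name), grant["Permission"]))
    return pairs

def is_public(grants):
    """True if any grant goes to one of the predefined public groups."""
    return any(grantee in PUBLIC_GROUPS.values() for grantee, _ in grants)

def grant_public_read(s3, bucket, key):
    """Attach the canned public-read ACL, then re-read the ACL to confirm."""
    # S3 rejects this call if the bucket has ACLs disabled or blocks public ACLs.
    s3.put_object_acl(ACL="public-read", Bucket=bucket, Key=key)
    grants = list_grants(s3, bucket, key)
    if ("AllUsers", "READ") not in grants:
        raise RuntimeError(f"public-read not applied to {bucket}/{key}")
    return grants

class FakeS3:
    """Constructed offline stand-in exposing the two boto3 client calls used."""
    def __init__(self):
        owner = {"Type": "CanonicalUser", "ID": "owner-id"}
        self.grants = [{"Grantee": owner, "Permission": "FULL_CONTROL"}]
    def get_object_acl(self, Bucket, Key):
        return {"Grants": list(self.grants)}
    def put_object_acl(self, ACL, Bucket, Key):
        if ACL == "public-read":
            group = {"Type": "Group", "URI": ALL_USERS}
            self.grants.append({"Grantee": group, "Permission": "READ"})

if __name__ == "__main__":
    s3 = FakeS3()  # use boto3.client("s3") to run against a real bucket
    print(list_grants(s3, "example-bucket", "test9.txt"))
    print(grant_public_read(s3, "example-bucket", "test9.txt"))
```

Running `list_grants` and `is_public` across every key in a bucket is also a quick way to find objects that were made public and forgotten.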

Conclusion

In this tutorial, we have learned how to list object access control lists (ACLs) and how to add ACLs to S3 objects using Python and boto3. I hope you have found this useful. In the next blog, we will learn how to add bucket-level policies. See you there.