S3 / Client / get_object_acl
get_object_acl#
- S3.Client.get_object_acl(**kwargs)#
Returns the access control list (ACL) of an object. To use this operation, you must have
s3:GetObjectAcl
permissions orREAD_ACP
access to the object. For more information, see Mapping of ACL permissions and access policy permissions in the Amazon S3 User GuideThis action is not supported by Amazon S3 on Outposts.
Versioning
By default, GET returns ACL information about the current version of an object. To return ACL information about a different version, use the versionId subresource.
Note
If your bucket uses the bucket owner enforced setting for S3 Object Ownership, requests to read ACLs are still supported and return the
bucket-owner-full-control
ACL with the owner being the account that created the bucket. For more information, see Controlling object ownership and disabling ACLs in the Amazon S3 User Guide.The following operations are related to
GetObjectAcl
:See also: AWS API Documentation
Request Syntax
response = client.get_object_acl( Bucket='string', Key='string', VersionId='string', RequestPayer='requester', ExpectedBucketOwner='string' )
- Parameters:
Bucket (string) –
[REQUIRED]
The bucket name that contains the object for which to get the ACL information.
When using this action with an access point, you must direct requests to the access point hostname. The access point hostname takes the form AccessPointName-AccountId.s3-accesspoint.*Region*.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see Using access points in the Amazon S3 User Guide.
Key (string) –
[REQUIRED]
The key of the object for which to get the ACL information.
VersionId (string) – VersionId used to reference a specific version of the object.
RequestPayer (string) – Confirms that the requester knows that they will be charged for the request. Bucket owners need not specify this parameter in their requests. For information about downloading objects from Requester Pays buckets, see Downloading Objects in Requester Pays Buckets in the Amazon S3 User Guide.
ExpectedBucketOwner (string) – The account ID of the expected bucket owner. If the bucket is owned by a different account, the request fails with the HTTP status code
403 Forbidden
(access denied).
- Return type:
dict
- Returns:
Response Syntax
{ 'Owner': { 'DisplayName': 'string', 'ID': 'string' }, 'Grants': [ { 'Grantee': { 'DisplayName': 'string', 'EmailAddress': 'string', 'ID': 'string', 'Type': 'CanonicalUser'|'AmazonCustomerByEmail'|'Group', 'URI': 'string' }, 'Permission': 'FULL_CONTROL'|'WRITE'|'WRITE_ACP'|'READ'|'READ_ACP' }, ], 'RequestCharged': 'requester' }
Response Structure
(dict) –
Owner (dict) –
Container for the bucket owner’s display name and ID.
DisplayName (string) –
Container for the display name of the owner. This value is only supported in the following Amazon Web Services Regions:
US East (N. Virginia)
US West (N. California)
US West (Oregon)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
Asia Pacific (Tokyo)
Europe (Ireland)
South America (São Paulo)
ID (string) –
Container for the ID of the owner.
Grants (list) –
A list of grants.
(dict) –
Container for grant information.
Grantee (dict) –
The person being granted permissions.
DisplayName (string) –
Screen name of the grantee.
EmailAddress (string) –
Email address of the grantee.
Note
Using email addresses to specify a grantee is only supported in the following Amazon Web Services Regions:
US East (N. Virginia)
US West (N. California)
US West (Oregon)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
Asia Pacific (Tokyo)
Europe (Ireland)
South America (São Paulo)
For a list of all the Amazon S3 supported Regions and endpoints, see Regions and Endpoints in the Amazon Web Services General Reference.
ID (string) –
The canonical user ID of the grantee.
Type (string) –
Type of grantee
URI (string) –
URI of the grantee group.
Permission (string) –
Specifies the permission given to the grantee.
RequestCharged (string) –
If present, indicates that the requester was successfully charged for the request.
Exceptions
S3.Client.exceptions.NoSuchKey
Examples
The following example retrieves access control list (ACL) of an object.
response = client.get_object_acl( Bucket='examplebucket', Key='HappyFace.jpg', ) print(response)
Expected Output:
{ 'Grants': [ { 'Grantee': { 'DisplayName': 'owner-display-name', 'ID': 'examplee7a2f25102679df27bb0ae12b3f85be6f290b936c4393484be31bebcc', 'Type': 'CanonicalUser', }, 'Permission': 'WRITE', }, { 'Grantee': { 'DisplayName': 'owner-display-name', 'ID': 'examplee7a2f25102679df27bb0ae12b3f85be6f290b936c4393484be31bebcc', 'Type': 'CanonicalUser', }, 'Permission': 'WRITE_ACP', }, { 'Grantee': { 'DisplayName': 'owner-display-name', 'ID': 'examplee7a2f25102679df27bb0ae12b3f85be6f290b936c4393484be31bebcc', 'Type': 'CanonicalUser', }, 'Permission': 'READ', }, { 'Grantee': { 'DisplayName': 'owner-display-name', 'ID': '852b113eexamplee7a2f25102679df27bb0ae12b3f85be6f290b936c4393484be31bebcc7a2f25102679df27bb0ae12b3f85be6f290b936c4393484be31bebcc', 'Type': 'CanonicalUser', }, 'Permission': 'READ_ACP', }, ], 'Owner': { 'DisplayName': 'owner-display-name', 'ID': 'examplee7a2f25102679df27bb0ae12b3f85be6f290b936c4393484be31bebcc', }, 'ResponseMetadata': { '...': '...', }, }