Brooks

Reputation: 7380

Amazon S3 CLI Grants Options

In the AWS S3 Console, you can grant permission to files for "Any Authenticated AWS User" and give "Open/Download" permissions.

What is the CLI command to do the same?

I already know the cp command (for uploading):

aws s3 cp filename s3://bucket/folder/filename

But, I can't figure out the --grants configuration and the documentation is not specific with the accepted values.

Bonus if you can provide the rest of the accepted values for the --grants flag (e.g. View Permissions, Edit Permissions)?

Can this be done recursively?

EDIT 1: I've found the following; however, it makes the file available to EVERYONE (public). So, where is the URI for my groups? I'm assuming it's not the same as the group's ARN.

aws s3 cp file.txt s3://my-bucket/ --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers

We can alternatively do:

aws s3 cp file.txt s3://my-bucket/ --grants [email protected]

That will provide full rights to the account associated with that email address.

Still nowhere to mirror "Any Authenticated AWS User" (I am assuming this is authenticated within my account).

Upvotes: 4

Views: 10082

Answers (2)

James

Reputation: 11931

You should use the --acl parameter to get the canned permissions:

aws s3 cp local.txt s3://some-bucket/remote.txt --acl authenticated-read

The documentation for aws s3 cp describes what the shorthand syntax is for the CLI:

--acl (string) Sets the ACL for the object when the command is performed. If you use this parameter you must have the "s3:PutObjectAcl" permission included in the list of actions for your IAM policy. Only accepts values of private, public-read, public-read-write, authenticated-read, bucket-owner-read, bucket-owner-full-control and log-delivery-write. See Canned ACL for details.

--grants appears to allow fine-tuned custom ACLs, but the syntax is more complicated, as you discovered.

Upvotes: 11

helloV

Reputation: 52375

Check this link: Using High-Level s3 Commands with the AWS Command Line Interface

You may want to do:

aws s3 cp filename s3://bucket/folder/filename --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers

For recursive, use the --recursive option:

When the --recursive option is used on a directory/folder with cp, mv, or rm, the command walks the directory tree, including all subdirectories. These commands also accept the --exclude, --include, and --acl options as the sync command does.

Upvotes: 6
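Added example, not part of either answer: the predefined AuthenticatedUsers group (what --acl authenticated-read grants to) covers every AWS account, not only users in your own, so both group grants on this page reach outside the account. The Python sketch below takes an ACL in the JSON shape printed by `aws s3api get-object-acl` and reports such grants in --grants notation (permission=grantee_type=grantee_id, with permissions read, readacl, writeacl and full). The sample ACL and its owner ID are constructed, and the function and variable names are this example's own.

```python
import json

GROUP_BASE = "http://acs.amazonaws.com/groups/global/"
# Predefined groups that reach beyond the bucket owner's account.
GLOBAL_GROUPS = {
    GROUP_BASE + "AllUsers": "anyone, no credentials needed",
    GROUP_BASE + "AuthenticatedUsers": "any AWS account, not only yours",
}
# Permission names in API output -> names used by `aws s3 cp --grants`.
CLI_PERMISSION = {"READ": "read", "READ_ACP": "readacl",
                  "WRITE_ACP": "writeacl", "FULL_CONTROL": "full"}


def global_grants(acl):
    """Return (grants_token, audience) for every grant to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") != "Group" or uri not in GLOBAL_GROUPS:
            continue  # canonical users and other groups are not flagged here
        perm = grant.get("Permission", "")
        token = "{}=uri={}".format(CLI_PERMISSION.get(perm, perm.lower()), uri)
        findings.append((token, GLOBAL_GROUPS[uri]))
    return findings


# Constructed sample in the shape printed by `aws s3api get-object-acl`.
SAMPLE_ACL = json.loads("""
{
  "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ_ACP"}
  ]
}
""")

if __name__ == "__main__":
    for token, audience in global_grants(SAMPLE_ACL):
        print("exposed via --grants {} ({})".format(token, audience))
```

To check a real object, pass the parsed output of `aws s3api get-object-acl` to `global_grants` in place of `SAMPLE_ACL`.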
