Reputation: 573
From what I can follow in the docs so far, you can get and put the whole ACL (access control list) for an S3 bucket.
The get specs describe that you get all existing grants.
The put specs describe that you need to write the whole ACL object back.
But what if I just want to insert a new grantee (and ideally not retrieve all grants in the ACL to be able to do that)?
Upvotes: 2
Views: 2629
Reputation: 1277
A complete example is this:
    import boto3

    s3_resource = boto3.resource('s3')
    s3_bucket = s3_resource.Bucket("bucket_name")
    bucket_acl = s3_bucket.Acl()

    # One grant per permission; "CANONICAL ID" is a placeholder for the grantee's canonical user ID
    grant_write = {
        "Grantee": {
            "ID": "CANONICAL ID",
            "Type": "CanonicalUser"
        },
        "Permission": "WRITE"
    }
    grant_read = {
        "Grantee": {
            "ID": "CANONICAL ID",
            "Type": "CanonicalUser"
        },
        "Permission": "READ"
    }
    grant_read_acp = {
        "Grantee": {
            "ID": "CANONICAL ID",
            "Type": "CanonicalUser"
        },
        "Permission": "READ_ACP"
    }

    # bucket_acl.grants holds the grants loaded from the bucket; append the new ones to that list
    bucket_acl.grants.append(grant_write)
    bucket_acl.grants.append(grant_read)
    bucket_acl.grants.append(grant_read_acp)

    # Write the full list (existing grants plus the new ones) back, together with the owner
    s3_acl_response = bucket_acl.put(
        AccessControlPolicy={
            "Grants": bucket_acl.grants,
            "Owner": {
                "DisplayName": "OWNER Account",
                "ID": "OWNER CANONICAL ID"
            }
        })
Upvotes: 0
Reputation: 573
The following works for me (still not sure whether all grants are transferred):
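    import boto3

    # Placeholders: replace the bucket name and the three values below with your own
    acl = boto3.resource('s3').BucketAcl('bucket_name')
    grantee_id = 'GRANTEE DISPLAY NAME'
    grantee_canonical_user_id = 'GRANTEE CANONICAL ID'
    owner_canonical_user_id = 'OWNER CANONICAL ID'

    grant = {
        'Grantee': {
            'DisplayName': grantee_id,
            'ID': grantee_canonical_user_id,
            'Type': 'CanonicalUser'
        },
        'Permission': 'FULL_CONTROL'
    }
    # acl.grants is the list loaded from the bucket; the new grant is appended to it
    acl.grants.append(grant)
    acl.put(
        AccessControlPolicy={
            'Grants': acl.grants,
            'Owner': {
                'ID': owner_canonical_user_id
            }
        })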
Upvotes: 1
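The read-modify-write pattern both answers rely on, as an added example that is not code from either answer: a bucket ACL put replaces the whole ACL, so the merge below copies every existing grant and the owner, appends the new grant only if it is missing, and lists grants to the public groups for review before anything is written. The function names, the sample ACL and its IDs are constructed for illustration.

```python
# Constructed sample in the shape returned by get_bucket_acl (IDs are placeholders).
SAMPLE_ACL = {
    "Owner": {"DisplayName": "owner", "ID": "owner-id-placeholder"},
    "Grants": [
        {"Grantee": {"ID": "owner-id-placeholder", "Type": "CanonicalUser"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers",
                     "Type": "Group"}, "Permission": "READ"},
    ],
}
VALID_PERMISSIONS = {"FULL_CONTROL", "WRITE", "WRITE_ACP", "READ", "READ_ACP"}
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _key(grant):
    """Identity of a grant: grantee type, its ID/URI/e-mail, and the permission."""
    g = grant["Grantee"]
    return (g["Type"], g.get("ID") or g.get("URI") or g.get("EmailAddress"),
            grant["Permission"])

def merge_grant(current_acl, canonical_id, permission):
    """Return (policy, changed); policy keeps every existing grant and the owner."""
    if permission not in VALID_PERMISSIONS:
        raise ValueError(f"unknown permission: {permission}")
    new = {"Grantee": {"ID": canonical_id, "Type": "CanonicalUser"},
           "Permission": permission}
    grants = [dict(g) for g in current_acl["Grants"]]  # copy, never mutate the input
    changed = _key(new) not in {_key(g) for g in grants}
    if changed:
        grants.append(new)
    return {"Grants": grants, "Owner": current_acl["Owner"]}, changed

def public_grants(policy):
    """Grants to the AllUsers / AuthenticatedUsers groups, to review before a put."""
    return [g for g in policy["Grants"] if g["Grantee"].get("URI") in PUBLIC_GROUPS]

def add_grantee(bucket_name, canonical_id, permission):
    """Fetch the live ACL, merge one grant, and write back only if it changed."""
    import boto3  # imported here so the helpers above run without AWS access
    s3 = boto3.client("s3")
    current = s3.get_bucket_acl(Bucket=bucket_name)
    policy, changed = merge_grant(current, canonical_id, permission)
    if changed:
        s3.put_bucket_acl(Bucket=bucket_name, AccessControlPolicy=policy)
    return policy, changed
```

Comparing a fresh `get_bucket_acl` result with the returned policy after `add_grantee` confirms that all earlier grants were carried over.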