amazon web services - AWS SDK What context do applications run in for ACL? -

we're using aws sdk (.net) , have uploaded files through our program using putobjectrequest. know how set acl permissions on file once it's created, when trying file using getobjectrequest our application getting "access denied". realize don't know userid application that's running. how can make sure application has permissions needed read file, without using "public" rights? (setting acl on file public works application).

is there way make application retrieve file user or group?

any aws api call request, need access key , secret key pair can set from:

hard coded in app,
aws configuration file (by default in ~/.aws/credentials or c:\users\*username*\.aws\credentials), or
instance role ec2 instances.

for #1 , #2, can check iam user permission in https://console.aws.amazon.com/iam/home?region=us-east-1#users.

for #3, can check iam role in https://console.aws.amazon.com/iam/home?region=us-east-1#roles.

make sure user/role have enough permission read s3 object. can attach policy user/role:

{   "version": "2012-10-17",   "statement": [     {       "sid": "stmt1455021573875",       "action": [         "s3:getobject",         "s3:getobjectacl"       ],       "effect": "allow",       "resource": "arn:aws:s3:::your-bucket-name/*"     }   ] }

adjust above policy. app should have read object access now.

btw, can set acl while creating resource. can find documentation on http://docs.aws.amazon.com/amazons3/latest/dev/acl-using-dot-net-sdk.html.

static string bucketname = "*** provide existing bucket name ***"; static string newbucketname = "*** provide name new bucket ***"; static string newkeyname = "*** provide name new key ***";  iamazons3 client; client = new amazons3client(amazon.regionendpoint.useast1);  // retrieve acl 1 of owner's buckets s3accesscontrollist acl = client.getacl(new getaclrequest {     bucketname = bucketname, }).accesscontrollist;  // describe grant full control owner. s3grant grant1 = new s3grant {     grantee = new s3grantee { canonicaluser = acl.owner.id },     permission = s3permission.full_control };  // describe grant write permission logdelivery group. s3grant grant2 = new s3grant {     grantee = new s3grantee { uri = "http://acs.amazonaws.com/groups/s3/logdelivery" },     permission = s3permission.write };  putbucketrequest request = new putbucketrequest() {     bucketname = newbucketname,     bucketregion = s3region.us,     grants = new list<s3grant> { grant1, grant2 } }; putbucketresponse response = client.putbucket(request);  putobjectrequest objectrequest = new putobjectrequest() {       contentbody = "object data simple put.",     bucketname = newbucketname,     key = newkeyname,     grants = new list<s3grant> { grant1 } }; putobjectresponse objectresponse = client.putobject(objectrequest);

Search This Blog

Ben

amazon web services - AWS SDK What context do applications run in for ACL? -

Comments

Post a Comment

Popular posts from this blog

sublimetext3 - what keyboard shortcut is to comment/uncomment for this script tag in sublime -

java - No use of nillable="0" in SOAP Webservice -

ubuntu - Laravel 5.2 quickstart guide gives Not Found Error -