Ownership Controls
Intro
Ownership Controls (also referred to as Object Ownership) is a bucket-level setting that determines who owns the objects in a bucket. By default, the user who uploads an object is its owner, but Ownership Controls lets you change this behavior.
Ownership Controls are closely related to ACLs (Access Control Lists) because they are used to determine who has access to objects in the bucket. In this article, we'll explore the different settings for Ownership Controls and their impact on ACLs and uploads.
Settings
There are three possible settings for Ownership Controls.
BucketOwnerEnforced
BucketOwnerEnforced makes the bucket owner the object owner, regardless of who uploaded the object. This setting guarantees that the bucket owner owns every object; it also disables ACLs, so they no longer have any effect on access permissions in the bucket.
Requests to update ACLs, or any upload that also attempts to specify an ACL (other than the bucket-owner-full-control canned ACL), fail with an AccessControlListNotSupported error. Requests to read ACLs are still supported.
BucketOwnerPreferred
With BucketOwnerPreferred, the original uploader is still the object owner, but the bucket owner can also become the object owner when needed, by having the upload specify the bucket-owner-full-control canned ACL. This setting is useful in environments where the original uploader may not be known or may not be the appropriate owner. ACLs and uploads work as usual.
ObjectWriter (default)
With ObjectWriter, the original uploader remains the object owner, and the bucket owner has no special ownership rights. ACLs and uploads work as usual.
This setting is the default value for Cubbit.
Disabling ACLs
To disable ACLs for a bucket, set its Ownership Controls to BucketOwnerEnforced.
If your bucket ACL grants read or write access to any account other than your own, you must remove those grants first; otherwise the attempt fails with an InvalidBucketAclWithObjectOwnership error.
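The two failure modes described above (an ACL-carrying upload rejected with AccessControlListNotSupported under BucketOwnerEnforced, and the switch to BucketOwnerEnforced refused with InvalidBucketAclWithObjectOwnership while external grants exist) can be checked before sending any request. The following is an added example, not Cubbit's or AWS's own code. It works offline on the JSON shapes that `aws s3api get-bucket-acl` and `aws s3api get-ownership-controls` print, builds the XML body that a PutOwnershipControls request carries on the wire, and uses a constructed sample ACL; the canonical IDs in it are placeholders.

```python
"""Pre-flight checks for Ownership Controls (added example, offline)."""
import xml.etree.ElementTree as ET

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"
VALID_SETTINGS = ("BucketOwnerEnforced", "BucketOwnerPreferred", "ObjectWriter")

# Constructed sample, same shape as `aws s3api get-bucket-acl` output.
# The IDs are placeholders, not real canonical user IDs.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "me", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER",
                     "DisplayName": "me"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "OTHER-ACCOUNT-ID-PLACEHOLDER"},
         "Permission": "READ"},
    ],
}


def external_grants(acl):
    """Grants in a GetBucketAcl response that go to anyone other than the
    bucket owner. A non-empty result means PutOwnershipControls with
    BucketOwnerEnforced would be refused with
    InvalidBucketAclWithObjectOwnership, so these grants must go first."""
    owner_id = acl["Owner"]["ID"]
    return [
        g for g in acl.get("Grants", [])
        if not (g["Grantee"].get("Type") == "CanonicalUser"
                and g["Grantee"].get("ID") == owner_id)
    ]


def upload_acl_allowed(setting, canned_acl):
    """Whether a PutObject carrying `canned_acl` (None = no ACL header)
    is accepted under `setting`. Under BucketOwnerEnforced only no ACL or
    bucket-owner-full-control is accepted; anything else fails with
    AccessControlListNotSupported. The other two settings accept any ACL."""
    if setting not in VALID_SETTINGS:
        raise ValueError(f"unknown ObjectOwnership value: {setting}")
    if setting != "BucketOwnerEnforced":
        return True
    return canned_acl in (None, "bucket-owner-full-control")


def current_setting(get_ownership_controls_response):
    """Effective setting from a GetOwnershipControls response. Pass None when
    the bucket has no controls configured (e.g. after DeleteOwnershipControls),
    which is equivalent to the default ObjectWriter."""
    if get_ownership_controls_response is None:
        return "ObjectWriter"
    rules = get_ownership_controls_response["OwnershipControls"]["Rules"]
    return rules[0]["ObjectOwnership"]


def ownership_controls_body(setting):
    """XML request body of PutOwnershipControls, i.e. what the CLI's
    --ownership-controls 'Rules=[{ObjectOwnership=...}]' shorthand turns into."""
    if setting not in VALID_SETTINGS:
        raise ValueError(f"unknown ObjectOwnership value: {setting}")
    root = ET.Element("OwnershipControls", xmlns=S3_NS)
    rule = ET.SubElement(root, "Rule")
    ET.SubElement(rule, "ObjectOwnership").text = setting
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    blockers = external_grants(SAMPLE_ACL)
    for g in blockers:
        print("remove before enforcing:", g["Permission"], "->", g["Grantee"])
    if not blockers:
        print("request body:", ownership_controls_body("BucketOwnerEnforced"))
    for acl in (None, "bucket-owner-full-control", "public-read"):
        print(acl, "under BucketOwnerEnforced:",
              upload_acl_allowed("BucketOwnerEnforced", acl))
```

Run against real output by feeding `json.loads(subprocess.check_output(["aws", "s3api", "get-bucket-acl", ...]))` into `external_grants`; the sample ACL above deliberately contains one READ grant to another account so the script shows the blocker case.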
How to
The following examples show how to work with Ownership Controls using the s3api CLI.
Set Ownership Controls while creating a bucket
In the usual CreateBucket API call, also pass --object-ownership with the value BucketOwnerEnforced, BucketOwnerPreferred, or ObjectWriter:
aws s3api create-bucket --endpoint https://s3.cubbit.eu --bucket my-cubbit-bucket --object-ownership BucketOwnerEnforced
Set Ownership Controls on an existing bucket
Use the PutOwnershipControls API with the value BucketOwnerEnforced, BucketOwnerPreferred, or ObjectWriter. The CLI expects the value wrapped in a rule, in the form Rules=[{ObjectOwnership=...}]:
aws s3api put-ownership-controls --endpoint https://s3.cubbit.eu --bucket my-cubbit-bucket --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'
Get Ownership Controls for a bucket
Use the GetOwnershipControls API to read the current setting for a bucket:
aws s3api get-ownership-controls --endpoint https://s3.cubbit.eu --bucket my-cubbit-bucket
Delete Ownership Controls for a bucket
Use the DeleteOwnershipControls API to remove any setting from a bucket (which has the same effect as applying the default value, ObjectWriter):
aws s3api delete-ownership-controls --endpoint https://s3.cubbit.eu --bucket my-cubbit-bucket