Amazon S3 - Set ACL

Declaration

<AMAWSS3 ACTIVITY="set_acl" BUCKETNAME="text" KEYNAME="text" 
ACL="text (options)" VERSION="text" SESSION="text" 
ACCESSKEY="text" SECRETKEY="text (encrypted)" 
PROTOCOL="text (options)" SERVICEURL="text" USERAGENT="text" 
PROXYHOST="text" PROXYPORT="number" PROXYUSER="text" 
PROXYPWD="text (encrypted)" MAXERRORRETRY="number" 
SIGNMETHOD="text" SIGNVERSION="number" />

Description: Sets the Access Control List (ACL) permissions for an existing bucket or object. Each bucket and object in S3 includes an ACL that defines which users are granted access to objects, as well as what operations are allowed on given objects.

NOTE: Bucket ACLs are completely independent of object ACLs. The ACL set on a bucket can differ from the ACL set on any object contained in that bucket; making a bucket private does not make its objects private, and vice versa. An ACL is a list of grants. A grant consists of one grantee and one permission.

Practical Usage

Used to set the ACL permissions for an existing bucket or object. Supply only the bucket name to set the bucket's own ACL; supply the bucket name and a key name to set the ACL of one object in that bucket.

Connection Parameters

Property: Connection
Type: (design mode only)
Required: (design mode only)
Default: Host
Markup: (none)
Description: Indicates where AWS user credentials and preferences originate. This is a design mode parameter used only during task construction and configuration, so it has no markup. The available options are:

  • Host (default) - User credentials and/or advanced preferences are configured individually for this activity. This option is normally chosen when a single activity is enough to complete an operation.

  • Session - User credentials and/or advanced preferences are obtained from a pre-configured session created in an earlier step with the S3 - Create session activity. This option is normally chosen when a combination of related activities is required to complete an operation. Linking several activities to a single session eliminates redundancy and keeps the credentials in one step rather than in every activity. A single task also supports construction and simultaneous execution of multiple sessions.

Property: Session
Type: Text
Required: Yes if connection is session-based
Default: S3Session1
Markup: SESSION="S3Session1"
Description: The name of an existing session to attach this activity to. This parameter is active only if the Connection parameter is set to Session. The default session name is 'S3Session1'.

Property: Access key
Type: Text
Required: Yes if connection is host-based
Default: (Empty)
Markup: ACCESSKEY="022QF06E7MXBSH9DHM02"
Description: A 20-character alphanumeric string that uniquely identifies the owner of the AWS service account, similar to a username. Together with the corresponding secret access key it forms the credential set AWS uses to confirm the caller's identity. This parameter is active only if the Connection parameter is set to Host.

Property: Secret Access key
Type: Text
Required: Yes if connection is host-based
Default: (Empty)
Markup: SECRETKEY="kWcrlUX5JEDGM/LtmEENI/aVmYvHNif5zB+d9+ct"
Description: A 40-character string that serves as the password for the AWS service account. Together with the associated access key it forms the credential set AWS uses to confirm the caller's identity. The value is stored encrypted in the task. This parameter is active only if the Connection parameter is set to Host.

Property: Protocol
Type: Text (options)
Required: No
Default: HTTP
Markup: PROTOCOL="HTTPS"
Description: The protocol used to connect to the service endpoint. The available options are:

  • HTTP (default) - Requests and object data travel in clear text.

  • HTTPS - Recommended; the connection to the endpoint is encrypted.

Property: User agent
Type: Text
Required: No
Default: AutoMate
Markup: USERAGENT="AutoMate"
Description: The name of the client or application initiating requests to AWS, which in this case is AutoMate. The default value is 'AutoMate'.

Property: Service URL
Type: Text
Required: No
Default: (Empty)
Markup: SERVICEURL="https://s3.eu-west-1.amazonaws.com"
Description: The URL that provides the service endpoint. To make the service call to a different region, pass the region-specific endpoint URL. For example, https://s3.us-west-1.amazonaws.com points to the US West (Northern California) region. A complete list of S3 regions, along with associated endpoints and valid protocols, can be found below under S3 Endpoints and Regions.

Property: Maximum retry on error
Type: Number
Required: No
Default: (Empty)
Markup: MAXERRORRETRY="4"
Description: The number of times this activity should retry its request to the server before returning an error. Network components can generate errors at any point in the life of a request, so retries can increase reliability.

Property: Proxy host
Type: Text
Required: No
Default: (Empty)
Markup: PROXYHOST="proxy.host.com"
Description: The host name (e.g., server.domain.com) or IP address (e.g., xxx.xxx.xxx.xxx) of the proxy server to use when connecting to AWS.

Property: Proxy port
Type: Number
Required: No
Default: (Empty)
Markup: PROXYPORT="1028"
Description: The port used to connect to the proxy server.

Property: Proxy username
Type: Text
Required: No
Default: (Empty)
Markup: PROXYUSER="username"
Description: The username used to authenticate the connection with the proxy server (if required).

Property: Proxy password
Type: Text
Required: No
Default: (Empty)
Markup: PROXYPWD="encrypted"
Description: The password used to authenticate the connection with the proxy server (if required). The value is stored encrypted in the task.

ACL Parameters

Property: Bucket Name
Type: Text
Required: Yes
Default: (Empty)
Markup: BUCKETNAME="MyBucket"
Description: The name of the bucket whose ACL is set or, when a key name is also given, the bucket containing the object whose ACL is set.

Property: Key Name (Optional)
Type: Text
Required: No
Default: (Empty)
Markup: KEYNAME="myFile"
Description: The key name of the object whose ACL is set. A key is the unique identifier for an object within a bucket; every object in a bucket has exactly one key. Leave this empty to set the ACL of the bucket itself.

Property: Canned ACL
Type: Text
Required: Yes
Default: Private
Markup: ACL="PublicRead"
Description: Specifies the canned ACL to apply. A canned ACL is a predefined list of grants. The available options are:

  • NoACL - No access policies.

  • Private (Default) - Owner gets full control. No one else has access rights.

  • PublicRead - Owner gets full control and the anonymous principal is granted read access. Anyone, without credentials, can list the bucket or read the object.

  • PublicReadWrite - Owner gets full control and the anonymous principal is granted read and write access. It can be applied to a bucket, but this is generally not recommended: anyone can then create, overwrite, or delete objects in it.

  • AuthenticatedRead - Owner gets full control, and any principal authenticated as a registered Amazon S3 user is granted read access. This covers any AWS account, not only users of your own account.

  • BucketOwnerRead - Object owner gets full control. Bucket owner gets read access. This ACL applies only to objects and is equivalent to Private when used with the Create Bucket activity. Use it to let someone other than the bucket owner write content (and keep full control of it) in the bucket while still granting the bucket owner read access to the objects.

  • BucketOwnerFullControl - Object owner gets full control. Bucket owner gets full control. This ACL applies only to objects and is equivalent to Private when used with the Create Bucket activity. Use it to let someone other than the bucket owner write content in the bucket while still granting the bucket owner full rights over the objects.

Property: Version ID (Optional)
Type: Text
Required: No
Default: (Empty)
Markup: VERSION="333333"
Description: Specifies the version ID of the object whose ACL is set. This is useful in a versioned bucket, where several versions share the same key name but have different version IDs. If omitted, the ACL is applied to the current version of the object.

Advanced Parameters

Each Amazon S3 object has an associated set of key-value pairs called headers or metadata. Metadata can provide important details about an object, such as file name, type, and date of creation or modification. There are two kinds of metadata in S3: system metadata, which is used and processed by Amazon S3, and user metadata (also known as custom headers), which is specified by you. Amazon S3 simply stores user metadata and passes it back to you on request, so you can use custom headers to record information such as first name, last name, company name, or phone numbers and distinguish specific files by it. Using this parameter, you can add new custom headers or user metadata to existing S3 objects, edit the default S3 metadata on a bucket, or store new objects with custom headers or metadata.

Property: Name
Type: Text
Required: No
Default: (Empty)
Markup: HEADER NAME="myHeader"
Description: Specifies the "key" in a key-value pair. This is the handle that you assign to an object. In Amazon S3, details about each file and folder are stored in key-value pairs called metadata or headers. System metadata is used and processed by Amazon S3; user metadata, or custom headers, can be specified by you, which lets you distinguish specific files by adding or editing custom headers on existing S3 objects or assigning custom headers to new objects. Press Click here to add new row... to add a key-value pair. Press the red X to remove an existing key-value pair.

Property: Value
Type: Text
Required: No
Default: (Empty)
Markup: VALUE="theValue"
Description: Specifies the "value" in a key-value pair. This is the content stored for the object under the key given in Name. Pairs are added and removed in the same way as described for Name.

Description tab - A custom description can be provided on the Description tab to convey additional information or share special notes about a task step.

Error Causes tab - Specify how this step should behave upon the occurrence of an error. (Refer to Task Builder > Error Causes Tab for details.)

On Error tab - Specify what AWE should do if this step encounters an error as defined on the Error Causes tab. (Refer to Task Builder > On Error Tab for details.)

S3 Endpoints and Regions

This table contains a complete list of Amazon S3 endpoints, along with their corresponding regions, supported protocols and location constraints.

Endpoint                          Region                                   Protocol         Location Constraint
s3.amazonaws.com                  US Standard *                            HTTP and HTTPS   (none required)
s3.us-west-2.amazonaws.com        US West (Oregon) Region                  HTTP and HTTPS   us-west-2
s3.us-west-1.amazonaws.com        US West (Northern California) Region     HTTP and HTTPS   us-west-1
s3.eu-west-1.amazonaws.com        EU (Ireland) Region                      HTTP and HTTPS   EU
s3.ap-southeast-1.amazonaws.com   Asia Pacific (Singapore) Region          HTTP and HTTPS   ap-southeast-1
s3.ap-southeast-2.amazonaws.com   Asia Pacific (Sydney) Region             HTTP and HTTPS   ap-southeast-2
s3.ap-northeast-1.amazonaws.com   Asia Pacific (Tokyo) Region              HTTP and HTTPS   ap-northeast-1
s3.sa-east-1.amazonaws.com        South America (Sao Paulo) Region         HTTP and HTTPS   sa-east-1

* The US Standard region automatically routes requests to facilities in Northern Virginia or the Pacific Northwest using network maps.

Example

The sample AML code below can be copied and pasted directly into the Steps panel of the Task Builder.

Description: Set the access control list (ACL) to "PublicRead". Bucket name is "myBucket". Key name is "file.txt". Version ID is "2". Use the "mySession" S3 session.

<AMAWSS3 ACTIVITY="set_acl" BUCKETNAME="myBucket" KEYNAME="file.txt" 
VERSION="2" ACL="PublicRead" SESSION="mySession" />
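The following is an added example, not code from AutoMate or this page. It encodes the canned ACL definitions from the ACL Parameters section as the grants they expand to, then parses set_acl steps such as the one above and reports what each step would actually grant: anonymous (public) access, public write on a bucket, read access for any AWS account, and host-based steps that would fall back to the documented HTTP default. The sample steps, the function names and the rule that an https:// SERVICEURL counts as TLS are constructed for illustration; the ACCESSKEY value is the placeholder used on this page.

```python
"""Audit AutoMate AML set_acl steps against the canned-ACL semantics described on this page."""
import xml.etree.ElementTree as ET

# Each canned ACL expanded into the (grantee, permission) grants the page describes.
# "owner" is the bucket or object owner, "AllUsers" the anonymous principal, and
# "AuthenticatedUsers" any authenticated S3 user (any AWS account, not only yours).
CANNED_ACLS = {
    "NoACL": [],
    "Private": [("owner", "FULL_CONTROL")],
    "PublicRead": [("owner", "FULL_CONTROL"), ("AllUsers", "READ")],
    "PublicReadWrite": [("owner", "FULL_CONTROL"), ("AllUsers", "READ"), ("AllUsers", "WRITE")],
    "AuthenticatedRead": [("owner", "FULL_CONTROL"), ("AuthenticatedUsers", "READ")],
    "BucketOwnerRead": [("owner", "FULL_CONTROL"), ("bucket-owner", "READ")],
    "BucketOwnerFullControl": [("owner", "FULL_CONTROL"), ("bucket-owner", "FULL_CONTROL")],
}
_BY_LOWER = {name.lower(): name for name in CANNED_ACLS}


def expand_canned_acl(acl, target):
    """Return the grant list for a canned ACL applied to 'bucket' or 'object'.
    The two BucketOwner* ACLs apply only to objects; on a bucket they equal Private."""
    name = _BY_LOWER.get(acl.lower())
    if name is None:
        raise ValueError("unknown canned ACL: %r" % acl)
    if target == "bucket" and name.startswith("BucketOwner"):
        name = "Private"
    return list(CANNED_ACLS[name])


def audit_step(aml):
    """Parse one AML step. Returns None unless it is an AMAWSS3 set_acl step,
    otherwise a dict with the resolved target, grants and a list of findings."""
    el = ET.fromstring(aml)
    if el.tag != "AMAWSS3" or el.get("ACTIVITY", "").lower() != "set_acl":
        return None
    target = "object" if el.get("KEYNAME") else "bucket"  # no key name: the bucket ACL is set
    acl = el.get("ACL", "Private")                          # Private is the documented default
    grants = expand_canned_acl(acl, target)
    findings = []
    if any(grantee == "AllUsers" for grantee, _ in grants):
        findings.append("public")
    if target == "bucket" and ("AllUsers", "WRITE") in grants:
        findings.append("public-write-bucket")  # anyone can create, overwrite or delete objects
    if any(grantee == "AuthenticatedUsers" for grantee, _ in grants):
        findings.append("any-aws-account")
    # Host-based steps carry their own ACCESSKEY and default to HTTP per the page.
    # Assumption (not stated on the page): an https:// SERVICEURL also counts as TLS.
    if "ACCESSKEY" in el.attrib:
        https = (el.get("PROTOCOL", "HTTP").upper() == "HTTPS"
                 or el.get("SERVICEURL", "").lower().startswith("https://"))
        if not https:
            findings.append("cleartext")
    return {"bucket": el.get("BUCKETNAME"), "target": target, "acl": acl,
            "grants": grants, "findings": findings}


def audit_task(steps):
    """Audit a list of AML step strings, skipping steps that are not set_acl."""
    return [r for r in (audit_step(s) for s in steps) if r is not None]


# Constructed sample steps (not from a real task). The first is the page's own example.
SAMPLE_STEPS = [
    '<AMAWSS3 ACTIVITY="set_acl" BUCKETNAME="myBucket" KEYNAME="file.txt" '
    'VERSION="2" ACL="PublicRead" SESSION="mySession" />',
    # Weak: bucket-level public read/write, host-based, default (HTTP) protocol.
    '<AMAWSS3 ACTIVITY="set_acl" BUCKETNAME="myBucket" ACL="PublicReadWrite" '
    'ACCESSKEY="022QF06E7MXBSH9DHM02" SECRETKEY="(encrypted)" />',
    # Corrected: owner-only ACL on the bucket, sent over HTTPS.
    '<AMAWSS3 ACTIVITY="set_acl" BUCKETNAME="myBucket" ACL="Private" '
    'ACCESSKEY="022QF06E7MXBSH9DHM02" SECRETKEY="(encrypted)" PROTOCOL="HTTPS" '
    'SERVICEURL="https://s3.eu-west-1.amazonaws.com" />',
    # BucketOwnerRead on a bucket collapses to Private, as the page notes.
    '<AMAWSS3 ACTIVITY="set_acl" BUCKETNAME="myBucket" ACL="BucketOwnerRead" SESSION="mySession" />',
]

if __name__ == "__main__":
    for result in audit_task(SAMPLE_STEPS):
        print(result["target"], result["acl"], result["findings"])
```

Run against the sample steps, the page's own example is reported as "public" (anyone can download file.txt version 2), the weak bucket step as public, public-write-bucket and cleartext, and the corrected step with no findings. Because each AML step is a well-formed XML element, the same parser can be pointed at an exported task to review every set_acl step before it runs.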