Share an Object and a Bucket

To share an object, you use access control lists (ACLs). To set the ACL of an object, you must have the WRITE_ACP permission for the object.

Depending on your application architecture and needs, you can set the ACLs using the request headers or the body of the request.
When setting access permissions, you can use a predefined ACL and specify its type with the x-amz-acl header, or explicitly specify the permissions you grant with the following headers:
  • x-amz-grant-read
  • x-amz-grant-read-acp
  • x-amz-grant-write-acp
  • x-amz-grant-full-control
To grant permissions, you specify the grantee of the permission as a type-value pair. Following are the available grantee types:
  • To use the user name of an organization user, use the id type.
  • To grant permissions to a predefined group, use the uri type.

For more information about working with ACLs, see https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html.

Following the steps in the current procedure, you assign the Read of Object, the Write of Object, and the Write of Bucket permissions to an organization user. Then you assign Public Read permissions for the object.

Prerequisites

  • Verify that you created an object in a bucket. For example, report_dec.xlsx, in the Reports bucket.
  • Verify that you have WRITE_ACP permissions for the report_dec.xlsx object and for the Reports bucket.

Procedure

  1. Assign Read of Object permissions to an organization user.
    PUT https://vcloud-object-storage.example.com:8443/api/v1/s3/Reports/report_dec.xlsx

    If you use the request headers, use the x-amz-grant-read header and the user ID of the grantee.

    If you use the request body, see the following example of a valid request body in JSON and XML formats:
    {
      "grants": [
        {
          "grantee": {
            "id": "ID-of-John-Doe"
          },
          "permission": "READ"
        }
      ],
      "owner": {
        "displayName": "Jane Doe"
      }
    }

    <AccessControlPolicy>
      <Owner>
        <ID>ID-of-Jane-Doe</ID>
        <DisplayName>Jane Doe</DisplayName>
      </Owner>
      <AccessControlList>
        <Grant>
          <Grantee>
            <ID>ID-of-John-Doe</ID>
            <DisplayName>John Doe</DisplayName>
          </Grantee>
          <Permission>READ</Permission>
        </Grant>
      </AccessControlList>
    </AccessControlPolicy>
    
    The grantee can now download the object.
  2. To allow the organization user to upload updated versions of the object to the bucket, assign Write of Bucket permissions for the bucket.
    PUT https://vcloud-object-storage.example.com:8443/api/v1/s3/Reports

    If you use the request headers, use the x-amz-grant-write header and the user ID of the grantee.

    If you use the request body, see the following example of a valid request body in JSON and XML formats:
    {
      "grants": [
        {
          "grantee": {
            "id": "ID-of-John-Doe"
          },
          "permission": "WRITE"
        }
      ],
      "owner": {
        "displayName": "Jane Doe"
      }
    }

    <AccessControlPolicy>
      <Owner>
        <ID>ID-of-Jane-Doe</ID>
        <DisplayName>Jane Doe</DisplayName>
      </Owner>
      <AccessControlList>
        <Grant>
          <Grantee>
            <ID>ID-of-John-Doe</ID>
            <DisplayName>John Doe</DisplayName>
          </Grantee>
          <Permission>WRITE</Permission>
        </Grant>
      </AccessControlList>
    </AccessControlPolicy>
    
    The grantee can now upload updated versions of the object to the bucket.
  3. To share the report with internal and external users, make the object publicly readable.
    PUT https://vcloud-object-storage.example.com:8443/api/v1/s3/Reports/report_dec.xlsx

    Use the x-amz-acl header and the public-read value.