Identity and Access Management
Any enabled vCloud Director organization tenant user can work with the vCloud Director Object Storage Extension S3 REST API.
vCloud Director Object Storage Extension uses the identity providers and configuration of vCloud Director.
For more information, see the Managing Identity Providers topic in the vCloud Director Service Provider Admin Portal Guide.
Access management to buckets and objects in vCloud Director Object Storage Extension is the same as in AWS S3. To share an object or a bucket with other users, you modify the access permissions for that object or bucket. For more information, see the Overview of Managing Access topic in the AWS S3 Developer Guide.
In the vCloud Director Object Storage Extension S3 REST API, buckets and objects are the entities that you can work with. By default, only the entity owner can access the entity. The user account that creates a bucket and uploads objects to it owns the bucket and the objects in the bucket.
You use bucket policies or access control lists (ACLs) to manage the access permissions for buckets, and ACLs to manage the access permissions for objects.
Access Control Lists
Every bucket and every object has an ACL associated with it. An ACL is a list of grants, each of which identifies a grantee and the permissions granted to that grantee. You can use ACLs to grant permissions to other users within the same vCloud Director organization, or to make buckets and objects publicly accessible. ACLs grant basic read/write permissions to a grantee.
You can use a set of built-in canned ACLs, or you can create a custom ACL.
| Permission | When applied to a bucket | When applied to an object |
|---|---|---|
| READ | Allows the grantee to list the objects in the bucket. | Allows the grantee to read the object data and its metadata. |
| WRITE | Allows the grantee to create, overwrite, and delete objects in the bucket. | Not applicable. |
| READ_ACP | Allows the grantee to read the ACL of the bucket. | Allows the grantee to read the ACL of the object. |
| WRITE_ACP | Allows the grantee to write the ACL for the bucket. | Allows the grantee to write the ACL for the object. |
| FULL_CONTROL | Grants Read and Write permissions for the bucket and Read and Write permissions for the ACL of the bucket. | Grants Read and Write permissions for the object and Read and Write permissions for the ACL of the object. |
| Canned ACL | Description |
|---|---|
| Private | Only the owner can access the bucket or the object. |
| Public-Read | Grants Read permissions to all users. |
| Public-Read-Write | Grants Read and Write permissions to all users. |
| Authenticated-Read | Grants Read permissions to all authenticated users. |
Bucket Policies
With the vCloud Director Object Storage Extension S3 REST API, you can modify the access permissions of a bucket by adding a bucket policy to the bucket. Bucket policies supplement the access permissions that you can grant with ACLs. With bucket policies, you can, for example, grant access permissions to a bucket to multiple vCloud Director organization users, with added conditions. You can also restrict access to a bucket to a specific IP address or a specific HTTP referrer.
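As an added example (not from this documentation or from the extension's own code), the following Python models in simplified form how a bucket policy of the kind described above, with an IP-address condition and an HTTP-referrer condition, restricts object reads to named organization users. The policy, the user names, the bucket name and the request values are constructed; the evaluation order (an explicit Deny wins, otherwise a matching Allow is needed, otherwise access is denied) is the standard S3 policy semantics assumed here, and only the IpAddress and StringLike operators are modelled.

```python
import fnmatch
import ipaddress
# Constructed policy (not from the page): alice and bob may read objects in
# "reports", but only from 10.0.0.0/8 and only with the intranet referrer.
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["alice", "bob"]},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::reports/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"},
                  "StringLike": {"aws:Referer": "https://intranet.example/*"}},
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match_any(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(condition, ctx):
    # Every operator/key pair in the Condition block must hold (logical AND).
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:  # request lacks the key: condition fails
                return False
            if operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in _as_list(wanted))
            elif operator == "StringLike":
                ok = _match_any(actual, wanted)
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                return False
    return True

def evaluate(policy, principal, action, resource, ctx):
    # Simplified S3-style evaluation: explicit Deny wins, else any Allow, else deny.
    allowed = False
    for stmt in policy["Statement"]:
        principals = ["*"] if stmt["Principal"] == "*" else _as_list(stmt["Principal"]["AWS"])
        if ("*" not in principals and principal not in principals
                or not _match_any(action, stmt["Action"])
                or not _match_any(resource, stmt["Resource"])
                or not _condition_holds(stmt.get("Condition", {}), ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Note that a request without a Referer header fails the StringLike condition, so a policy written this way also blocks clients that do not send one.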