Join us and get access to thousands of tutorials and a community of expert Pythonistas.

Unlock This Lesson

This lesson is for members only. Join us and get access to thousands of tutorials and a community of expert Pythonistas.

Unlock This Lesson

Hint: You can adjust the default video playback speed in your account settings.
Hint: You can set your subtitle preferences in your account settings.
Sorry! Looks like there’s an issue with video playback 🙁 This might be due to a temporary outage or because of a configuration issue with your browser. Please see our video player troubleshooting guide to resolve the issue.

Access Control Lists

Joe Tatusko

Python, Boto3, and AWS S3: Demystified
Joe Tatusko 06:20

Recommended Tutorial Sample Code (.zip)

Access Control Lists (ACLs) help you manage access to your buckets and the objects within them. They are considered the legacy way of administrating permissions to S3. Why should you know about them? If you have to manage access to individual objects, then you would use an object ACL.

By default, when you upload an object to S3, that object is private. If you want to make this object available to someone else, you can set the object’s ACL to be public at creation time.

00:00 Now it’s time to get into some advanced features of S3 and how you can use Boto3 to take advantage of them. First, let’s talk about Access Control Lists, or ACLs.

00:11 These are a way of controlling permissions on S3, so if you need to manage rules for individual objects, you can use an object ACL. When you upload something to S3, the default configuration is to set the object as private.

00:25 If you want to make the object publicly accessible, you can set the ACL at creation time. Let’s create a second file and see what this looks like. So, from my terminal I’m going to open up Python, import bodo3, and also going to import this create_temp_file(), so from boto3_guide import create_temp_file.

00:52 Cool. And I’m going to grab this first bucket name again.

01:01 So, first_bucket_name and set that equal to the first bucket name. All right! second_file_name is going to equal create_temp_file().

01:16 And make this one 400 bytes, let’s call it 'secondfile.txt', and go ahead and fill it with 's'. All right, if that worked, you should be able to open it up and—yep!

01:33 There’s a bunch of s’s in this new second file here. And if you want to see what that name is, you can just say “What’s second_file_name?” And there it is.

01:43 Before I get too far, I’m going to copy that, paste it. So now, create another resource interface by saying boto3.resource('s3').

01:59 And go ahead and make a second_object, which is just going to be the s3_resource.Object() and put this in the first bucket,

02:13 and give it the second_file_name. Okay, so at this point you have your second_object instance, but like before, nothing has been uploaded to S3 yet.

02:26 So go ahead and call .upload_file(). And in here, you’re going to pass the second_file_name, but then this time you’re also going to pass in these ExtraArgs.

02:47 And this extra argument is going to be 'ACL' in all caps, and set this equal to 'public-read', just like that. Close out the dictionary and close out the function. Run this, no errors. So if you want to see what that object’s ACL is, you can go ahead and make something called second_object_acl and set this equal to your second_object

03:19 and call the .Acl() method off of that. So from here, if you wanted to see who has access

03:29 based on that ACL, you can say second_object_acl and get this .grants property off of it. And we can take a look here and you can see that you have a list of these grantees.

03:47 So this first grantee is myself, with my ID and everything, and you can see that my permission is 'FULL_CONTROL', which makes sense because I made the object. Now the second grantee over here isn’t a specific user, but a group. And this group represents global/AllUsers.

04:09 And if you keep following, the 'Permission' here is 'READ', which matches this 'ACL' from up here, where when you uploaded this file, you set it equal to 'public-read'.

04:21 Now let’s say for a second that you didn’t want to do that, and maybe you want to make this object private. Now, one way you could do this is by deleting the object and then re-uploading it, but fortunately, you don’t have to do that.

04:37 So let’s make a new response here, and what you’re going to do is take that second_object_acl and you’re going to call .put() off of that. And inside here, just say ACL and set this equal to 'private'.

04:58 Let’s run that, no errors. Let’s see what response looks like. And this looks just like the response that you got when you deleted an object, and here you can see your HTTP response is a 200 code, which means it was successful.

05:14 So, let’s actually prove that by taking a look at the second_object.acl.grants property again.

05:25 And we’re not looking at the second_object.acl, we are looking at second_object_acl, so that would help if that’s typed incorrectly. And here you go!

05:37 Taking a look at this again, you can see that now the only 'Grantee' that’s on here is myself. All right! Now you should have a pretty good idea of how you can use ACLs when you’re creating and working with objects to control who has access to look at them.

05:55 If you think you’re going to have multiple categories of data uploaded to S3, you can look into tags. Tags aren’t only a great way to separate out data, but you can actually grant access to objects based on their tags. Okay!

06:12 In the next video, you’re going to learn how to use encryption to add an extra layer of security to your data.

Become a Member to join the conversation.