Bucket ACLs

Overview

Access Control List (ACL) on vStorage is a feature that lets you manage access to buckets and to the objects within them. ACLs provide a small, fixed set of access levels that you can grant to other Root User Accounts, IAM User Accounts or Service Accounts on vStorage; they do not support conditions such as source IP (use a Bucket Policy for that; see the notes at the end of this page). A basic guide to using ACLs:

  1. Select the icon of the project that contains the bucket you want to grant permissions on.

  2. If you want to delegate bucket permissions to a Root User Account, an IAM User Account or a Service Account, you need the vStorage User ID of the user you want to delegate permissions to:

    a. For a Root User Account: the vStorage User ID is shown on the project information page.

    b. For an IAM User Account or Service Account: the vStorage User ID is shown in Identity and Access Management.

  3. Select the bucket you want to set ACLs on.

  4. Select the Action icon and select Set ACLs.

  5. Select the user sets and the access rights for each. Specifically:

    • User sets in ACL: an ACL can grant access rights to the following types of users:

      • Bucket owner: the owner of the bucket.

      • Everyone (Public Access): all users; anyone can access the resource without authenticating.

      • Authenticated users: every authenticated user on the vStorage HCM04 system, not only users in your project.

      • Other accounts: only the users whose vStorage User IDs you enter can access the resource. The vStorage User ID is found as described in step 2.

    • Permissions that can be granted. The same action grants different rights on a bucket and on an object:

      Action         Bucket ACLs                                    Object ACLs
      READ           ListObjects: view the list of all objects      ReadObject: view the object's data and
                     in the bucket.                                 metadata.
      WRITE          WriteObjects: upload objects to the bucket.    Not supported.
      READ + WRITE   ListObjects + WriteObjects: view the list      ReadObject: view the object's data and
                     of objects in the bucket and upload            metadata.
                     objects to it.

      In addition, the ReadBucketACL, WriteBucketACL, ReadObjectACL and WriteObjectACL permissions let a user view or update the ACL configuration of the bucket or object. Note that WriteBucketACL lets the grantee rewrite the ACL itself, including granting further rights to themselves or to Everyone, so treat it as full control of the bucket.

  6. Select Update to save the ACL configuration.


Example

Example 1: Grant ListObjects permission to everyone (Public-Read)

  • Select Everyone (Public Access) in the Access control list section.

  • Select the List action to grant all users permission to list the objects in the bucket. Anyone, without credentials, can then enumerate the object names in this bucket.

  • Select Save.

Example 2: Grant List and Write permissions to another vStorage account

Attention:

  • To grant another vStorage account access to your resources, you need the vStorage User ID of the user you want to share access with. The vStorage User ID is found as described in step 2 above.

  • In Other accounts, enter the vStorage User ID of the account you want to grant permissions to.

  • Select the List and Write actions to grant permission to list the objects in the bucket and to upload objects to it.

  • Select Save.

  • In this example, the bucket bucket001 has been shared with those permissions with the user vngclouddemo-123456. That user can now use the Add external bucket feature to add the shared bucket to their own bucket list.

Attention:

  • Public access (Everyone): use public access only when necessary; a public ACL grant exposes the bucket listing or object data to anyone, without authentication, and is a common cause of unwanted data disclosure. If you need to manage access in a granular way, use a Bucket Policy instead of public ACLs: a Bucket Policy lets you attach conditions to access, such as source IP restrictions or an authentication requirement.

  • Combined with a Bucket Policy: an ACL can be used in parallel with a Bucket Policy, but take care to avoid conflicting permissions. An explicit deny in the Bucket Policy takes precedence over an ACL grant. For example, if the ACL allows Everyone to ListObjects in a bucket but the Bucket Policy denies access from public sources, anonymous users will not be able to list or read the objects.

  • Limitations of ACLs: an ACL does not support conditions such as those in a Bucket Policy, so it is only suitable for simple authorization scenarios (a fixed access level for a fixed set of users). When you need more fine-grained control, combine it with a Bucket Policy.
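The console steps, the permission table and the two examples above all describe the same underlying ACL document. The Python script below is an added example, not code from the vStorage documentation or from VNG Cloud. It assumes that vStorage accepts the S3-compatible AccessControlPolicy XML used by PutBucketAcl/GetBucketAcl, that the vStorage User ID is the canonical user ID in a grant, and that the page's permission names map onto the S3 tokens READ/WRITE/READ_ACP/WRITE_ACP as shown in the PERMISSION_TOKENS table (all of these are this example's assumptions); the user IDs are constructed sample values. It builds the ACL for Example 1 (Public-Read) and Example 2 (List + Write for another account), and then runs the check a practitioner wants before saving: an audit that reports every grant to Everyone or Authenticated users, the unwanted-disclosure case the Attention note above warns about, with WRITE/WRITE_ACP grants to a group flagged as high severity because they let strangers upload data or rewrite the ACL itself.

```python
"""Build and audit S3-style bucket ACL documents for the vStorage examples.

Added example (not from the vStorage documentation). Assumptions: vStorage
accepts the S3-compatible AccessControlPolicy XML used by PutBucketAcl and
GetBucketAcl, and the vStorage User ID is the canonical user ID in a grant.
All IDs below are constructed sample values.
"""
import xml.etree.ElementTree as ET

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Console user sets "Everyone" and "Authenticated users" are S3 grantee groups.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Permission names used on this page -> S3 ACL permission tokens (assumed mapping).
PERMISSION_TOKENS = {
    "ListObjects": "READ",          # bucket READ: list the bucket's objects
    "ReadObject": "READ",           # object READ: read data and metadata
    "WriteObjects": "WRITE",        # bucket WRITE: upload objects
    "ReadBucketACL": "READ_ACP",
    "WriteBucketACL": "WRITE_ACP",
    "ReadObjectACL": "READ_ACP",
    "WriteObjectACL": "WRITE_ACP",
    "FullControl": "FULL_CONTROL",
}


def s3(tag):
    """Qualified tag name in the S3 document namespace."""
    return f"{{{S3_NS}}}{tag}"


def grant_group(uri, *permissions):
    """Grant to Everyone (ALL_USERS) or Authenticated users (AUTHENTICATED_USERS)."""
    return {"type": "Group", "uri": uri,
            "permissions": [PERMISSION_TOKENS[p] for p in permissions]}


def grant_user(user_id, *permissions):
    """Grant to 'Other accounts': the vStorage User ID identifies the grantee."""
    return {"type": "CanonicalUser", "id": user_id,
            "permissions": [PERMISSION_TOKENS[p] for p in permissions]}


def build_acl_xml(owner_id, grants):
    """Serialise an AccessControlPolicy; the bucket owner always keeps FULL_CONTROL."""
    ET.register_namespace("", S3_NS)
    ET.register_namespace("xsi", XSI_NS)
    policy = ET.Element(s3("AccessControlPolicy"))
    ET.SubElement(ET.SubElement(policy, s3("Owner")), s3("ID")).text = owner_id
    acl = ET.SubElement(policy, s3("AccessControlList"))
    for g in [grant_user(owner_id, "FullControl"), *grants]:
        for token in g["permissions"]:            # S3 uses one <Grant> per permission
            grant = ET.SubElement(acl, s3("Grant"))
            grantee = ET.SubElement(grant, s3("Grantee"), {f"{{{XSI_NS}}}type": g["type"]})
            if g["type"] == "Group":
                ET.SubElement(grantee, s3("URI")).text = g["uri"]
            else:
                ET.SubElement(grantee, s3("ID")).text = g["id"]
            ET.SubElement(grant, s3("Permission")).text = token
    return ET.tostring(policy, encoding="unicode")


def _grants(acl_xml):
    """Yield (grantee_type, grantee_key, permission) for every grant in an ACL."""
    for grant in ET.fromstring(acl_xml).iter(s3("Grant")):
        grantee = grant.find(s3("Grantee"))
        gtype = grantee.get(f"{{{XSI_NS}}}type")
        key = grantee.findtext(s3("URI")) if gtype == "Group" else grantee.findtext(s3("ID"))
        yield gtype, key, grant.findtext(s3("Permission"))


def grants_for(acl_xml, user_id):
    """Permissions a specific vStorage User ID holds on the bucket."""
    return {perm for gtype, key, perm in _grants(acl_xml)
            if gtype == "CanonicalUser" and key == user_id}


def audit_public_grants(acl_xml):
    """Report every grant to a group grantee: reachable by anyone (Everyone) or by
    every account on the system (Authenticated users). Each finding is
    (user set, permission, severity); WRITE/WRITE_ACP/FULL_CONTROL to a group lets
    strangers upload data or rewrite the ACL itself, so they are rated high."""
    labels = {ALL_USERS: "Everyone", AUTHENTICATED_USERS: "Authenticated users"}
    findings = []
    for gtype, key, perm in _grants(acl_xml):
        if gtype == "Group":
            severity = "high" if perm in ("WRITE", "WRITE_ACP", "FULL_CONTROL") else "medium"
            findings.append((labels.get(key, key), perm, severity))
    return findings


OWNER_ID = "vngcloudowner-000000"      # constructed sample bucket-owner User ID
PARTNER_ID = "vngclouddemo-123456"     # the account granted access in Example 2

# Example 1: Public-Read, Everyone may list the bucket's objects.
PUBLIC_READ_ACL = build_acl_xml(OWNER_ID, [grant_group(ALL_USERS, "ListObjects")])
# Example 2: one other account may list and upload objects; nothing is public.
SHARED_ACL = build_acl_xml(OWNER_ID, [grant_user(PARTNER_ID, "ListObjects", "WriteObjects")])

if __name__ == "__main__":
    for name, acl in (("public-read", PUBLIC_READ_ACL), ("shared", SHARED_ACL)):
        print(name, "public grants:", audit_public_grants(acl) or "none")
    print("partner permissions:", grants_for(SHARED_ACL, PARTNER_ID))
```

Run the audit over the XML returned by GetBucketAcl (or over the document you are about to send with PutBucketAcl) as a pre-save gate: any finding means the bucket is reachable without being in Other accounts, and a high-severity finding means the ACL can be rewritten by whoever holds it.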
