How to Set File Permissions at the Time of Upload Through Amazon S3 API

As data scientists and software engineers, we often have to tackle the challenge of managing permissions on files that we upload to Amazon S3. In this article, we’ll guide you through the process of setting file permissions at the time of upload through the Amazon S3 API.

Understanding Amazon S3 Permissions

Before diving into the implementation, it’s essential to understand the permissions system in Amazon S3. Permissions are governed by Access Control Lists (ACLs). Each S3 object has an ACL associated with it, defining which AWS accounts or groups are granted access and the type of access they have.

Here are the primary types of permissions:

  • READ: Allows grantee to list the object in the bucket.
  • WRITE: Allows grantee to create, overwrite, and delete an object in the bucket.
  • READ_ACP: Allows grantee to read the bucket’s ACL.
  • WRITE_ACP: Allows grantee to write the ACL for the applicable bucket.
  • FULL_CONTROL: Allows grantee all the permissions above.

Setting File Permissions at Upload

Now, let’s walk through setting file permissions during the upload. We’ll be using the AWS SDK for Python (boto3), but the concept remains the same for other SDKs.

You need to import the boto3 module and initialize your S3 client first:

import boto3

s3 = boto3.client('s3')

When you upload a file, you can specify the ACL within the upload function:

with open('file.txt', 'rb') as data:
    s3.upload_fileobj(data, 'mybucket', 'file.txt', ExtraArgs={'ACL': 'public-read'})

In the ExtraArgs parameter, we specify the ACL value. In this case, we’ve used ‘public-read’, which allows anyone to read the file. Other possible values include ‘private’, ‘public-read-write’, ‘authenticated-read’, ‘aws-exec-read’, ‘bucket-owner-read’, and ‘bucket-owner-full-control’.

Customizing Permissions

For more granular control, you can use S3’s put_object_acl() method to set specific permissions for individual AWS accounts:

s3.put_object_acl(
    AccessControlPolicy={
        'Grants': [
            {
                'Grantee': {
                    'Type': 'CanonicalUser',
                    'DisplayName': 'username',
                    'ID': 'user-id'
                },
                'Permission': 'FULL_CONTROL'
            },
        ],
        'Owner': {
            'DisplayName': 'owner-username',
            'ID': 'owner-id'
        }
    },
    Bucket='mybucket',
    Key='file.txt'
)

In the ‘Grants’ list, you can specify multiple grantees with various permissions. Each grantee is defined by a dictionary with their type, display name, and ID. The ‘Permission’ key indicates the permission level.

The ‘Owner’ dictionary is vital as well. It specifies the AWS account that owns the bucket. Without it, you might encounter ‘Access Denied’ errors.
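The following is an added example, not code from the original article: a guard that builds ExtraArgs with ‘private’ as the default and refuses the broad canned ACLs unless explicitly confirmed, plus a check that flags grants to the AllUsers and AuthenticatedUsers groups in an ACL. The function names are hypothetical, and the sample ACL is constructed in the shape that get_object_acl() returns.

```python
# Added example: function names and sample data are assumptions, not from the article.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}

# Canned ACLs listed in the article that grant access to predefined groups.
BROAD_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def upload_extra_args(acl="private", allow_broad=False):
    """Build ExtraArgs for upload_fileobj, refusing broad canned ACLs by default."""
    if acl in BROAD_CANNED_ACLS and not allow_broad:
        raise ValueError(
            f"canned ACL {acl!r} exposes the object; pass allow_broad=True to confirm"
        )
    return {"ACL": acl}


def broad_grants(acl):
    """Return (group, permission) pairs for grants to AllUsers/AuthenticatedUsers.

    `acl` has the shape of a get_object_acl() response: {'Owner': ..., 'Grants': [...]}.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


# Constructed sample: the ACL of an object uploaded with ACL='public-read'.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "owner-username", "ID": "owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print(upload_extra_args())       # ExtraArgs with the private default
    print(broad_grants(SAMPLE_ACL))  # the AllUsers READ grant is flagged
```

With a real client, pass the result of upload_extra_args() as ExtraArgs to s3.upload_fileobj() and the response of s3.get_object_acl(Bucket=..., Key=...) to broad_grants().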

Conclusion

Setting permissions at the time of upload to Amazon S3 is a crucial aspect of managing access control. Understanding and correctly using the ACLs can provide robust and flexible control over your S3 objects. Remember, security is paramount. Only grant the permissions necessary for each user or group to perform their required tasks.

