Use the OSS SDK for Python V1 to set or get the access control list (ACL) of an object.
Background
OSS supports four ACL values for objects:
| Access permission | Description | ACL value |
|---|---|---|
| Inherit from bucket | The object inherits the ACL of the bucket. | oss2.OBJECT_ACL_DEFAULT |
| Private | Only the object owner and authorized users have read and write permissions. Other users cannot access the object. | oss2.OBJECT_ACL_PRIVATE |
| Public-read | The object owner and authorized users have read and write permissions. Other users have read-only access. | oss2.OBJECT_ACL_PUBLIC_READ |
| Public-read-write | All users have read and write permissions. | oss2.OBJECT_ACL_PUBLIC_READ_WRITE |
Public-read and Public-read-write expose your object to unauthenticated internet traffic. Use these ACL values only when public access is required.
Object ACL takes precedence over bucket ACL. For example, if the bucket ACL is private but an object ACL is set to public-read-write, all users can read and write that object. If an object has no ACL, it inherits the bucket ACL.
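The precedence rule above can be turned into an audit check. The following is an added example, not code from the OSS documentation or SDK: `effective_acl`, `audit_public_objects` and `FakeBucket` are hypothetical names, the string literals are the values of the corresponding `oss2.OBJECT_ACL_*` constants, and the sample bucket is constructed so the code runs offline.

```python
from types import SimpleNamespace

# Values of oss2.OBJECT_ACL_DEFAULT and the two public oss2.OBJECT_ACL_* constants.
DEFAULT = "default"
PUBLIC = {"public-read", "public-read-write"}


def effective_acl(object_acl, bucket_acl):
    """Object ACL takes precedence; 'default' inherits the bucket ACL."""
    return bucket_acl if object_acl == DEFAULT else object_acl


def audit_public_objects(bucket, keys):
    """Return (key, effective ACL, source) for each publicly reachable object.

    source is "object" when the object's own ACL grants public access and
    "bucket" when the access is inherited from the bucket ACL.
    """
    bucket_acl = bucket.get_bucket_acl().acl
    findings = []
    for key in keys:
        object_acl = bucket.get_object_acl(key).acl
        acl = effective_acl(object_acl, bucket_acl)
        if acl in PUBLIC:
            source = "bucket" if object_acl == DEFAULT else "object"
            findings.append((key, acl, source))
    return findings


class FakeBucket:
    """Constructed stand-in for oss2.Bucket so the example runs offline."""

    def __init__(self, bucket_acl, object_acls):
        self.bucket_acl, self.object_acls = bucket_acl, object_acls

    def get_bucket_acl(self):
        return SimpleNamespace(acl=self.bucket_acl)

    def get_object_acl(self, key):
        return SimpleNamespace(acl=self.object_acls[key])


# Constructed sample: a private bucket holding two objects with public ACLs.
SAMPLE_ACLS = {"reports/q1.pdf": "default", "img/logo.png": "public-read",
               "uploads/in.bin": "public-read-write", "keys/id.pem": "private"}
SAMPLE = FakeBucket("private", SAMPLE_ACLS)

if __name__ == "__main__":
    for key, acl, source in audit_public_objects(SAMPLE, SAMPLE_ACLS):
        print(f"{key}: {acl} (set on {source})")
```

Against a real bucket, pass an `oss2.Bucket` instance and `(obj.key for obj in oss2.ObjectIterator(bucket))` as `keys`; the caller then also needs permission to read the bucket ACL and list objects.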
Prerequisites
Before you begin, ensure that you have:
The oss:PutObjectAcl permission to set an object ACL
The oss:GetObjectAcl permission to get an object ACL
For more information, see Attach a custom policy to a RAM user.
Usage notes
The examples use the public endpoint for the China (Hangzhou) region. To access OSS from another Alibaba Cloud service in the same region, use the internal endpoint instead. For more information, see Regions and endpoints.
Access credentials in the examples are read from environment variables. For configuration details, see Configure access credentials using OSS SDK for Python 1.0.
The examples create an OSSClient instance using an OSS endpoint. To create an instance using custom domain names or Security Token Service (STS), see Initialization.
Initialize the client
Both examples below use the same client setup. Configure it once before running either sample.
```python
# -*- coding: utf-8 -*-
import oss2
from oss2.credentials import EnvironmentVariableCredentialsProvider

# Read access credentials from environment variables.
# Set OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET before running this code.
auth = oss2.ProviderAuthV4(EnvironmentVariableCredentialsProvider())

# Set the endpoint for the region where your bucket is located.
# Example: https://oss-cn-hangzhou.aliyuncs.com for China (Hangzhou).
endpoint = "https://oss-cn-hangzhou.aliyuncs.com"

# Set the region. Required for V4 signatures.
region = "cn-hangzhou"

# Set yourBucketName to the name of the bucket.
bucket = oss2.Bucket(auth, endpoint, "yourBucketName", region=region)
```
Set object ACL
Call put_object_acl with the target object name and the ACL value to apply.
```python
# Set yourObjectName to the full path of the object. The full path cannot contain the bucket name.
bucket.put_object_acl('yourObjectName', oss2.OBJECT_ACL_PUBLIC_READ)
```
Get object ACL
Call get_object_acl to retrieve the current ACL of an object.
```python
# Set yourObjectName to the full path of the object. The full path cannot contain the bucket name.
print(bucket.get_object_acl('yourObjectName').acl)
```
What's next
PutObjectACL — API reference for setting object ACL
GetObjectACL — API reference for getting object ACL
Generate a presigned URL — Grant time-limited access to a private object without changing its ACL