There are more AWS SDK examples available in the [AWS Doc SDK Examples](https://github.com/awsdocs/aws-doc-sdk-examples) GitHub repo.
# Manage access control lists (ACLs) for Amazon S3 buckets using an AWS SDK
The following code example shows how to manage access control lists (ACLs) for Amazon S3 buckets.
------
#### [ .NET ]
**SDK for .NET**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/S3/ManageACLsExample#code-examples).
```
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon.S3;
using Amazon.S3.Model;
///
/// This example shows how to manage Amazon Simple Storage Service
/// (Amazon S3) access control lists (ACLs) to control Amazon S3 bucket
/// access.
///
public class ManageACLs
{
public static async Task Main()
{
string bucketName = "amzn-s3-demo-bucket1";
string newBucketName = "amzn-s3-demo-bucket2";
string keyName = "sample-object.txt";
string emailAddress = "someone@example.com";
// If the AWS Region where your bucket is located is different from
// the Region defined for the default user, pass the Amazon S3 bucket's
// name to the client constructor. It should look like this:
// RegionEndpoint bucketRegion = RegionEndpoint.USEast1;
IAmazonS3 client = new AmazonS3Client();
await TestBucketObjectACLsAsync(client, bucketName, newBucketName, keyName, emailAddress);
}
///
/// Creates a new Amazon S3 bucket with a canned ACL, then retrieves the ACL
/// information and then adds a new ACL to one of the objects in the
/// Amazon S3 bucket.
///
/// The initialized Amazon S3 client object used to call
/// methods to create a bucket, get an ACL, and add a different ACL to
/// one of the objects.
/// A string representing the original Amazon S3
/// bucket name.
/// A string representing the name of the
/// new bucket that will be created.
/// A string representing the key name of an Amazon S3
/// object for which we will change the ACL.
/// A string representing the email address
/// belonging to the person to whom access to the Amazon S3 bucket will be
/// granted.
public static async Task TestBucketObjectACLsAsync(
IAmazonS3 client,
string bucketName,
string newBucketName,
string keyName,
string emailAddress)
{
try
{
// Create a new Amazon S3 bucket and specify canned ACL.
var success = await CreateBucketWithCannedACLAsync(client, newBucketName);
// Get the ACL on a bucket.
await GetBucketACLAsync(client, bucketName);
// Add (replace) the ACL on an object in a bucket.
await AddACLToExistingObjectAsync(client, bucketName, keyName, emailAddress);
}
catch (AmazonS3Exception amazonS3Exception)
{
Console.WriteLine($"Exception: {amazonS3Exception.Message}");
}
}
///
/// Creates a new Amazon S3 bucket with a canned ACL attached.
///
/// The initialized client object used to call
/// PutBucketAsync.
/// A string representing the name of the
/// new Amazon S3 bucket.
/// Returns a boolean value indicating success or failure.
public static async Task CreateBucketWithCannedACLAsync(IAmazonS3 client, string newBucketName)
{
var request = new PutBucketRequest()
{
BucketName = newBucketName,
BucketRegion = S3Region.EUWest1,
// Add a canned ACL.
CannedACL = S3CannedACL.LogDeliveryWrite,
};
var response = await client.PutBucketAsync(request);
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Retrieves the ACL associated with the Amazon S3 bucket name in the
/// bucketName parameter.
///
/// The initialized client object used to call
/// PutBucketAsync.
/// The Amazon S3 bucket for which we want to get the
/// ACL list.
/// Returns an S3AccessControlList returned from the call to
/// GetACLAsync.
public static async Task GetBucketACLAsync(IAmazonS3 client, string bucketName)
{
GetACLResponse response = await client.GetACLAsync(new GetACLRequest
{
BucketName = bucketName,
});
return response.AccessControlList;
}
///
/// Adds a new ACL to an existing object in the Amazon S3 bucket.
///
/// The initialized client object used to call
/// PutBucketAsync.
/// A string representing the name of the Amazon S3
/// bucket containing the object to which we want to apply a new ACL.
/// A string representing the name of the object
/// to which we want to apply the new ACL.
/// The email address of the person to whom
/// we will be applying to whom access will be granted.
public static async Task AddACLToExistingObjectAsync(IAmazonS3 client, string bucketName, string keyName, string emailAddress)
{
// Retrieve the ACL for an object.
GetACLResponse aclResponse = await client.GetACLAsync(new GetACLRequest
{
BucketName = bucketName,
Key = keyName,
});
S3AccessControlList acl = aclResponse.AccessControlList;
// Retrieve the owner.
Owner owner = acl.Owner;
// Clear existing grants.
acl.Grants.Clear();
// Add a grant to reset the owner's full permission
// (the previous clear statement removed all permissions).
var fullControlGrant = new S3Grant
{
Grantee = new S3Grantee { CanonicalUser = acl.Owner.Id },
};
acl.AddGrant(fullControlGrant.Grantee, S3Permission.FULL_CONTROL);
// Specify email to identify grantee for granting permissions.
var grantUsingEmail = new S3Grant
{
Grantee = new S3Grantee { EmailAddress = emailAddress },
Permission = S3Permission.WRITE_ACP,
};
// Specify log delivery group as grantee.
var grantLogDeliveryGroup = new S3Grant
{
Grantee = new S3Grantee { URI = "http://acs.amazonaws.com/groups/s3/LogDelivery" },
Permission = S3Permission.WRITE,
};
// Create a new ACL.
var newAcl = new S3AccessControlList
{
Grants = new List { grantUsingEmail, grantLogDeliveryGroup },
Owner = owner,
};
// Set the new ACL. We're throwing away the response here.
_ = await client.PutACLAsync(new PutACLRequest
{
BucketName = bucketName,
Key = keyName,
AccessControlList = newAcl,
});
}
}
```
+ For API details, see the following topics in *AWS SDK for .NET API Reference*.
+ [GetBucketAcl](https://docs.aws.amazon.com/goto/DotNetSDKV3/s3-2006-03-01/GetBucketAcl)
+ [GetObjectAcl](https://docs.aws.amazon.com/goto/DotNetSDKV3/s3-2006-03-01/GetObjectAcl)
+ [PutBucketAcl](https://docs.aws.amazon.com/goto/DotNetSDKV3/s3-2006-03-01/PutBucketAcl)
+ [PutObjectAcl](https://docs.aws.amazon.com/goto/DotNetSDKV3/s3-2006-03-01/PutObjectAcl)
------