翻訳は機械翻訳により提供されています。提供された翻訳内容と英語版の間で齟齬、不一致または矛盾がある場合、英語版が優先します。
# Amazon S3 アクセス許可の管理
Amazon S3 バケットまたはオブジェクトのアクセス許可は、アクセスコントロールリスト (ACL) で定義されます。ACL では、バケット/オブジェクトの所有者、およびアクセス許可付与設定の一覧を指定します。アクセス許可付与設定では、ユーザー (被付与者) と、バケット/オブジェクトに対してそのユーザーに付与するアクセス許可 (READ や WRITE など) を指定します。
## 前提条件
作業を始める前に「[AWS SDK for C\$1\$1の開始方法](getting-started.md)」を読むことをお勧めします。
コード例をダウンロードし、「[コード例の開始方法](getting-started-code-examples.md)」の説明に従ってソリューションをビルドします。
例を実行するには、コードがリクエストを行うために使用するユーザープロファイルに適切なアクセス許可が必要です AWS ( サービスと アクション用)。詳細については、[AWS 「認証情報の提供](credentials.md)」を参照してください。
## オブジェクトのアクセスコントロールリストを管理する
オブジェクトのアクセスコントロールリストは `S3Client` メソッド `GetObjectAcl` を呼び出すことで取得できます。メソッドは、オブジェクトとそのバケットの名前を受け入れます。戻り値には ACL の `Owner`、および`Grants` の一覧が含まれます。
```
bool AwsDoc::S3::getObjectAcl(const Aws::String &bucketName,
const Aws::String &objectKey,
const Aws::S3::S3ClientConfiguration &clientConfig) {
Aws::S3::S3Client s3Client(clientConfig);
Aws::S3::Model::GetObjectAclRequest request;
request.SetBucket(bucketName);
request.SetKey(objectKey);
Aws::S3::Model::GetObjectAclOutcome outcome =
s3Client.GetObjectAcl(request);
if (!outcome.IsSuccess()) {
const Aws::S3::S3Error &err = outcome.GetError();
std::cerr << "Error: getObjectAcl: "
<< err.GetExceptionName() << ": " << err.GetMessage() << std::endl;
} else {
Aws::Vector grants =
outcome.GetResult().GetGrants();
for (auto it = grants.begin(); it != grants.end(); it++) {
std::cout << "For object " << objectKey << ": "
<< std::endl << std::endl;
Aws::S3::Model::Grant grant = *it;
Aws::S3::Model::Grantee grantee = grant.GetGrantee();
if (grantee.TypeHasBeenSet()) {
std::cout << "Type: "
<< getGranteeTypeString(grantee.GetType()) << std::endl;
}
if (grantee.DisplayNameHasBeenSet()) {
std::cout << "Display name: "
<< grantee.GetDisplayName() << std::endl;
}
if (grantee.EmailAddressHasBeenSet()) {
std::cout << "Email address: "
<< grantee.GetEmailAddress() << std::endl;
}
if (grantee.IDHasBeenSet()) {
std::cout << "ID: "
<< grantee.GetID() << std::endl;
}
if (grantee.URIHasBeenSet()) {
std::cout << "URI: "
<< grantee.GetURI() << std::endl;
}
std::cout << "Permission: " <<
getPermissionString(grant.GetPermission()) <<
std::endl << std::endl;
}
}
return outcome.IsSuccess();
}
//! Routine which converts a built-in type enumeration to a human-readable string.
/*!
\param type: Type enumeration.
\return String: Human-readable string
*/
Aws::String getGranteeTypeString(const Aws::S3::Model::Type &type) {
switch (type) {
case Aws::S3::Model::Type::AmazonCustomerByEmail:
return "Email address of an AWS account";
case Aws::S3::Model::Type::CanonicalUser:
return "Canonical user ID of an AWS account";
case Aws::S3::Model::Type::Group:
return "Predefined Amazon S3 group";
case Aws::S3::Model::Type::NOT_SET:
return "Not set";
default:
return "Type unknown";
}
}
//! Routine which converts a built-in type enumeration to a human-readable string.
/*!
\param permission: Permission enumeration.
\return String: Human-readable string
*/
Aws::String getPermissionString(const Aws::S3::Model::Permission &permission) {
switch (permission) {
case Aws::S3::Model::Permission::FULL_CONTROL:
return "Can read this object's data and its metadata, "
"and read/write this object's permissions";
case Aws::S3::Model::Permission::NOT_SET:
return "Permission not set";
case Aws::S3::Model::Permission::READ:
return "Can read this object's data and its metadata";
case Aws::S3::Model::Permission::READ_ACP:
return "Can read this object's permissions";
// case Aws::S3::Model::Permission::WRITE // Not applicable.
case Aws::S3::Model::Permission::WRITE_ACP:
return "Can write this object's permissions";
default:
return "Permission unknown";
}
}
```
ACL は、新規に作成するか、既存の ACL のアクセス許可付与設定を編集することで変更できます。更新された ACL は、`PutObjectAcl` メソッドに渡すことで新しい現在の ACL になります。
次のコードでは、`GetObjectAcl` で取得した ACL に新しいアクセス許可付与設定を追加しています。ユーザー (被付与者) には、オブジェクトに対する READ アクセス許可が付与されます。変更された ACL は `PutObjectAcl` に渡され、新たな ACL として適用されます。
```
bool AwsDoc::S3::putObjectAcl(const Aws::String &bucketName, const Aws::String &objectKey, const Aws::String &ownerID,
const Aws::String &granteePermission, const Aws::String &granteeType,
const Aws::String &granteeID, const Aws::String &granteeEmailAddress,
const Aws::String &granteeURI, const Aws::S3::S3ClientConfiguration &clientConfig) {
Aws::S3::S3Client s3Client(clientConfig);
Aws::S3::Model::Owner owner;
owner.SetID(ownerID);
Aws::S3::Model::Grantee grantee;
grantee.SetType(setGranteeType(granteeType));
if (!granteeEmailAddress.empty()) {
grantee.SetEmailAddress(granteeEmailAddress);
}
if (!granteeID.empty()) {
grantee.SetID(granteeID);
}
if (!granteeURI.empty()) {
grantee.SetURI(granteeURI);
}
Aws::S3::Model::Grant grant;
grant.SetGrantee(grantee);
grant.SetPermission(setGranteePermission(granteePermission));
Aws::Vector grants;
grants.push_back(grant);
Aws::S3::Model::AccessControlPolicy acp;
acp.SetOwner(owner);
acp.SetGrants(grants);
Aws::S3::Model::PutObjectAclRequest request;
request.SetAccessControlPolicy(acp);
request.SetBucket(bucketName);
request.SetKey(objectKey);
Aws::S3::Model::PutObjectAclOutcome outcome =
s3Client.PutObjectAcl(request);
if (!outcome.IsSuccess()) {
auto error = outcome.GetError();
std::cerr << "Error: putObjectAcl: " << error.GetExceptionName()
<< " - " << error.GetMessage() << std::endl;
} else {
std::cout << "Successfully added an ACL to the object '" << objectKey
<< "' in the bucket '" << bucketName << "'." << std::endl;
}
return outcome.IsSuccess();
}
//! Routine which converts a human-readable string to a built-in type enumeration.
/*!
\param access: Human readable string.
\return Permission: Permission enumeration.
*/
Aws::S3::Model::Permission setGranteePermission(const Aws::String &access) {
if (access == "FULL_CONTROL")
return Aws::S3::Model::Permission::FULL_CONTROL;
if (access == "WRITE")
return Aws::S3::Model::Permission::WRITE;
if (access == "READ")
return Aws::S3::Model::Permission::READ;
if (access == "WRITE_ACP")
return Aws::S3::Model::Permission::WRITE_ACP;
if (access == "READ_ACP")
return Aws::S3::Model::Permission::READ_ACP;
return Aws::S3::Model::Permission::NOT_SET;
}
//! Routine which converts a human-readable string to a built-in type enumeration.
/*!
\param type: Human readable string.
\return Type: Type enumeration.
*/
Aws::S3::Model::Type setGranteeType(const Aws::String &type) {
if (type == "Amazon customer by email")
return Aws::S3::Model::Type::AmazonCustomerByEmail;
if (type == "Canonical user")
return Aws::S3::Model::Type::CanonicalUser;
if (type == "Group")
return Aws::S3::Model::Type::Group;
return Aws::S3::Model::Type::NOT_SET;
}
```
[GitHub](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/s3/get_put_object_acl.cpp) で完全な例をご覧ください。
## バケットのアクセスコントロールリストを管理する
多くの場合、バケットに対するアクセス許可を設定するには、バケットポリシーを定義することをお勧めします。ただし、希望すればバケットに対してアクセスコントロールリストを使用することも可能です。
バケットに対するアクセスコントロールリストの管理は、オブジェクトに使用されるものと同じです。`GetBucketAcl` メソッドでバケットの現在の ACL を取得し、`PutBucketAcl` メソッドで新しい ACL をバケットに適用します。
次のコードでは、バケットに対する ACL の取得および設定方法を示しています。
```
//! Routine which demonstrates setting the ACL for an S3 bucket.
/*!
\param bucketName: Name of a bucket.
\param ownerID: The canonical ID of the bucket owner.
See https://docs.aws.amazon.com/AmazonS3/latest/userguide/finding-canonical-user-id.html for more information.
\param granteePermission: The access level to enable for the grantee.
\param granteeType: The type of grantee.
\param granteeID: The canonical ID of the grantee.
\param granteeEmailAddress: The email address associated with the grantee's AWS account.
\param granteeURI: The URI of a built-in access group.
\param clientConfig: Aws client configuration.
\return bool: Function succeeded.
*/
bool AwsDoc::S3::getPutBucketAcl(const Aws::String &bucketName,
const Aws::String &ownerID,
const Aws::String &granteePermission,
const Aws::String &granteeType,
const Aws::String &granteeID,
const Aws::String &granteeEmailAddress,
const Aws::String &granteeURI,
const Aws::S3::S3ClientConfiguration &clientConfig) {
bool result = ::putBucketAcl(bucketName, ownerID, granteePermission, granteeType,
granteeID,
granteeEmailAddress,
granteeURI,
clientConfig);
if (result) {
result = ::getBucketAcl(bucketName, clientConfig);
}
return result;
}
//! Routine which demonstrates setting the ACL for an S3 bucket.
/*!
\param bucketName: Name of from bucket.
\param ownerID: The canonical ID of the bucket owner.
See https://docs.aws.amazon.com/AmazonS3/latest/userguide/finding-canonical-user-id.html for more information.
\param granteePermission: The access level to enable for the grantee.
\param granteeType: The type of grantee.
\param granteeID: The canonical ID of the grantee.
\param granteeEmailAddress: The email address associated with the grantee's AWS account.
\param granteeURI: The URI of a built-in access group.
\param clientConfig: Aws client configuration.
\return bool: Function succeeded.
*/
bool putBucketAcl(const Aws::String &bucketName,
const Aws::String &ownerID,
const Aws::String &granteePermission,
const Aws::String &granteeType,
const Aws::String &granteeID,
const Aws::String &granteeEmailAddress,
const Aws::String &granteeURI,
const Aws::S3::S3ClientConfiguration &clientConfig) {
Aws::S3::S3Client s3Client(clientConfig);
Aws::S3::Model::Owner owner;
owner.SetID(ownerID);
Aws::S3::Model::Grantee grantee;
grantee.SetType(setGranteeType(granteeType));
if (!granteeEmailAddress.empty()) {
grantee.SetEmailAddress(granteeEmailAddress);
}
if (!granteeID.empty()) {
grantee.SetID(granteeID);
}
if (!granteeURI.empty()) {
grantee.SetURI(granteeURI);
}
Aws::S3::Model::Grant grant;
grant.SetGrantee(grantee);
grant.SetPermission(setGranteePermission(granteePermission));
Aws::Vector grants;
grants.push_back(grant);
Aws::S3::Model::AccessControlPolicy acp;
acp.SetOwner(owner);
acp.SetGrants(grants);
Aws::S3::Model::PutBucketAclRequest request;
request.SetAccessControlPolicy(acp);
request.SetBucket(bucketName);
Aws::S3::Model::PutBucketAclOutcome outcome =
s3Client.PutBucketAcl(request);
if (!outcome.IsSuccess()) {
const Aws::S3::S3Error &error = outcome.GetError();
std::cerr << "Error: putBucketAcl: " << error.GetExceptionName()
<< " - " << error.GetMessage() << std::endl;
} else {
std::cout << "Successfully added an ACL to the bucket '" << bucketName
<< "'." << std::endl;
}
return outcome.IsSuccess();
}
//! Routine which demonstrates getting the ACL for an S3 bucket.
/*!
\param bucketName: Name of the s3 bucket.
\param clientConfig: Aws client configuration.
\return bool: Function succeeded.
*/
bool getBucketAcl(const Aws::String &bucketName,
const Aws::S3::S3ClientConfiguration &clientConfig) {
Aws::S3::S3Client s3Client(clientConfig);
Aws::S3::Model::GetBucketAclRequest request;
request.SetBucket(bucketName);
Aws::S3::Model::GetBucketAclOutcome outcome =
s3Client.GetBucketAcl(request);
if (!outcome.IsSuccess()) {
const Aws::S3::S3Error &err = outcome.GetError();
std::cerr << "Error: getBucketAcl: "
<< err.GetExceptionName() << ": " << err.GetMessage() << std::endl;
} else {
const Aws::Vector &grants =
outcome.GetResult().GetGrants();
for (const Aws::S3::Model::Grant &grant: grants) {
const Aws::S3::Model::Grantee &grantee = grant.GetGrantee();
std::cout << "For bucket " << bucketName << ": "
<< std::endl << std::endl;
if (grantee.TypeHasBeenSet()) {
std::cout << "Type: "
<< getGranteeTypeString(grantee.GetType()) << std::endl;
}
if (grantee.DisplayNameHasBeenSet()) {
std::cout << "Display name: "
<< grantee.GetDisplayName() << std::endl;
}
if (grantee.EmailAddressHasBeenSet()) {
std::cout << "Email address: "
<< grantee.GetEmailAddress() << std::endl;
}
if (grantee.IDHasBeenSet()) {
std::cout << "ID: "
<< grantee.GetID() << std::endl;
}
if (grantee.URIHasBeenSet()) {
std::cout << "URI: "
<< grantee.GetURI() << std::endl;
}
std::cout << "Permission: " <<
getPermissionString(grant.GetPermission()) <<
std::endl << std::endl;
}
}
return outcome.IsSuccess();
}
//! Routine which converts a built-in type enumeration to a human-readable string.
/*!
\param permission: Permission enumeration.
\return String: Human-readable string.
*/
Aws::String getPermissionString(const Aws::S3::Model::Permission &permission) {
switch (permission) {
case Aws::S3::Model::Permission::FULL_CONTROL:
return "Can list objects in this bucket, create/overwrite/delete "
"objects in this bucket, and read/write this "
"bucket's permissions";
case Aws::S3::Model::Permission::NOT_SET:
return "Permission not set";
case Aws::S3::Model::Permission::READ:
return "Can list objects in this bucket";
case Aws::S3::Model::Permission::READ_ACP:
return "Can read this bucket's permissions";
case Aws::S3::Model::Permission::WRITE:
return "Can create, overwrite, and delete objects in this bucket";
case Aws::S3::Model::Permission::WRITE_ACP:
return "Can write this bucket's permissions";
default:
return "Permission unknown";
}
}
//! Routine which converts a human-readable string to a built-in type enumeration
/*!
\param access: Human readable string.
\return Permission: Permission enumeration.
*/
Aws::S3::Model::Permission setGranteePermission(const Aws::String &access) {
if (access == "FULL_CONTROL")
return Aws::S3::Model::Permission::FULL_CONTROL;
if (access == "WRITE")
return Aws::S3::Model::Permission::WRITE;
if (access == "READ")
return Aws::S3::Model::Permission::READ;
if (access == "WRITE_ACP")
return Aws::S3::Model::Permission::WRITE_ACP;
if (access == "READ_ACP")
return Aws::S3::Model::Permission::READ_ACP;
return Aws::S3::Model::Permission::NOT_SET;
}
//! Routine which converts a built-in type enumeration to a human-readable string.
/*!
\param type: Type enumeration.
\return bool: Human-readable string.
*/
Aws::String getGranteeTypeString(const Aws::S3::Model::Type &type) {
switch (type) {
case Aws::S3::Model::Type::AmazonCustomerByEmail:
return "Email address of an AWS account";
case Aws::S3::Model::Type::CanonicalUser:
return "Canonical user ID of an AWS account";
case Aws::S3::Model::Type::Group:
return "Predefined Amazon S3 group";
case Aws::S3::Model::Type::NOT_SET:
return "Not set";
default:
return "Type unknown";
}
}
Aws::S3::Model::Type setGranteeType(const Aws::String &type) {
if (type == "Amazon customer by email")
return Aws::S3::Model::Type::AmazonCustomerByEmail;
if (type == "Canonical user")
return Aws::S3::Model::Type::CanonicalUser;
if (type == "Group")
return Aws::S3::Model::Type::Group;
return Aws::S3::Model::Type::NOT_SET;
}
```
[GitHub](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/s3/get_put_bucket_acl.cpp) で完全な例をご覧ください。