기계 번역으로 제공되는 번역입니다. 제공된 번역과 원본 영어의 내용이 상충하는 경우에는 영어 버전이 우선합니다. # Amazon S3 액세스 권한 관리 Amazon S3 버킷 또는 객체에 대한 액세스 권한은 액세스 제어 목록(ACL)에 정의되어 있습니다. ACL은 버킷/객체의 소유자와 권한 부여 목록을 지정합니다. 각 권한 부여에는 사용자(또는 수혜자)와 버킷/객체에 대한 사용자의 액세스 권한(예: READ 또는 WRITE 권한)이 지정됩니다. ## 사전 조건 시작하기 전에 [AWS SDK for C\$1\$1사용 시작하기](getting-started.md)를 읽어보시기 바랍니다. 예제 코드를 다운로드하고 [코드 예제 시작하기](getting-started-code-examples.md)에 설명된 대로 솔루션을 빌드합니다. 예제를 실행하려면 코드에서 요청을 만드는 데 사용하는 사용자 프로필에 AWS (서비스 및 작업에 대한) 적절한 권한이 있어야 합니다. 자세한 내용은 자격 [AWS 증명 제공을](credentials.md) 참조하세요. ## 객체의 액세스 제어 목록 관리 `S3Client` 메서드 `GetObjectAcl`를 직접적으로 호출하여 객체에 대한 액세스 제어 목록을 검색할 수 있습니다. 이 메서드는 객체와 버킷의 이름을 허용합니다. 반환 값에는 ACL의 `Owner` 및 `Grants` 목록이 포함됩니다. ``` bool AwsDoc::S3::getObjectAcl(const Aws::String &bucketName, const Aws::String &objectKey, const Aws::S3::S3ClientConfiguration &clientConfig) { Aws::S3::S3Client s3Client(clientConfig); Aws::S3::Model::GetObjectAclRequest request; request.SetBucket(bucketName); request.SetKey(objectKey); Aws::S3::Model::GetObjectAclOutcome outcome = s3Client.GetObjectAcl(request); if (!outcome.IsSuccess()) { const Aws::S3::S3Error &err = outcome.GetError(); std::cerr << "Error: getObjectAcl: " << err.GetExceptionName() << ": " << err.GetMessage() << std::endl; } else { Aws::Vector grants = outcome.GetResult().GetGrants(); for (auto it = grants.begin(); it != grants.end(); it++) { std::cout << "For object " << objectKey << ": " << std::endl << std::endl; Aws::S3::Model::Grant grant = *it; Aws::S3::Model::Grantee grantee = grant.GetGrantee(); if (grantee.TypeHasBeenSet()) { std::cout << "Type: " << getGranteeTypeString(grantee.GetType()) << std::endl; } if (grantee.DisplayNameHasBeenSet()) { std::cout << "Display name: " << grantee.GetDisplayName() << std::endl; } if (grantee.EmailAddressHasBeenSet()) { std::cout << "Email address: " << grantee.GetEmailAddress() << std::endl; } if (grantee.IDHasBeenSet()) { std::cout << "ID: " << grantee.GetID() << std::endl; } if (grantee.URIHasBeenSet()) { std::cout << "URI: " << grantee.GetURI() << std::endl; } std::cout << "Permission: " << getPermissionString(grant.GetPermission()) << std::endl << std::endl; } } return outcome.IsSuccess(); } //! Routine which converts a built-in type enumeration to a human-readable string. /*! \param type: Type enumeration. \return String: Human-readable string */ Aws::String getGranteeTypeString(const Aws::S3::Model::Type &type) { switch (type) { case Aws::S3::Model::Type::AmazonCustomerByEmail: return "Email address of an AWS account"; case Aws::S3::Model::Type::CanonicalUser: return "Canonical user ID of an AWS account"; case Aws::S3::Model::Type::Group: return "Predefined Amazon S3 group"; case Aws::S3::Model::Type::NOT_SET: return "Not set"; default: return "Type unknown"; } } //! Routine which converts a built-in type enumeration to a human-readable string. /*! \param permission: Permission enumeration. \return String: Human-readable string */ Aws::String getPermissionString(const Aws::S3::Model::Permission &permission) { switch (permission) { case Aws::S3::Model::Permission::FULL_CONTROL: return "Can read this object's data and its metadata, " "and read/write this object's permissions"; case Aws::S3::Model::Permission::NOT_SET: return "Permission not set"; case Aws::S3::Model::Permission::READ: return "Can read this object's data and its metadata"; case Aws::S3::Model::Permission::READ_ACP: return "Can read this object's permissions"; // case Aws::S3::Model::Permission::WRITE // Not applicable. case Aws::S3::Model::Permission::WRITE_ACP: return "Can write this object's permissions"; default: return "Permission unknown"; } } ``` ACL은 새 ACL을 생성하거나 현재 ACL에 지정된 권한 부여를 변경하여 수정할 수 있습니다. 업데이트된 ACL은 `PutObjectAcl` 메서드에 전달하여 새로운 현재 ACL이 됩니다. 다음 코드는 `GetObjectAcl`로 검색된 ACL을 사용하고 여기에 새 권한 부여를 추가합니다. 사용자 또는 피부여자에게 객체에 대한 READ 권한이 부여됩니다. 수정된 ACL은 `PutObjectAcl`로 전달되어 새로운 현재 ACL이 됩니다. ``` bool AwsDoc::S3::putObjectAcl(const Aws::String &bucketName, const Aws::String &objectKey, const Aws::String &ownerID, const Aws::String &granteePermission, const Aws::String &granteeType, const Aws::String &granteeID, const Aws::String &granteeEmailAddress, const Aws::String &granteeURI, const Aws::S3::S3ClientConfiguration &clientConfig) { Aws::S3::S3Client s3Client(clientConfig); Aws::S3::Model::Owner owner; owner.SetID(ownerID); Aws::S3::Model::Grantee grantee; grantee.SetType(setGranteeType(granteeType)); if (!granteeEmailAddress.empty()) { grantee.SetEmailAddress(granteeEmailAddress); } if (!granteeID.empty()) { grantee.SetID(granteeID); } if (!granteeURI.empty()) { grantee.SetURI(granteeURI); } Aws::S3::Model::Grant grant; grant.SetGrantee(grantee); grant.SetPermission(setGranteePermission(granteePermission)); Aws::Vector grants; grants.push_back(grant); Aws::S3::Model::AccessControlPolicy acp; acp.SetOwner(owner); acp.SetGrants(grants); Aws::S3::Model::PutObjectAclRequest request; request.SetAccessControlPolicy(acp); request.SetBucket(bucketName); request.SetKey(objectKey); Aws::S3::Model::PutObjectAclOutcome outcome = s3Client.PutObjectAcl(request); if (!outcome.IsSuccess()) { auto error = outcome.GetError(); std::cerr << "Error: putObjectAcl: " << error.GetExceptionName() << " - " << error.GetMessage() << std::endl; } else { std::cout << "Successfully added an ACL to the object '" << objectKey << "' in the bucket '" << bucketName << "'." << std::endl; } return outcome.IsSuccess(); } //! Routine which converts a human-readable string to a built-in type enumeration. /*! \param access: Human readable string. \return Permission: Permission enumeration. */ Aws::S3::Model::Permission setGranteePermission(const Aws::String &access) { if (access == "FULL_CONTROL") return Aws::S3::Model::Permission::FULL_CONTROL; if (access == "WRITE") return Aws::S3::Model::Permission::WRITE; if (access == "READ") return Aws::S3::Model::Permission::READ; if (access == "WRITE_ACP") return Aws::S3::Model::Permission::WRITE_ACP; if (access == "READ_ACP") return Aws::S3::Model::Permission::READ_ACP; return Aws::S3::Model::Permission::NOT_SET; } //! Routine which converts a human-readable string to a built-in type enumeration. /*! \param type: Human readable string. \return Type: Type enumeration. */ Aws::S3::Model::Type setGranteeType(const Aws::String &type) { if (type == "Amazon customer by email") return Aws::S3::Model::Type::AmazonCustomerByEmail; if (type == "Canonical user") return Aws::S3::Model::Type::CanonicalUser; if (type == "Group") return Aws::S3::Model::Type::Group; return Aws::S3::Model::Type::NOT_SET; } ``` [전체 예제](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/s3/get_put_object_acl.cpp)는 Github에서 확인하세요. ## 버킷의 액세스 제어 목록 관리 대부분의 경우 버킷의 액세스 권한을 설정할 때 선호하는 방법은 버킷 정책을 정의하는 것입니다. 그러나 버킷은 액세스 제어 목록을 사용하고자 하는 사용자를 위해 이를 지원하기도 합니다. 버킷에 대한 액세스 제어 목록 관리는 객체에 사용되는 것과 동일합니다. `GetBucketAcl` 메서드는 버킷의 현재 ACL을 검색하고 `PutBucketAcl` 메서드는 버킷에 새 ACL을 적용합니다. 다음 코드는 버킷 ACL을 가져오고 설정하는 방법을 보여줍니다. ``` //! Routine which demonstrates setting the ACL for an S3 bucket. /*! \param bucketName: Name of a bucket. \param ownerID: The canonical ID of the bucket owner. See https://docs.aws.amazon.com/AmazonS3/latest/userguide/finding-canonical-user-id.html for more information. \param granteePermission: The access level to enable for the grantee. \param granteeType: The type of grantee. \param granteeID: The canonical ID of the grantee. \param granteeEmailAddress: The email address associated with the grantee's AWS account. \param granteeURI: The URI of a built-in access group. \param clientConfig: Aws client configuration. \return bool: Function succeeded. */ bool AwsDoc::S3::getPutBucketAcl(const Aws::String &bucketName, const Aws::String &ownerID, const Aws::String &granteePermission, const Aws::String &granteeType, const Aws::String &granteeID, const Aws::String &granteeEmailAddress, const Aws::String &granteeURI, const Aws::S3::S3ClientConfiguration &clientConfig) { bool result = ::putBucketAcl(bucketName, ownerID, granteePermission, granteeType, granteeID, granteeEmailAddress, granteeURI, clientConfig); if (result) { result = ::getBucketAcl(bucketName, clientConfig); } return result; } //! Routine which demonstrates setting the ACL for an S3 bucket. /*! \param bucketName: Name of from bucket. \param ownerID: The canonical ID of the bucket owner. See https://docs.aws.amazon.com/AmazonS3/latest/userguide/finding-canonical-user-id.html for more information. \param granteePermission: The access level to enable for the grantee. \param granteeType: The type of grantee. \param granteeID: The canonical ID of the grantee. \param granteeEmailAddress: The email address associated with the grantee's AWS account. \param granteeURI: The URI of a built-in access group. \param clientConfig: Aws client configuration. \return bool: Function succeeded. */ bool putBucketAcl(const Aws::String &bucketName, const Aws::String &ownerID, const Aws::String &granteePermission, const Aws::String &granteeType, const Aws::String &granteeID, const Aws::String &granteeEmailAddress, const Aws::String &granteeURI, const Aws::S3::S3ClientConfiguration &clientConfig) { Aws::S3::S3Client s3Client(clientConfig); Aws::S3::Model::Owner owner; owner.SetID(ownerID); Aws::S3::Model::Grantee grantee; grantee.SetType(setGranteeType(granteeType)); if (!granteeEmailAddress.empty()) { grantee.SetEmailAddress(granteeEmailAddress); } if (!granteeID.empty()) { grantee.SetID(granteeID); } if (!granteeURI.empty()) { grantee.SetURI(granteeURI); } Aws::S3::Model::Grant grant; grant.SetGrantee(grantee); grant.SetPermission(setGranteePermission(granteePermission)); Aws::Vector grants; grants.push_back(grant); Aws::S3::Model::AccessControlPolicy acp; acp.SetOwner(owner); acp.SetGrants(grants); Aws::S3::Model::PutBucketAclRequest request; request.SetAccessControlPolicy(acp); request.SetBucket(bucketName); Aws::S3::Model::PutBucketAclOutcome outcome = s3Client.PutBucketAcl(request); if (!outcome.IsSuccess()) { const Aws::S3::S3Error &error = outcome.GetError(); std::cerr << "Error: putBucketAcl: " << error.GetExceptionName() << " - " << error.GetMessage() << std::endl; } else { std::cout << "Successfully added an ACL to the bucket '" << bucketName << "'." << std::endl; } return outcome.IsSuccess(); } //! Routine which demonstrates getting the ACL for an S3 bucket. /*! \param bucketName: Name of the s3 bucket. \param clientConfig: Aws client configuration. \return bool: Function succeeded. */ bool getBucketAcl(const Aws::String &bucketName, const Aws::S3::S3ClientConfiguration &clientConfig) { Aws::S3::S3Client s3Client(clientConfig); Aws::S3::Model::GetBucketAclRequest request; request.SetBucket(bucketName); Aws::S3::Model::GetBucketAclOutcome outcome = s3Client.GetBucketAcl(request); if (!outcome.IsSuccess()) { const Aws::S3::S3Error &err = outcome.GetError(); std::cerr << "Error: getBucketAcl: " << err.GetExceptionName() << ": " << err.GetMessage() << std::endl; } else { const Aws::Vector &grants = outcome.GetResult().GetGrants(); for (const Aws::S3::Model::Grant &grant: grants) { const Aws::S3::Model::Grantee &grantee = grant.GetGrantee(); std::cout << "For bucket " << bucketName << ": " << std::endl << std::endl; if (grantee.TypeHasBeenSet()) { std::cout << "Type: " << getGranteeTypeString(grantee.GetType()) << std::endl; } if (grantee.DisplayNameHasBeenSet()) { std::cout << "Display name: " << grantee.GetDisplayName() << std::endl; } if (grantee.EmailAddressHasBeenSet()) { std::cout << "Email address: " << grantee.GetEmailAddress() << std::endl; } if (grantee.IDHasBeenSet()) { std::cout << "ID: " << grantee.GetID() << std::endl; } if (grantee.URIHasBeenSet()) { std::cout << "URI: " << grantee.GetURI() << std::endl; } std::cout << "Permission: " << getPermissionString(grant.GetPermission()) << std::endl << std::endl; } } return outcome.IsSuccess(); } //! Routine which converts a built-in type enumeration to a human-readable string. /*! \param permission: Permission enumeration. \return String: Human-readable string. */ Aws::String getPermissionString(const Aws::S3::Model::Permission &permission) { switch (permission) { case Aws::S3::Model::Permission::FULL_CONTROL: return "Can list objects in this bucket, create/overwrite/delete " "objects in this bucket, and read/write this " "bucket's permissions"; case Aws::S3::Model::Permission::NOT_SET: return "Permission not set"; case Aws::S3::Model::Permission::READ: return "Can list objects in this bucket"; case Aws::S3::Model::Permission::READ_ACP: return "Can read this bucket's permissions"; case Aws::S3::Model::Permission::WRITE: return "Can create, overwrite, and delete objects in this bucket"; case Aws::S3::Model::Permission::WRITE_ACP: return "Can write this bucket's permissions"; default: return "Permission unknown"; } } //! Routine which converts a human-readable string to a built-in type enumeration /*! \param access: Human readable string. \return Permission: Permission enumeration. */ Aws::S3::Model::Permission setGranteePermission(const Aws::String &access) { if (access == "FULL_CONTROL") return Aws::S3::Model::Permission::FULL_CONTROL; if (access == "WRITE") return Aws::S3::Model::Permission::WRITE; if (access == "READ") return Aws::S3::Model::Permission::READ; if (access == "WRITE_ACP") return Aws::S3::Model::Permission::WRITE_ACP; if (access == "READ_ACP") return Aws::S3::Model::Permission::READ_ACP; return Aws::S3::Model::Permission::NOT_SET; } //! Routine which converts a built-in type enumeration to a human-readable string. /*! \param type: Type enumeration. \return bool: Human-readable string. */ Aws::String getGranteeTypeString(const Aws::S3::Model::Type &type) { switch (type) { case Aws::S3::Model::Type::AmazonCustomerByEmail: return "Email address of an AWS account"; case Aws::S3::Model::Type::CanonicalUser: return "Canonical user ID of an AWS account"; case Aws::S3::Model::Type::Group: return "Predefined Amazon S3 group"; case Aws::S3::Model::Type::NOT_SET: return "Not set"; default: return "Type unknown"; } } Aws::S3::Model::Type setGranteeType(const Aws::String &type) { if (type == "Amazon customer by email") return Aws::S3::Model::Type::AmazonCustomerByEmail; if (type == "Canonical user") return Aws::S3::Model::Type::CanonicalUser; if (type == "Group") return Aws::S3::Model::Type::Group; return Aws::S3::Model::Type::NOT_SET; } ``` [전체 예제](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/s3/get_put_bucket_acl.cpp)는 Github에서 확인하세요.