使用 aACLs 管理 Amazon S3 儲存貯體的存取控制清單 ( AWS SDK) - AWS SDK 程式碼範例

文件 AWS SDK AWS 範例 SDK 儲存庫中有更多可用的 GitHub 範例。

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

使用 aACLs 管理 Amazon S3 儲存貯體的存取控制清單 ( AWS SDK)

下列程式碼範例示範如何管理 Amazon S3 儲存貯體的存取控制清單 (ACLs)。

.NET
AWS SDK for .NET
注意

還有更多 on GitHub。尋找完整範例,並了解如何在 AWS 程式碼範例儲存庫中設定和執行。

using System; using System.Collections.Generic; using System.Threading.Tasks; using Amazon.S3; using Amazon.S3.Model; /// <summary> /// This example shows how to manage Amazon Simple Storage Service /// (Amazon S3) access control lists (ACLs) to control Amazon S3 bucket /// access. /// </summary> public class ManageACLs { public static async Task Main() { string bucketName = "amzn-s3-demo-bucket1"; string newBucketName = "amzn-s3-demo-bucket2"; string keyName = "sample-object.txt"; string emailAddress = "someone@example.com"; // If the AWS Region where your bucket is located is different from // the Region defined for the default user, pass the Amazon S3 bucket's // name to the client constructor. It should look like this: // RegionEndpoint bucketRegion = RegionEndpoint.USEast1; IAmazonS3 client = new AmazonS3Client(); await TestBucketObjectACLsAsync(client, bucketName, newBucketName, keyName, emailAddress); } /// <summary> /// Creates a new Amazon S3 bucket with a canned ACL, then retrieves the ACL /// information and then adds a new ACL to one of the objects in the /// Amazon S3 bucket. /// </summary> /// <param name="client">The initialized Amazon S3 client object used to call /// methods to create a bucket, get an ACL, and add a different ACL to /// one of the objects.</param> /// <param name="bucketName">A string representing the original Amazon S3 /// bucket name.</param> /// <param name="newBucketName">A string representing the name of the /// new bucket that will be created.</param> /// <param name="keyName">A string representing the key name of an Amazon S3 /// object for which we will change the ACL.</param> /// <param name="emailAddress">A string representing the email address /// belonging to the person to whom access to the Amazon S3 bucket will be /// granted.</param> public static async Task TestBucketObjectACLsAsync( IAmazonS3 client, string bucketName, string newBucketName, string keyName, string emailAddress) { try { // Create a new Amazon S3 bucket and specify canned ACL. var success = await CreateBucketWithCannedACLAsync(client, newBucketName); // Get the ACL on a bucket. await GetBucketACLAsync(client, bucketName); // Add (replace) the ACL on an object in a bucket. await AddACLToExistingObjectAsync(client, bucketName, keyName, emailAddress); } catch (AmazonS3Exception amazonS3Exception) { Console.WriteLine($"Exception: {amazonS3Exception.Message}"); } } /// <summary> /// Creates a new Amazon S3 bucket with a canned ACL attached. /// </summary> /// <param name="client">The initialized client object used to call /// PutBucketAsync.</param> /// <param name="newBucketName">A string representing the name of the /// new Amazon S3 bucket.</param> /// <returns>Returns a boolean value indicating success or failure.</returns> public static async Task<bool> CreateBucketWithCannedACLAsync(IAmazonS3 client, string newBucketName) { var request = new PutBucketRequest() { BucketName = newBucketName, BucketRegion = S3Region.EUWest1, // Add a canned ACL. CannedACL = S3CannedACL.LogDeliveryWrite, }; var response = await client.PutBucketAsync(request); return response.HttpStatusCode == System.Net.HttpStatusCode.OK; } /// <summary> /// Retrieves the ACL associated with the Amazon S3 bucket name in the /// bucketName parameter. /// </summary> /// <param name="client">The initialized client object used to call /// PutBucketAsync.</param> /// <param name="bucketName">The Amazon S3 bucket for which we want to get the /// ACL list.</param> /// <returns>Returns an S3AccessControlList returned from the call to /// GetACLAsync.</returns> public static async Task<S3AccessControlList> GetBucketACLAsync(IAmazonS3 client, string bucketName) { GetACLResponse response = await client.GetACLAsync(new GetACLRequest { BucketName = bucketName, }); return response.AccessControlList; } /// <summary> /// Adds a new ACL to an existing object in the Amazon S3 bucket. /// </summary> /// <param name="client">The initialized client object used to call /// PutBucketAsync.</param> /// <param name="bucketName">A string representing the name of the Amazon S3 /// bucket containing the object to which we want to apply a new ACL.</param> /// <param name="keyName">A string representing the name of the object /// to which we want to apply the new ACL.</param> /// <param name="emailAddress">The email address of the person to whom /// we will be applying to whom access will be granted.</param> public static async Task AddACLToExistingObjectAsync(IAmazonS3 client, string bucketName, string keyName, string emailAddress) { // Retrieve the ACL for an object. GetACLResponse aclResponse = await client.GetACLAsync(new GetACLRequest { BucketName = bucketName, Key = keyName, }); S3AccessControlList acl = aclResponse.AccessControlList; // Retrieve the owner. Owner owner = acl.Owner; // Clear existing grants. acl.Grants.Clear(); // Add a grant to reset the owner's full permission // (the previous clear statement removed all permissions). var fullControlGrant = new S3Grant { Grantee = new S3Grantee { CanonicalUser = acl.Owner.Id }, }; acl.AddGrant(fullControlGrant.Grantee, S3Permission.FULL_CONTROL); // Specify email to identify grantee for granting permissions. var grantUsingEmail = new S3Grant { Grantee = new S3Grantee { EmailAddress = emailAddress }, Permission = S3Permission.WRITE_ACP, }; // Specify log delivery group as grantee. var grantLogDeliveryGroup = new S3Grant { Grantee = new S3Grantee { URI = "http://acs.amazonaws.com/groups/s3/LogDelivery" }, Permission = S3Permission.WRITE, }; // Create a new ACL. var newAcl = new S3AccessControlList { Grants = new List<S3Grant> { grantUsingEmail, grantLogDeliveryGroup }, Owner = owner, }; // Set the new ACL. We're throwing away the response here. _ = await client.PutACLAsync(new PutACLRequest { BucketName = bucketName, Key = keyName, AccessControlList = newAcl, }); } }