Use boto3 to create buckets with ACLs enabled

0

Hello. I’m creating a bucket using boto3 with:

s3X = boto3.resource('s3')
s3X.create_bucket(Bucket='my_bucket_name')

This creates the bucket but it blocks all public access (and sets ACLs as disabled). I tried modifying the last line as:

s3X.create_bucket(Bucket='my_bucket_name', ACL='public-read-write')

However, this generates the error message:

botocore.exceptions.ClientError: An error occurred (InvalidBucketAclWithObjectOwnership) when calling the CreateBucket operation: Bucket cannot have ACLs set with ObjectOwnership's BucketOwnerEnforced setting

The instance has the AWS credentials and I was expecting to be able to set up the bucket properties via boto3.

2 Answers
1
Accepted Answer

Sorry, I just checked the documentation and it looks like the default setting is to deny public access.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

By default, new buckets, access points, and objects don't allow public access.

In other words, after the bucket is created, the public access settings need to be disabled and the ACLs set, so the code should look like the following.

s3X.create_bucket(Bucket='my_bucket_name', ObjectOwnership='ObjectWriter')
s3X.put_public_access_block(Bucket='my_bucket_name', PublicAccessBlockConfiguration={'BlockPublicAcls': False, 'IgnorePublicAcls': False, 'BlockPublicPolicy': False, 'RestrictPublicBuckets': False})
s3X.put_bucket_acl(ACL='public-read-write', Bucket='my_bucket_name')
EXPERT
answered a year ago
  • Your code is trying to create an S3 bucket with "resource". As per the following documentation, "client" is used to create S3 buckets. https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#client

    So the full code is as follows.

    import boto3
    
    s3X = boto3.client('s3')
    s3X.create_bucket(Bucket='my_bucket_name', ObjectOwnership='ObjectWriter')
    s3X.put_public_access_block(Bucket='my_bucket_name', PublicAccessBlockConfiguration={'BlockPublicAcls': False, 'IgnorePublicAcls': False, 'BlockPublicPolicy': False, 'RestrictPublicBuckets': False})
    s3X.put_bucket_acl(ACL='public-read-write', Bucket='my_bucket_name')
    
  • Since "resource" does not seem to have "put_public_access_block", I wrote code that uses "client" as well.

    import boto3
    
    s3X = boto3.resource('s3')
    s3X.create_bucket(Bucket='my-bucket-name',ObjectOwnership='ObjectWriter',CreateBucketConfiguration={'LocationConstraint': 'ap-northeast-1'})
    
    client = boto3.client('s3')
    client.put_public_access_block(Bucket='my-bucket-name', PublicAccessBlockConfiguration={'BlockPublicAcls': False,'IgnorePublicAcls': False,'BlockPublicPolicy': False,'RestrictPublicBuckets': False})
    client.put_bucket_acl(ACL='public-read-write',Bucket='my-bucket-name')
    
  • @Riku_Kobayashi: Using 'resource' is preferable when integrated into python projects (which is the case), but if resource doesn't have the put_public_access_method (and probably others), I guess that you can use 'client' or a combination of 'client' and 'resource.' Thanks.

0

Try changing the code as follows.
The error occurs when ObjectOwnership is "BucketOwnerEnforced".

s3X.create_bucket(Bucket='my_bucket_name', ACL='public-read-write', ObjectOwnership='ObjectWriter')

"BucketOwnerEnforced" is changed to "ObjectWriter" because ACLs are disabled and an error occurs when ACL settings are inserted.

EXPERT
answered a year ago
  • Still generating an error message: 'botocore.exceptions.ClientError: An error occurred (InvalidBucketAclWithBlockPublicAccessError) when calling the CreateBucket operation: Bucket cannot have public ACLs set with BlockPublicAccess enabled'

  • Sorry, I just checked the documentation and it looks like the default setting is to deny public access. https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

    By default, new buckets, access points, and objects don't allow public access.

    In other words, after the bucket is created, the public access settings need to be disabled and the ACLs set, so the code should look like the following.

    s3X.create_bucket(Bucket='my_bucket_name', ObjectOwnership='ObjectWriter')
    s3X.put_public_access_block(Bucket='my_bucket_name', PublicAccessBlockConfiguration={'BlockPublicAcls': False, 'IgnorePublicAcls': False, 'BlockPublicPolicy': False, 'RestrictPublicBuckets': False})
    s3X.put_bucket_acl(ACL='public-read-write', Bucket='my_bucket_name')
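
To check what the three settings discussed in this thread add up to, here is an added example (not code from the thread's participants or from AWS). It takes values shaped like the responses of get_bucket_ownership_controls, get_public_access_block and get_bucket_acl and reports whether public ACL grants are actually in effect. The helper names and sample data are constructed for illustration; it makes no AWS calls and does not consider bucket policies or account-level Block Public Access.

```python
# Added example: evaluates constructed, boto3-shaped settings offline (no AWS calls).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_grants(grants):
    """Return (group, permission) pairs that an ACL gives to a public group."""
    found = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and group:
            found.append((group, grant["Permission"]))
    return found


def audit_bucket_acl(object_ownership, public_access_block, grants):
    """Hypothetical helper: report which layer, if any, neutralises public ACL grants.

    object_ownership    -- ObjectOwnership value (get_bucket_ownership_controls)
    public_access_block -- PublicAccessBlockConfiguration dict (get_public_access_block)
    grants              -- 'Grants' list (get_bucket_acl)
    """
    declared = public_grants(grants)
    if object_ownership == "BucketOwnerEnforced":
        # ACLs are disabled: access is decided by policies only.
        return {"status": "acls-disabled", "effective": [], "declared": declared}
    if public_access_block.get("IgnorePublicAcls", False):
        # Public grants may be stored on the bucket but are not honoured.
        return {"status": "public-acls-ignored", "effective": [], "declared": declared}
    status = "public" if declared else "private"
    return {"status": status, "effective": declared, "declared": declared}


# Constructed sample data: the grants a 'public-read-write' canned ACL produces.
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
OWNER_ONLY = [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
               "Permission": "FULL_CONTROL"}]
SAMPLE_GRANTS = OWNER_ONLY + [{"Grantee": ALL_USERS, "Permission": "READ"},
                              {"Grantee": ALL_USERS, "Permission": "WRITE"}]
BPA_ALL_ON = dict.fromkeys(
    ["BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"], True)
BPA_ALL_OFF = dict.fromkeys(BPA_ALL_ON, False)

if __name__ == "__main__":
    print(audit_bucket_acl("BucketOwnerEnforced", BPA_ALL_ON, OWNER_ONLY))
    print(audit_bucket_acl("ObjectWriter", BPA_ALL_ON, SAMPLE_GRANTS))
    print(audit_bucket_acl("ObjectWriter", BPA_ALL_OFF, SAMPLE_GRANTS))
```

A "public" status with a WRITE grant for AllUsers means anyone can write objects to the bucket, so this check is worth running against any bucket created with the sequence above.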
    
