How to create s3 bucket with --acl public-read parameter?

0

With its latest update, Amazon has adopted a configuration where S3 Block Public Access will be automatically enabled and access control lists will be disabled for all new buckets.
However, I'd like to create a bucket with public access explicitly, instead of the default settings. As can be seen in the AWS CLI create-bucket documentation, I want to create an S3 bucket using the --acl public-read and --object-ownership BucketOwnerPreferred commands. For example as follows:

aws s3api create-bucket --acl public-read-write --bucket mybucket --region us-west-2 --create-bucket-configuration LocationConstraint=us-west-2 --object-ownership BucketOwnerPreferred

No matter which method I try, I kept getting the Bucket cannot have public ACLs set with BlockPublicAccess enabled error consistently.
I can create an S3 bucket using only the --object-ownership BucketOwnerPreferred parameter, without using the --acl public-read parameter.
Alternatively, I can also execute the command using the --acl private parameter instead of the --acl public-read parameter.
However, I'm unable to create an S3 bucket using both the --acl public-read parameter and the --object-ownership BucketOwnerPreferred parameter simultaneously.

The topic I want to learn about is this: will the --acl public-read command no longer be usable when creating an S3 bucket? If it's not usable, why is there information about this command shared on the documentation page? I would greatly appreciate your assistance if you could help me with this.
ps: I'm aware that the put-public-access-block parameter can be used to grant permission after creating the bucket. However, I specifically want to create the bucket with public access right from the start.

2 Answers
2

I under stand you r use case and I've previously answered this question for cloudformation/cdk at here.

It'd be two step process via s3api, here below is how would you do it(my cli is setup for us-east-1 and I created bucket in us-east-2):

      aws s3api create-bucket --bucket <mybucket>--region us-east-1 --create-bucket-configuration LocationConstraint="us-east-2" --object-ownership BucketOwnerPreferred --profile <cli_profile>

      aws s3api delete-public-access-block --bucket <mybucket> --profile <cli_profile>

Refer: Create Bucket API

Enter image description here

Hope it helps.

Comment here if you have additional questions, happy to help.

Abhishek

profile pictureAWS
EXPERT
answered a year ago
1
Accepted Answer

As stated in the documentation you provided:

S3 Block Public Access - If your specific use case requires granting public access to your S3 resources, you can disable Block Public Access. You can create a new bucket with Block Public Access enabled, then separately call the DeletePublicAccessBlock API. To use this operation, you must have the s3:PutBucketPublicAccessBlock permission. By default, all Block Public Access settings are enabled for new buckets. To avoid inadvertent exposure of your resources, we recommend keeping the S3 Block Public Access settings enabled. For more information about S3 Block Public Access, see Blocking public access to your Amazon S3 storage in the Amazon S3 User Guide.

You must first create the bucket and then disable the Block Public Access Configuration.

Be aware that you can grant public access to the whole bucket without even enabling ACLs. And it's the recommended way.

Hope this answers your question. If I can still help somehow let know.

answered a year ago
profile pictureAWS
EXPERT
reviewed a year ago
profile pictureAWS
EXPERT
reviewed a year ago
  • "You must first create the bucket and then disable the Block Public Access Configuration." First of all, thanks for your answer. As I understand from your answer, then I conclude that we cannot use the --acl public-read/write command when creating an s3 bucket under default conditions. Am I right?

  • Yes, I also got to that conclusion. This option of the command might be removed or changed somehow in the future.

  • "Be aware that you can grant public access to the whole bucket without even enabling ACLs. And it's the recommended way."

    How????

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions