:doc:`S3 <../../s3>` / Client / get_object_acl

**************
get_object_acl
**************



.. py:method:: S3.Client.get_object_acl(**kwargs)

  

  .. note::

    

    This operation is not supported for directory buckets.

    

   

  Returns the access control list (ACL) of an object. To use this operation, you must have ``s3:GetObjectAcl`` permissions or ``READ_ACP`` access to the object. For more information, see `Mapping of ACL permissions and access policy permissions <https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#acl-access-policy-permission-mapping>`__ in the *Amazon S3 User Guide*

   

  This functionality is not supported for Amazon S3 on Outposts.

   

  By default, GET returns ACL information about the current version of an object. To return ACL information about a different version, use the versionId subresource.

   

  .. note::

    

    If your bucket uses the bucket owner enforced setting for S3 Object Ownership, requests to read ACLs are still supported and return the ``bucket-owner-full-control`` ACL with the owner being the account that created the bucket. For more information, see `Controlling object ownership and disabling ACLs <https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html>`__ in the *Amazon S3 User Guide*.

    

   

  The following operations are related to ``GetObjectAcl``:

   

  
  * `GetObject <https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html>`__
   
  * `GetObjectAttributes <https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAttributes.html>`__
   
  * `DeleteObject <https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html>`__
   
  * `PutObject <https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html>`__
  

   

  .. warning::

     

    You must URL encode any signed header values that contain spaces. For example, if your header value is ``my file.txt``, containing two spaces after ``my``, you must URL encode this value to ``my%20%20file.txt``.

    

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/GetObjectAcl>`_  


  **Request Syntax**
  ::

    response = client.get_object_acl(
        Bucket='string',
        Key='string',
        VersionId='string',
        RequestPayer='requester',
        ExpectedBucketOwner='string'
    )
    
  :type Bucket: string
  :param Bucket: **[REQUIRED]** 

    The bucket name that contains the object for which to get the ACL information.

     

    **Access points** - When you use this action with an access point for general purpose buckets, you must provide the alias of the access point in place of the bucket name or specify the access point ARN. When you use this action with an access point for directory buckets, you must provide the access point name in place of the bucket name. When using the access point ARN, you must direct requests to the access point hostname. The access point hostname takes the form *AccessPointName*-*AccountId*.s3-accesspoint.*Region*.amazonaws.com. When using this action with an access point through the Amazon Web Services SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, see `Using access points <https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-access-points.html>`__ in the *Amazon S3 User Guide*.

    

  
  :type Key: string
  :param Key: **[REQUIRED]** 

    The key of the object for which to get the ACL information.

    

  
  :type VersionId: string
  :param VersionId: 

    Version ID used to reference a specific version of the object.

     

    .. note::

      

      This functionality is not supported for directory buckets.

      

    

  
  :type RequestPayer: string
  :param RequestPayer: 

    Confirms that the requester knows that they will be charged for the request. Bucket owners need not specify this parameter in their requests. If either the source or destination S3 bucket has Requester Pays enabled, the requester will pay for the corresponding charges. For information about downloading objects from Requester Pays buckets, see `Downloading Objects in Requester Pays Buckets <https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html>`__ in the *Amazon S3 User Guide*.

     

    .. note::

      

      This functionality is not supported for directory buckets.

      

    

  
  :type ExpectedBucketOwner: string
  :param ExpectedBucketOwner: 

    The account ID of the expected bucket owner. If the account ID that you provide does not match the actual owner of the bucket, the request fails with the HTTP status code ``403 Forbidden`` (access denied).

    

  
  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'Owner': {
              'DisplayName': 'string',
              'ID': 'string'
          },
          'Grants': [
              {
                  'Grantee': {
                      'DisplayName': 'string',
                      'EmailAddress': 'string',
                      'ID': 'string',
                      'Type': 'CanonicalUser'|'AmazonCustomerByEmail'|'Group',
                      'URI': 'string'
                  },
                  'Permission': 'FULL_CONTROL'|'WRITE'|'WRITE_ACP'|'READ'|'READ_ACP'
              },
          ],
          'RequestCharged': 'requester'
      }
      
    **Response Structure**

    

    - *(dict) --* 
      

      - **Owner** *(dict) --* 

        Container for the bucket owner's ID.

        
        

        - **DisplayName** *(string) --* 
        

        - **ID** *(string) --* 

          Container for the ID of the owner.

          
    
      

      - **Grants** *(list) --* 

        A list of grants.

        
        

        - *(dict) --* 

          Container for grant information.

          
          

          - **Grantee** *(dict) --* 

            The person being granted permissions.

            
            

            - **DisplayName** *(string) --* 
            

            - **EmailAddress** *(string) --* 
            

            - **ID** *(string) --* 

              The canonical user ID of the grantee.

              
            

            - **Type** *(string) --* 

              Type of grantee

              
            

            - **URI** *(string) --* 

              URI of the grantee group.

              
        
          

          - **Permission** *(string) --* 

            Specifies the permission given to the grantee.

            
      
    
      

      - **RequestCharged** *(string) --* 

        If present, indicates that the requester was successfully charged for the request. For more information, see `Using Requester Pays buckets for storage transfers and usage <https://docs.aws.amazon.com/AmazonS3/latest/userguide/RequesterPaysBuckets.html>`__ in the *Amazon Simple Storage Service user guide*.

         

        .. note::

          

          This functionality is not supported for directory buckets.

          

        
  
  **Exceptions**
  
  *   :py:class:`S3.Client.exceptions.NoSuchKey`

  

  **Examples**

  The following example retrieves access control list (ACL) of an object.
  ::

    response = client.get_object_acl(
        Bucket='examplebucket',
        Key='HappyFace.jpg',
    )
    
    print(response)

  
  Expected Output:
  ::

    {
        'Grants': [
            {
                'Grantee': {
                    'DisplayName': 'owner-display-name',
                    'ID': 'examplee7a2f25102679df27bb0ae12b3f85be6f290b936c4393484be31bebcc',
                    'Type': 'CanonicalUser',
                },
                'Permission': 'WRITE',
            },
            {
                'Grantee': {
                    'DisplayName': 'owner-display-name',
                    'ID': 'examplee7a2f25102679df27bb0ae12b3f85be6f290b936c4393484be31bebcc',
                    'Type': 'CanonicalUser',
                },
                'Permission': 'WRITE_ACP',
            },
            {
                'Grantee': {
                    'DisplayName': 'owner-display-name',
                    'ID': 'examplee7a2f25102679df27bb0ae12b3f85be6f290b936c4393484be31bebcc',
                    'Type': 'CanonicalUser',
                },
                'Permission': 'READ',
            },
            {
                'Grantee': {
                    'DisplayName': 'owner-display-name',
                    'ID': '852b113eexamplee7a2f25102679df27bb0ae12b3f85be6f290b936c4393484be31bebcc7a2f25102679df27bb0ae12b3f85be6f290b936c4393484be31bebcc',
                    'Type': 'CanonicalUser',
                },
                'Permission': 'READ_ACP',
            },
        ],
        'Owner': {
            'DisplayName': 'owner-display-name',
            'ID': 'examplee7a2f25102679df27bb0ae12b3f85be6f290b936c4393484be31bebcc',
        },
        'ResponseMetadata': {
            '...': '...',
        },
    }

  