Lists an object's ACLs.
You must have READ permission to download an object, and you must have FULL_CONTROL permission to retrieve an object's ACLs.
Query string parameters
Parameter | Description | Required |
---|---|---|
acl | You can use this only if you are using the GET Object method to list an object's ACLs. | No |
See signed URL query string parameters for information on the parameters you include when creating and using signed URLs.
Request headers
Request body elements
This request does not include an XML document in the request body.
Request syntax
The following syntax applies to GET Object requests that use the acl query string parameter.
GET /OBJECT_NAME?acl HTTP/1.1
Host: BUCKET_NAME.storage.googleapis.com
Content-Length: 0
Content-Type: TYPE
Authorization: AUTHENTICATION_STRING
Response headers
The request can return a variety of response headers depending on the request headers you use, including: Cache-Control, Content-Length, Content-Type, Content-Disposition, ETag, and Last-Modified.
Response body elements
The following response body elements are applicable only if you use the acl query string parameter to list an object's ACLs.
Element | Description |
---|---|
Owner | Container for object owner information. |
ID | The Google Storage ID of the object owner or the Google Storage ID of the user or group for whom the ACLs apply. |
Name | Comment field for GroupByEmail, GroupById, UserByEmail, and UserById. |
AccessControlList | Container for the ACLs you are retrieving. |
Entries | Container for the ACL entries you are retrieving. |
Entry | The ACL entry you are retrieving. |
Scope | The scope to which the ACLs apply. |
Permission | The permission that has been granted. Can be any of the Cloud Storage permissions, including READ, WRITE, or FULL_CONTROL. |
EmailAddress | A user account email address or a Google group email address. |
Domain | A Google Workspace or Cloud Identity domain. |
Example
The following example lists the ACLs for an object named paris.jpg that is in a bucket named travel-maps. In this sample, every user account that is in the example.com domain has READ permission on the object, which means any user who can sign in with an @example.com email address can download the paris.jpg object. To specify a domain as a scope, the domain must be associated with a Google Workspace or Cloud Identity account. The ACL also grants a user FULL_CONTROL permission on the paris.jpg object, which lets that user download the object and change the ACLs on the object. The user is represented by their Google Storage ID.
Request
GET /paris.jpg?acl HTTP/1.1
Host: travel-maps.storage.googleapis.com
Content-Length: 0
Authorization: Bearer ya29.AHES6ZRVmB7fkLtd1XTmq6mo0S1wqZZi3-Lh_s-6Uw7p8vtgSwg
Response
HTTP/1.1 200 OK
Content-Length: 485
Content-Type: application/xml
Date: Fri, 19 Feb 2010 14:05:08 GMT

<?xml version="1.0" encoding="UTF-8"?>
<AccessControlList>
  <Owner>
    <ID>84fac329bceSAMPLE777d5d22b8SAMPLE77d85ac2SAMPLE2dfcf7c4adf34da46</ID>
    <Name></Name>
  </Owner>
  <Entries>
    <Entry>
      <Scope type="UserById">
        <ID>84fac329bceSAMPLE777d5d22b8SAMPLE77d85ac2SAMPLE2dfcf7c4adf34da46</ID>
        <Name></Name>
      </Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
    <Entry>
      <Scope type="UserById">
        <ID>76fac329bceSAMPLE777d5d22b8SAMPLE77d85ac2SAMPLE2dfcf7c4adf34da79</ID>
        <Name>joe@gmail.com</Name>
      </Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
    <Entry>
      <Scope type="GroupByDomain">
        <Domain>example.com</Domain>
      </Scope>
      <Permission>READ</Permission>
    </Entry>
  </Entries>
</AccessControlList>
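The following Python sketch is an added example, not part of the original documentation. It parses an ACL response shaped like the one above and lists the grants an access review should justify: FULL_CONTROL held by anyone other than the owner, and any grant whose scope is not a single user. The function names, the finding strings and the shortened placeholder IDs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed sample modelled on the response above; the IDs are placeholders.
SAMPLE_ACL = """<?xml version="1.0" encoding="UTF-8"?>
<AccessControlList>
  <Owner><ID>OWNER_ID_SAMPLE</ID><Name></Name></Owner>
  <Entries>
    <Entry>
      <Scope type="UserById"><ID>OWNER_ID_SAMPLE</ID><Name></Name></Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
    <Entry>
      <Scope type="UserById"><ID>OTHER_ID_SAMPLE</ID><Name>joe@gmail.com</Name></Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
    <Entry>
      <Scope type="GroupByDomain"><Domain>example.com</Domain></Scope>
      <Permission>READ</Permission>
    </Entry>
  </Entries>
</AccessControlList>"""
SINGLE_USER_SCOPES = {"UserById", "UserByEmail"}  # scope types naming one account

def parse_acl(xml_text):
    """Return (owner_id, [(scope_type, grantee, permission), ...])."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    owner_id = (root.findtext("Owner/ID") or "").strip()
    entries = []
    for entry in root.iterfind("Entries/Entry"):
        scope = entry.find("Scope")
        if scope is None:
            continue  # malformed entry: nothing to attribute the grant to
        # A scope is identified by ID, EmailAddress or Domain, whichever is set.
        ids = [(scope.findtext(tag) or "").strip() for tag in ("ID", "EmailAddress", "Domain")]
        grantee = next((value for value in ids if value), "")
        permission = (entry.findtext("Permission") or "").strip()
        entries.append((scope.get("type", ""), grantee, permission))
    return owner_id, entries

def review_acl(xml_text):
    """List grants to justify: non-owner FULL_CONTROL and non-single-user scopes."""
    owner_id, entries = parse_acl(xml_text)
    findings = []
    for scope_type, grantee, permission in entries:
        is_owner = bool(owner_id) and scope_type == "UserById" and grantee == owner_id
        if permission == "FULL_CONTROL" and not is_owner:
            findings.append(f"FULL_CONTROL held by non-owner {scope_type} {grantee}")
        if scope_type not in SINGLE_USER_SCOPES:
            findings.append(f"{permission} granted to {scope_type} {grantee}")
    return findings
```

On the sample, `review_acl(SAMPLE_ACL)` reports the second user's FULL_CONTROL grant and the domain-wide READ grant, the two entries the example description calls out.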