Get object ACLs

Lists an object's ACLs.

You must have READ permission to download an object, and you must have FULL_CONTROL permission to retrieve an object's ACLs.

Query string parameters

| Parameter | Description | Required |
| --- | --- | --- |
| acl | You can use this only if you are using the GET Object method to list an object's ACLs. | No |

See signed URL query string parameters for information on the parameters you include when creating and using signed URLs.

Request headers

See common request headers.

Request body elements

This request does not include an XML document in the request body.

Request syntax

The following syntax applies to GET Object requests that use the acl query string parameter.

GET /OBJECT_NAME?acl HTTP/1.1
Host: BUCKET_NAME.storage.googleapis.com
Content-Length: 0
Content-Type: TYPE
Authorization: AUTHENTICATION_STRING

Response headers

The request can return a variety of response headers depending on the request headers you use, including: Cache-Control, Content-Length, Content-Type, Content-Disposition, ETag, and Last-Modified.

Response body elements

The following response body elements are applicable only if you use the acl query string parameter to list an object's ACLs.

| Element | Description |
| --- | --- |
| Owner | Container for object owner information. |
| ID | The Google Storage ID of the object owner or the Google Storage ID of the user or group for whom the ACLs apply. |
| Name | Comment field for GroupByEmail, GroupById, UserByEmail, and UserById. |
| AccessControlList | Container for the ACLs you are retrieving. |
| Entries | Container for the ACL entries you are retrieving. |
| Entry | The ACL entry you are retrieving. |
| Scope | The scope to which the ACLs apply. |
| Permission | The permission that has been granted. Can be any of the Cloud Storage permissions, including READ, WRITE, or FULL_CONTROL. |
| EmailAddress | A user account email address or a Google group email address. |
| Domain | A Google Workspace or Cloud Identity domain. |

Example

The following example lists the ACLs for an object named paris.jpg that is in a bucket named travel-maps. In this sample, every user account that is in the example.com domain has READ permission on the object, which means any user who can sign in with an @example.com email address can download the paris.jpg object. To specify a domain as a scope, the domain must be associated with a Google Workspace or Cloud Identity account. The ACL also grants a user FULL_CONTROL permission on the paris.jpg object, which lets that user download the object and change the ACLs on the object. The user is represented by their Google Storage ID.

Request

GET /paris.jpg?acl HTTP/1.1
Host: travel-maps.storage.googleapis.com
Content-Length: 0
Authorization: Bearer ya29.AHES6ZRVmB7fkLtd1XTmq6mo0S1wqZZi3-Lh_s-6Uw7p8vtgSwg

Response

HTTP/1.1 200 OK
Content-Length: 485
Content-Type: application/xml
Date: Fri, 19 Feb 2010 14:05:08 GMT

<?xml version="1.0" encoding="UTF-8"?>
<AccessControlList>
  <Owner>
    <ID>84fac329bceSAMPLE777d5d22b8SAMPLE77d85ac2SAMPLE2dfcf7c4adf34da46</ID>
    <Name></Name>
  </Owner>
  <Entries>
    <Entry>
      <Scope type="UserById">
        <ID>84fac329bceSAMPLE777d5d22b8SAMPLE77d85ac2SAMPLE2dfcf7c4adf34da46</ID>
        <Name></Name>
      </Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
    <Entry>
      <Scope type="UserById">
        <ID>76fac329bceSAMPLE777d5d22b8SAMPLE77d85ac2SAMPLE2dfcf7c4adf34da79</ID>
        <Name>joe@gmail.com</Name>
      </Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
    <Entry>
      <Scope type="GroupByDomain">
        <Domain>example.com</Domain>
      </Scope>
      <Permission>READ</Permission>
    </Entry>
  </Entries>
</AccessControlList>
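
An added example (not part of the original page and not Google's code) of reviewing a response like the one above: it parses the AccessControlList XML and flags domain-wide or public scopes and FULL_CONTROL grants to anyone other than the owner. The function names, finding labels and placeholder IDs are assumptions; AllUsers and AllAuthenticatedUsers are Cloud Storage scope types that this page does not list.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the response on this page (IDs are placeholders).
SAMPLE_ACL = """<?xml version="1.0" encoding="UTF-8"?>
<AccessControlList>
  <Owner><ID>OWNER_ID_PLACEHOLDER</ID><Name></Name></Owner>
  <Entries>
    <Entry><Scope type="UserById"><ID>OWNER_ID_PLACEHOLDER</ID><Name></Name></Scope>
      <Permission>FULL_CONTROL</Permission></Entry>
    <Entry><Scope type="UserById"><ID>OTHER_ID_PLACEHOLDER</ID><Name>joe@gmail.com</Name></Scope>
      <Permission>FULL_CONTROL</Permission></Entry>
    <Entry><Scope type="GroupByDomain"><Domain>example.com</Domain></Scope>
      <Permission>READ</Permission></Entry>
  </Entries>
</AccessControlList>"""

# Scopes wider than one principal; AllUsers/AllAuthenticatedUsers are not shown on this page.
BROAD_SCOPES = {"GroupByDomain", "AllUsers", "AllAuthenticatedUsers"}


def parse_acl(xml_text):
    """Return (owner_id, [(scope_type, grantee, permission), ...])."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    owner_id = root.findtext("Owner/ID", default="")
    entries = []
    for entry in root.findall("Entries/Entry"):
        scope = entry.find("Scope")
        scope_type = scope.get("type", "") if scope is not None else ""
        # The identifier is in ID, EmailAddress or Domain depending on the scope type.
        ids = [entry.findtext("Scope/" + t, default="") for t in ("ID", "EmailAddress", "Domain")]
        grantee = next((v for v in ids if v), "")
        entries.append((scope_type, grantee, entry.findtext("Permission", default="")))
    return owner_id, entries


def review_acl(xml_text):
    """Flag grants worth a second look: broad scopes and non-owner FULL_CONTROL."""
    owner_id, entries = parse_acl(xml_text)
    findings = []
    for scope_type, grantee, permission in entries:
        if scope_type in BROAD_SCOPES:
            findings.append(("broad-scope", scope_type, grantee, permission))
        elif permission == "FULL_CONTROL" and grantee != owner_id:
            findings.append(("non-owner-full-control", scope_type, grantee, permission))
    return findings


if __name__ == "__main__":
    print(review_acl(SAMPLE_ACL))
```

A non-owner FULL_CONTROL entry matters because, as the example text states, that permission lets the grantee change the ACLs on the object as well as download it.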