
Amazon S3 - Bucket Logging Grantee

Amazon S3 lets you set a grantee on S3 bucket logs. The grantee is the person who is granted logging permissions on the bucket and is therefore allowed to access the bucket logs. The grantee can be different from the bucket owner. You can specify the grantee by email address or canonical user ID, and you can customize the permission level by giving READ, WRITE or FULL_CONTROL permission. The bucket owner automatically gets FULL_CONTROL on all the logs delivered to that bucket.

You can set a grantee on the bucket logs by sending an HTTP PUT request to the Amazon S3 server. There are two ways to send that request:

  1. Set Grantee on S3 Bucket Logs using Amazon S3 API - PUT Bucket Logging - If you are a programmer, you can call the S3 API operation PUT Bucket Logging from your application code to set the grantee.
  2. Set Grantee on S3 Bucket Logs using Bucket Explorer - To set the grantee without writing any code, use Bucket Explorer's UI. With Bucket Explorer, you can perform such actions on Amazon S3 buckets with mouse clicks.

Set Grantee using REST API PUT Bucket logging

You can grant other people access to Amazon S3 bucket logs by sending a PUT request that includes the Grantee request element. You can also specify the type of access the grantee gets on the logs using the Permission request element.

Grantee Values

You can specify the person (grantee) to whom you’re assigning access rights in the following ways, using request elements.

Set Grantee using REST API PUT Bucket logging by using the person’s ID:

Syntax:


<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
<ID> ID </ID>
<DisplayName> GranteesEmail </DisplayName>
</Grantee>
 

DisplayName is optional and ignored in the request.

Set Grantee using REST API PUT Bucket logging by using the Email Address:

Syntax:


<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AmazonCustomerByEmail">
<EmailAddress> Grantees@email.com </EmailAddress>
</Grantee>
 

The grantee is resolved to the CanonicalUser and in response to a GET Object acl request, appears as CanonicalUser.

Set Grantee using REST API PUT Bucket logging by URI:

Syntax:


<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
<URI> http://acs.amazonaws.com/groups/global/AuthenticatedUsers </URI>
</Grantee>
 

Syntax:


PUT ?logging HTTP/1.1
Host: mybucket.s3.amazonaws.com
Content-Length: 214
Date: Wed, 25 Nov 2012 12:00:00 GMT
Authorization: AWS AKIAIOSFODNN7EXAMPLE:xQE0diMbLRepdf3YB+FIEXAMPLE=

<?xml version="1.0" encoding="UTF-8"?>
<BucketLoggingStatus xmlns="http://doc.s3.amazonaws.com/2006-03-01">
<LoggingEnabled>
<TargetBucket>mybucketlogs</TargetBucket>
<TargetPrefix>mybucket-access_log-/</TargetPrefix>
<TargetGrants>
<Grant>
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="AmazonCustomerByEmail">
<EmailAddress> myuser@company.com </EmailAddress>
</Grantee>
<Permission>READ</Permission>
</Grant>
</TargetGrants>
</LoggingEnabled>
</BucketLoggingStatus>
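
An added example, not part of the original page or of Bucket Explorer: a Python check that parses a PUT Bucket logging body like the sample request above and lists each target grant, flagging group grantees and permissions above READ. The function name `audit_target_grants`, the warning texts and the second grant in the sample body are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://doc.s3.amazonaws.com/2006-03-01}"  # namespace from the page's sample request
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
ID_FIELD = {"CanonicalUser": "ID", "AmazonCustomerByEmail": "EmailAddress", "Group": "URI"}

# Constructed sample: the page's READ grant by email plus a broad group grant.
SAMPLE_BODY = """<BucketLoggingStatus xmlns="http://doc.s3.amazonaws.com/2006-03-01">
<LoggingEnabled>
<TargetBucket>mybucketlogs</TargetBucket>
<TargetPrefix>mybucket-access_log-/</TargetPrefix>
<TargetGrants>
<Grant>
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AmazonCustomerByEmail">
<EmailAddress>myuser@company.com</EmailAddress>
</Grantee>
<Permission>READ</Permission>
</Grant>
<Grant>
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
<URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
</Grantee>
<Permission>FULL_CONTROL</Permission>
</Grant>
</TargetGrants>
</LoggingEnabled>
</BucketLoggingStatus>"""

def audit_target_grants(body):
    """Return one dict per <Grant>: grantee type, identifier, permission, warnings."""
    results = []
    for grant in ET.fromstring(body).iter(NS + "Grant"):
        grantee = grant.find(NS + "Grantee")
        gtype = grantee.get(XSI_TYPE) if grantee is not None else None
        field = ID_FIELD.get(gtype)  # None when xsi:type is absent or not one of the three
        ident = (grantee.findtext(NS + field) or "").strip() if field else ""
        perm = (grant.findtext(NS + "Permission") or "").strip()
        warnings = []
        if not ident:
            warnings.append("missing or unrecognised grantee identifier")
        if gtype == "Group":
            warnings.append("group grantee: access is not limited to named accounts")
        if perm not in ("READ", "WRITE", "FULL_CONTROL"):
            warnings.append("invalid permission")
        elif perm != "READ":
            warnings.append(perm + " exceeds READ on delivered logs")
        results.append({"type": gtype, "grantee": ident, "permission": perm, "warnings": warnings})
    return results
```

Calling `audit_target_grants(SAMPLE_BODY)` returns two entries: the email grant with no warnings, and the group grant with two.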
 

Set Grantee using Bucket Explorer

While the “PUT Bucket logging” API of AWS lets you set the grantee by writing code, Bucket Explorer lets you do the same by pointing and clicking in its user interface.

How to Set Target Grants on Bucket Logs?

Bucket logging is the process by which Amazon S3 logs the operations performed on a bucket. You can choose the target bucket where the S3 bucket access logs will be delivered. The target bucket may be the same as the bucket that is being logged or a different bucket. Bucket Explorer allows you to share log files with other people through their email addresses. You can share your log files with more than one authenticated user by adding their email addresses, and you can give distinct permissions such as Read, Write, and Full Control on the shared log files.

Steps to Set Target Grants on Bucket Logs:

  1. Run Bucket Explorer.
  2. Right-click the bucket on which you want to set logging and choose the “Bucket Logging Operation -> Set Logging” option.
  3. It will open a dialog box entitled “Bucket Logging for $bucketname$”.
  4. If the bucket is already being logged, it will display the target bucket name; otherwise, it will show “Not Logged”.
  5. By default, the bucket name is set as the prefix. You can change this to your desired string.
  6. From the combo box, select the target bucket where you want the log files delivered.
  7. Click the “Set Grantee” button.
  8. It will open the Set Grantee panel. Click the “Add access by Email Id/Canonical Id” button.
  9. Enter the valid Email Id of the user or the Canonical Id of the account with whom you want to share the log files.
  10. Set the permissions for the user with whom you are sharing the logged bucket.
  11. Click the “Ok” button to save the permissions you have assigned.