
How to make 10,000 files in S3 public

I have a folder in a bucket with 10,000 files. There seems to be no way to upload them and make them public straight away. So I uploaded them all, they're private, and I need to make them all public.

I've tried the AWS console; it just gives an error (works fine with folders with fewer files).

I've tried using S3 organizing in Firefox, same thing.

Is there some software or some script I can run to make all these public?

Every tool I tried crashed, so I ended up writing a PHP script that took a few hours and just looped through every object in the bucket and made it public.

moka

You can generate a bucket policy (see example below) which gives access to all the files in the bucket. The bucket policy can be added to a bucket through the AWS console.

{
    "Id": "...",
    "Statement": [ {
        "Sid": "...",
        "Action": [
            "s3:GetObject"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::bucket/*",
        "Principal": {
            "AWS": [ "*" ]
        }
    } ]
}

Also look at the following policy generator tool provided by Amazon.

http://awspolicygen.s3.amazonaws.com/policygen.html


This did not work for me. Some objects are still returning the 'access denied' response even with the bucket policy in place. It's copy-pasted from the above with only the bucket name changed. I guess it's time to write a script to loop through all 1.3 million objects... kinda irritating
You need to change "bucket" to the name of your bucket.
I resent having to do it this way. That's some ugly JSON.
Just a note: It may seem obvious, but you can also choose to limit access to specific folders: bucket/avatars/*. (Don't forget the * at the end. I did and I ran around in circles for a while.)
@Benjamin What is "basic" configuration for you is inappropriate for others, because everyone's security requirements are different. AWS provides a uniform way to customize these policies. Therefore, one must take the time to learn security policies properly and not shy away from a few simple lines of JSON.
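
The Resource pattern in the bucket policy above, and the bucket/avatars/* variant from the comments, decide which keys anonymous callers can read. The Ruby sketch below is an added example, not part of the original answers: it evaluates anonymous s3:GetObject against constructed policies for a bucket named "bucket", under the simplifications stated in its comments. All function and constant names are hypothetical.

```ruby
require 'json'

# IAM-style wildcard match: '*' spans any run of characters (including '/'),
# '?' matches exactly one character; everything else is literal.
def arn_match?(pattern, value)
  body = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  Regexp.new("\\A#{body}\\z").match?(value)
end

# True when the statement's Principal covers anonymous callers.
def anonymous_principal?(principal)
  return true if principal == '*'
  principal.is_a?(Hash) && Array(principal['AWS']).include?('*')
end

# Simplified evaluation of anonymous s3:GetObject against a bucket policy:
# an explicit Deny wins, otherwise one matching Allow is enough.
# Assumption: no Condition blocks, no NotAction/NotResource; object ACLs and
# Block Public Access settings are ignored.
def publicly_readable?(policy_json, bucket, key)
  arn = "arn:aws:s3:::#{bucket}/#{key}"
  effects = [JSON.parse(policy_json).fetch('Statement')].flatten.select do |st|
    anonymous_principal?(st['Principal']) &&
      Array(st['Action']).any? { |a| arn_match?(a, 's3:GetObject') } &&
      Array(st['Resource']).any? { |r| arn_match?(r, arn) }
  end.map { |st| st['Effect'] }
  effects.include?('Allow') && !effects.include?('Deny')
end

# Constructed sample policy with a single public-read statement.
def policy_for(resource)
  JSON.generate({
    'Version' => '2012-10-17',
    'Statement' => [{ 'Sid' => 'PublicRead', 'Effect' => 'Allow',
                      'Principal' => { 'AWS' => ['*'] },
                      'Action' => ['s3:GetObject'], 'Resource' => resource }]
  })
end

WHOLE_BUCKET = policy_for('arn:aws:s3:::bucket/*')         # every key is public
AVATARS_ONLY = policy_for('arn:aws:s3:::bucket/avatars/*') # one prefix only
MISSING_STAR = policy_for('arn:aws:s3:::bucket/avatars/')  # trailing * forgotten

KEYS = ['avatars/alice.png', 'exports/customers.csv'].freeze # constructed keys
{ whole: WHOLE_BUCKET, avatars: AVATARS_ONLY, typo: MISSING_STAR }.each do |name, pol|
  KEYS.each { |k| puts "#{name}: #{k} public=#{publicly_readable?(pol, 'bucket', k)}" }
end
```

Running it shows that bucket/* exposes every key in the bucket, the avatars/* pattern exposes only that prefix, and the pattern without the trailing * matches no object under avatars/.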
David Roussel

If you are uploading for the first time, you can set the files to be public on upload on the command line:

aws s3 sync . s3://my-bucket/path --acl public-read

As documented in Using High-Level s3 Commands with the AWS Command Line Interface

Unfortunately it only applies the ACL when the files are uploaded. It does not (in my testing) apply the ACL to already uploaded files.

If you do want to update existing objects, you used to be able to sync the bucket to itself, but this seems to have stopped working.

[Not working anymore] This can be done from the command line:

aws s3 sync s3://my-bucket/path s3://my-bucket/path --acl public-read

(So this no longer answers the question, but leaving answer for reference as it used to work.)


Does this command take effect on files that are already uploaded but not yet public-read?
When I tested it, it seems to only add the ACL to newly synced files.
Thank you for the reply, I tested it also. Are there any ways to batch change the permissions of uploaded files?
Oh, no wonder. I was confused by this. Really appreciated you clarifying.
Answer updated to include how to change existing files.
Daniel Von Fange

I had to change several hundred thousand objects. I fired up an EC2 instance to run this, which makes it all go faster. You'll want to install the aws-sdk gem first.

Here's the code:

require 'rubygems'
require 'aws-sdk'


# Change this stuff.
AWS.config({
    :access_key_id => 'YOURS_HERE',
    :secret_access_key => 'YOURS_HERE',
})
bucket_name = 'YOUR_BUCKET_NAME'


s3 = AWS::S3.new()
bucket = s3.buckets[bucket_name]
bucket.objects.each do |object|
    puts object.key
    object.acl = :public_read
end

The simple way is to upload them with the public_read flag set in the first place, but failing that, this is a good option.
This code snippet is outdated, refer to my answer.
ksarunas

I had the same problem; the solution by @DanielVonFange is outdated, as a new version of the SDK is out.

Adding a code snippet that works for me right now with the AWS Ruby SDK:

require 'aws-sdk'

Aws.config.update({
  region: 'REGION_CODE_HERE',
  credentials: Aws::Credentials.new(
    'ACCESS_KEY_ID_HERE',
    'SECRET_ACCESS_KEY_HERE'
  )
})
bucket_name = 'BUCKET_NAME_HERE'

s3 = Aws::S3::Resource.new
s3.bucket(bucket_name).objects.each do |object|
  puts object.key
  object.acl.put({ acl: 'public-read' })
end

Fantastic answer - just the script I needed in a tight spot
@ksarunas In my case, I need to change the public permissions to private, so I replaced public-read with private and the access got changed, but I'm still able to access the URL?
Selcuk

Just wanted to add that with the new S3 Console you can select your folder(s) and select Make public to make all files inside the folders public. It works as a background task so it should handle any number of files.

https://i.stack.imgur.com/sRKaI.png


Unfortunately it takes a long time and you can't close the browser while the command is running. Your browser is sending 2 requests for each file; in my case the two requests took 500ms. If you have a lot of files it'll take a long time =(
And, there's another problem: this will make them fully public. If you only want public-read access, that's a problem.
BE VERY AWARE - I did this Make Public and the "progress bar" that pops up is so subtle, I thought it was done. I checked and probably spent an hour working on this before I realized you click Make Public and small subtle "progress bar shows up"... grrr... since I closed the browser window about 10 times, I assume that killed it each time. I'm running it now - it is pretty quick - maybe 20 minutes for 120k images
Alexander Vitanov

Using the cli:

aws s3 ls s3://bucket-name --recursive > all_files.txt && grep '\.jpg$' all_files.txt > files.txt && awk '{print $4}' files.txt | xargs -n 1 aws s3api put-object-acl --acl public-read --bucket bucket-name --key


Couldn't you just use a pipe to grep instead of writing to disk with all files.txt? This can be aws s3 ls s3://bucket-name --recursive | grep .jpg | awk '{cmd="aws s3api put-object-acl --acl public-read --bucket bucket-name --key "$4;system(cmd)}'
@sakurashinken answer works perfectly. If you see this. This is the one to use.
Eric Anderson

Had this need myself but the number of files makes it WAY too slow to do in serial. So I wrote a script that does it on iron.io's IronWorker service. Their 500 free compute hours per month are enough to handle even large buckets (and if you do exceed that the pricing is reasonable). Since it is done in parallel it completes in less than a minute for the 32,000 objects I had. Also I believe their servers run on EC2 so the communication between the job and S3 is quick.

Anybody is welcome to use my script for their own needs.


willbt

Have a look at BucketExplorer; it manages bulk operations very well and is a solid S3 client.


It's also now possible to bulk change permissions in Cyberduck (free) via the Info palette.
BucketExplorer is only useful if you have permission to list all buckets. Much better to use the CLI or an SDK for this operation and leave your users with restricted permissions.
Tahbaza

You would think they would make public read the default behavior, wouldn't you? : ) I shared your frustration while building a custom API to interface with S3 from a C# solution. Here is the snippet that accomplishes uploading an S3 object and setting it to public-read access by default:

public void Put(string bucketName, string id, byte[] bytes, string contentType, S3ACLType acl) {
     string uri = String.Format("https://{0}/{1}", BASE_SERVICE_URL, bucketName.ToLower());
     DreamMessage msg = DreamMessage.Ok(MimeType.BINARY, bytes);
     msg.Headers[DreamHeaders.CONTENT_TYPE] = contentType;
     msg.Headers[DreamHeaders.EXPECT] = "100-continue";
     msg.Headers[AWS_ACL_HEADER] = ToACLString(acl);
     try {
        Plug s3Client = Plug.New(uri).WithPreHandler(S3AuthenticationHeader);
        s3Client.At(id).Put(msg);
     } catch (Exception ex) {
        throw new ApplicationException(String.Format("S3 upload error: {0}", ex.Message));
     }
}

The ToACLString(acl) function returns public-read, BASE_SERVICE_URL is s3.amazonaws.com and the AWS_ACL_HEADER constant is x-amz-acl. The plug and DreamMessage stuff will likely look strange to you as we're using the Dream framework to streamline our http communications. Essentially we're doing an http PUT with the specified headers and a special header signature per aws specifications (see this page in the aws docs for examples of how to construct the authorization header).

To change 1000 existing object ACLs you could write a script but it's probably easier to use a GUI tool to fix the immediate issue. The best I've used so far is from a company called cloudberry for S3; it looks like they have a free 15 day trial for at least one of their products. I've just verified that it will allow you to select multiple objects at once and set their ACL to public through the context menu. Enjoy the cloud!


mike

If your filenames have spaces, we can take Alexander Vitanov's answer above and run it through jq:

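#!/bin/bash
# Make every object in a bucket public-read, including keys that contain spaces.
bucket=www.example.com
# Read one key per line; IFS= and -r keep leading spaces and backslashes intact,
# and quoting the variable prevents word splitting and glob expansion.
aws s3api list-objects --bucket "${bucket}" | jq -r '.Contents[].Key' |
while IFS= read -r tricky_file
do
  printf '%s\n' "$tricky_file"
  aws s3api put-object-acl --acl public-read --bucket "${bucket}" --key "$tricky_file"
done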