add acl where needed, update docs

Sage-Bionetworks · May 18, 2021 · b10f3a8 · b10f3a8
1 parent b37e145
commit b10f3a8
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/docs/S3Storage.rst b/docs/S3Storage.rst
@@ -102,7 +102,9 @@ Using credentials with the awscli
 ---------------------------------
 This example illustrates obtaining STS credentials and using them with the awscli command line tool.
 The first command outputs the credentials as shell commands to execute which will then be picked up
-by subsequent aws cli commands.
+by subsequent aws cli commands. Note that the bucket-owner-full-control ACL is required when putting
+an object via STS credentials. This ensures that the object ownership will be transferred to the
+owner of the AWS bucket.
 
   .. code-block::
 
@@ -116,12 +118,14 @@ by subsequent aws cli commands.
     # if the above are executed in the shell, the awscli will automatically apply them
 
     # e.g. copy a file directly to the bucket using the exported credentials
-    $ aws s3 cp /path/to/local/file $SYNAPSE_STS_S3_LOCATION
+    $ aws s3 cp /path/to/local/file $SYNAPSE_STS_S3_LOCATION --acl bucket-owner-full-control
 
 Using credentials with boto3 in python
 --------------------------------------
 This example illustrates retrieving STS credentials and using them with boto3 within python code,
-in this case to upload a file.
+in this case to upload a file.  Note that the bucket-owner-full-control ACL is required when putting
+an object via STS credentials. This ensures that the object ownership will be transferred to the
+owner of the AWS bucket.
 
   .. code-block::
 
@@ -133,6 +137,7 @@ in this case to upload a file.
         Filename='/path/to/local/file,
         Bucket='my-external-synapse-bucket',
         Key='path/within/bucket/file',
+        ExtraArgs={'ACL': 'bucket-owner-full-control'},
     )
 
 Automatic transfers to/from STS storage locations using boto3 with synapseclient

diff --git a/tests/integration/synapseclient/core/test_external_storage.py b/tests/integration/synapseclient/core/test_external_storage.py
@@ -155,6 +155,7 @@ def test_sts_external_storage_location(self):
             Filename=temp_file.name,
             Bucket=bucket_name,
             Key=remote_key,
+            ExtraArgs={'ACL': 'bucket-owner-full-control'},
         )
 
         # now read the file using our read credentials