Using the Node.js SDK for IBM Cloud Object Storage, I can successfully create new objects with the public-read ACL setting.
    // s3 is an S3 client from the ibm-cos-sdk package; stream is a readable stream
    var params = {Bucket: 'bucket', Key: 'key', Body: stream, ACL: 'public-read'};
    s3.upload(params, function(err, data) {
      console.log(err, data);
    });
Files can be accessed without authentication once uploaded.
However, once a file is uploaded, trying to update the ACL permissions to turn a private file to public-read fails with Access Denied errors.
    // putObjectAcl takes no Body parameter; only the bucket, key and ACL are sent
    var params = {Bucket: 'bucket', Key: 'key', ACL: 'public-read'};
    s3.putObjectAcl(params, function(err, data) {
      console.log(err, data);
    });
This is the error message returned in the response.
{
"errorMessage": "Access Denied",
"errorType": "Error"
}
Retrieving the ACL using getObjectAcl also fails with the same issue.
Authentication credentials must have the Manager role to access and modify ACLs for existing objects.
Check the role assigned to your service identifier. If you can create new objects, you may have the Writer role rather than the Manager.
More details on the permissions model can be found here: https://console.bluemix.net/docs/services/cloud-object-storage/iam/buckets.html#bucket-permissions
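
One way to surface the missing role before changing an ACL, as an added example that is not part of the original question or answer and is not IBM's code. The helper names (isAccessDenied, probeAclAccess, makePublicRead, stubClient) are hypothetical, the check on err.code and err.statusCode is an assumption about how the SDK reports a 403, and the stub client is constructed so the example runs offline.

```javascript
// Added example. `s3` is any client exposing getObjectAcl/putObjectAcl with
// the SDK's .promise() style; pass a real ibm-cos-sdk S3 client in practice.

// Assumption: a 403 surfaces as err.code 'AccessDenied' or statusCode 403.
// The "Access Denied" message text is what the error output above shows.
function isAccessDenied(err) {
  return Boolean(err) && (err.code === 'AccessDenied' || err.statusCode === 403 ||
    /access denied/i.test(String(err.message)));
}

const ROLE_HINT = 'ACL access denied: the service ID needs the Manager role ' +
  '(Writer can create objects but cannot read or change ACLs).';

// Read-only probe: reading an ACL needs the Manager role just like changing
// one, so this reveals the missing role without touching the object.
async function probeAclAccess(s3, bucket, key) {
  try {
    const acl = await s3.getObjectAcl({ Bucket: bucket, Key: key }).promise();
    return { canManageAcl: true, grants: acl.Grants || [], hint: null };
  } catch (err) {
    if (isAccessDenied(err)) return { canManageAcl: false, grants: [], hint: ROLE_HINT };
    throw err; // a missing key or network failure is not a role problem
  }
}

// Sets public-read only after the probe succeeds, and reports the role hint
// instead of a bare "Access Denied" when it does not.
async function makePublicRead(s3, bucket, key) {
  const probe = await probeAclAccess(s3, bucket, key);
  if (!probe.canManageAcl) return { changed: false, hint: probe.hint };
  await s3.putObjectAcl({ Bucket: bucket, Key: key, ACL: 'public-read' }).promise();
  return { changed: true, hint: null };
}

// Constructed stand-in for the SDK client: every ACL call is rejected
// unless the simulated role is 'Manager'.
function stubClient(role) {
  const calls = [];
  const op = (name, result) => () => ({
    promise: () => {
      calls.push(name);
      if (role === 'Manager') return Promise.resolve(result);
      const err = new Error('Access Denied');
      return Promise.reject(Object.assign(err, { code: 'AccessDenied', statusCode: 403 }));
    },
  });
  return { calls, getObjectAcl: op('getObjectAcl', { Grants: [] }), putObjectAcl: op('putObjectAcl', {}) };
}
```

Errors other than Access Denied are rethrown unchanged, so a wrong key name is not misreported as a role problem.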