CAL - AWS S3 Get ACL subflow

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of CAL - AWS S3 Get ACL subflow

    This subflow enables ServiceNow customers to retrieve the Access Control List (ACL) details for a specified Amazon Web Services (AWS) S3 bucket. It provides detailed permission and ownership information about the bucket, which is essential for managing and auditing access control within AWS S3 storage resources.

    Show full answer Show less

    Subscription and Role Requirements

    • Subscription: Requires Integration Hub Enterprise or App Engine subscription to use in custom flows.
    • User Roles: Requires delegated development roles or assigned roles to the user to access Flow Designer features.
    • Cloud Permission: Caller must have the AWS permission s3:GetBucketAcl to execute this subflow.

    Inputs

    The subflow requires the following inputs to operate:

    • Bucket Name: The name of the AWS S3 bucket to query.
    • Use MID Server: Boolean flag to indicate if a MID Server should be used for outbound calls.
    • MID Server: Reference to the MID Server record for executing the call if applicable.
    • Credential Alias: Alias for the AWS credentials to authenticate the request.

    Outputs

    The subflow returns comprehensive ACL details and status information, which can be used as inputs for subsequent actions in your flow. Key outputs include:

    • Is Access Denied: Indicates whether the server authorized the ACL retrieval call.
    • Bucket Region: AWS datacenter location of the bucket.
    • Error Code: AWS client error code if the call fails.
    • Permission Flags: Multiple boolean flags indicating if the bucket owner, public users, or authenticated AWS users have various permissions such as write, list, full control, and ACL read/write access.
    • Owner Information: Includes the canonical user ID and display name of the bucket owner (display name may be unavailable for federated logins).

    Practical Benefits for ServiceNow Customers

    By integrating this subflow, customers can automate the retrieval and evaluation of S3 bucket permissions directly within ServiceNow workflows. This streamlines security audits, compliance checks, and access management for AWS S3 resources without manual AWS console intervention. The detailed ACL outputs enable precise control and visibility over who can access or modify bucket contents and permissions.

    Subflow that retrieves the Access Control List (ACL) details for the specified Amazon Web Services (AWS) S3 bucket.

    Roles and availability

    Subscription requirements
    To use this subflow in custom flows, you must obtain an Integration Hub Enterprise subscription or an App Engine subscription. For more information, see Request Integration Hub.
    Role requirements
    This subflow requires roles granted by delegated development or assigned to the user. For more information, see User access to Flow Designer.

    Cloud permission

    To execute this subflow, the caller must have the s3:GetBucketAcl cloud permission.

    Inputs

    Provide a value for each input that your action needs. To add dynamic values, you can also select data pills using the pill picker.

    Bucket Name
    Data type: String

    Name of the AWS S3 bucket.

    Use MID
    Data type: True/False

    Selection to indicate whether to use a MID Server to make the outbound calls.

    MID Server
    Data type: Record

    MID Server for making the outbound calls.

    Credential Alias
    Data type: Record

    Credential alias for the AWS credential.

    Outputs

    You can use these outputs as inputs for other actions.

    Is Access Denied
    Data type: True/False
    Server authorization status of the call.
    • True: The server has authorized the call
    • False: The server didn't authorize the call
    Bucket Region
    Data type: String

    Datacenter where the specified AWS S3 bucket is hosted.

    Error Code
    Data type: String

    Client error code returned for the failed call.

    Owner write
    Data type: True/False

    The bucket owner can write into the bucket.

    Owner full control
    Data type: True/False

    The owner has all the permissions for the bucket.

    Owner listing
    Data type: True/False

    The bucket owner can list the contents of the bucket.

    Public write
    Data type: True/False

    Anyone (public access) can write into the bucket.

    Public listing
    Data type: True/False

    Anyone (public access) can list the contents of the bucket.

    Public full control
    Data type: True/False

    Everyone (public access) has all the permissions.

    Auth Users Write
    Data type: True/False

    Authenticated user groups (users with an AWS account) can write into the bucket.

    Auth Users Full Control
    Data type: True/False

    Authenticated user groups (users with an AWS account) have all the permissions for the bucket.

    Owner Read ACL
    Data type: True/False

    Owner of the bucket can read the bucket ACL.

    Owner Write ACL
    Data type: True/False

    Owner of the bucket can write or update the bucket ACL.

    Public Read ACL
    Data type: True/False

    Anyone (public access) can read the bucket ACL.

    Public Write ACL
    Data type: True/False

    Anyone (public access) can write or update the bucket ACL.

    Auth Users Read ACL
    Data type: True/False

    Authenticated user groups (users with an AWS account) can read the bucket ACL.

    Auth Users Write ACL
    Data type: True/False

    Authenticated user groups (users with an AWS account) can write or update the bucket ACL.

    Auth Users Listing
    Data type: True/False

    Authenticated user group (users with an AWS account) can list the contents of the bucket.

    Owner ID
    Data type: String

    Canonical user ID of the AWS account.

    Owner Display Name
    Data type: String

    Display name of the resource owner.

    For federated login, the subflow doesn't return any Owner Display Name.