CAL - AWS S3 Get ACL subflow

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of CAL - AWS S3 Get ACL subflow

    This subflow is designed to retrieve the Access Control List (ACL) details for a specified Amazon Web Services (AWS) S3 bucket. It enables ServiceNow customers to programmatically access bucket permissions and ownership information, which is critical for managing and auditing S3 bucket access within their cloud environment.

    Show full answer Show less

    Subscription and Role Requirements

    • Subscription: Requires Integration Hub Enterprise or App Engine subscription to use within custom flows.
    • User Roles: Requires delegated development roles or appropriate user roles for accessing Flow Designer.
    • Cloud Permission: The caller must have the s3:GetBucketAcl permission in AWS to execute the subflow.

    Inputs

    To execute the subflow, you provide the following inputs:

    • Bucket Name: The AWS S3 bucket name as a string.
    • Use MID Server: Boolean to indicate if a MID Server is used for outbound calls.
    • MID Server: Reference to the MID Server record if used.
    • Credential Alias: The AWS credential alias record to authenticate the request.

    Outputs

    The subflow returns detailed ACL information that can be used in subsequent actions or flows, including:

    • Authorization Status: Indicates if the call was authorized (true/false).
    • Bucket Region: AWS datacenter region hosting the bucket.
    • Error Code: Client error code if the call fails.
    • Permissions: Multiple booleans indicating the bucket permissions for owners, public users, and authenticated users, such as read, write, full control, and list capabilities.
    • ACL Read/Write Permissions: Whether the owner, public users, and authenticated users can read or update the bucket ACL.
    • Owner Information: Canonical user ID and display name of the bucket owner (display name may be unavailable for federated login).

    Practical Use for ServiceNow Customers

    This subflow enables automated governance and compliance checks by providing visibility into who can access and modify your S3 buckets. It helps ensure security policies are enforced and access permissions are correctly configured. Integrating this subflow into your workflows allows for real-time auditing and alerting based on ACL changes or unauthorized access attempts.

    Subflow that retrieves the Access Control List (ACL) details for the specified Amazon Web Services (AWS) S3 bucket.

    Roles and availability

    Subscription requirements
    To use this subflow in custom flows, you must obtain an Integration Hub Enterprise subscription or an App Engine subscription. For more information, see Request Integration Hub.
    Role requirements
    This subflow requires roles granted by delegated development or assigned to the user. For more information, see User access to Flow Designer.

    Cloud permission

    To execute this subflow, the caller must have the s3:GetBucketAcl cloud permission.

    Inputs

    Provide a value for each input that your action needs. To add dynamic values, you can also select data pills using the pill picker.

    Bucket Name
    Data type: String

    Name of the AWS S3 bucket.

    Use MID
    Data type: True/False

    Selection to indicate whether to use a MID Server to make the outbound calls.

    MID Server
    Data type: Record

    MID Server for making the outbound calls.

    Credential Alias
    Data type: Record

    Credential alias for the AWS credential.

    Outputs

    You can use these outputs as inputs for other actions.

    Is Access Denied
    Data type: True/False
    Server authorization status of the call.
    • True: The server has authorized the call
    • False: The server didn't authorize the call
    Bucket Region
    Data type: String

    Datacenter where the specified AWS S3 bucket is hosted.

    Error Code
    Data type: String

    Client error code returned for the failed call.

    Owner write
    Data type: True/False

    The bucket owner can write into the bucket.

    Owner full control
    Data type: True/False

    The owner has all the permissions for the bucket.

    Owner listing
    Data type: True/False

    The bucket owner can list the contents of the bucket.

    Public write
    Data type: True/False

    Anyone (public access) can write into the bucket.

    Public listing
    Data type: True/False

    Anyone (public access) can list the contents of the bucket.

    Public full control
    Data type: True/False

    Everyone (public access) has all the permissions.

    Auth Users Write
    Data type: True/False

    Authenticated user groups (users with an AWS account) can write into the bucket.

    Auth Users Full Control
    Data type: True/False

    Authenticated user groups (users with an AWS account) have all the permissions for the bucket.

    Owner Read ACL
    Data type: True/False

    Owner of the bucket can read the bucket ACL.

    Owner Write ACL
    Data type: True/False

    Owner of the bucket can write or update the bucket ACL.

    Public Read ACL
    Data type: True/False

    Anyone (public access) can read the bucket ACL.

    Public Write ACL
    Data type: True/False

    Anyone (public access) can write or update the bucket ACL.

    Auth Users Read ACL
    Data type: True/False

    Authenticated user groups (users with an AWS account) can read the bucket ACL.

    Auth Users Write ACL
    Data type: True/False

    Authenticated user groups (users with an AWS account) can write or update the bucket ACL.

    Auth Users Listing
    Data type: True/False

    Authenticated user group (users with an AWS account) can list the contents of the bucket.

    Owner ID
    Data type: String

    Canonical user ID of the AWS account.

    Owner Display Name
    Data type: String

    Display name of the resource owner.

    For federated login, the subflow doesn't return any Owner Display Name.