Set ACL for upload to S3 in consolidated configuration
Proposal
Copying some of the details from this existing issue but raising this new issue to be clear that this issue also exists for all other S3-backed storage in GitLab. This also mirrors ongoing work on this issue for container-registry backed by S3.
Currently, GitLab can use S3 object storage for dependency_proxy, artifacts, uploads, etc. via a consolidated configuration as described here.
As AWS is about to change the default bucket ACL behavior to become incompatible with GitLab out of the box by flipping to "Bucket owner enforced", I would like to have the option to set an ACL which can override the current default (and non-configurable) behavior. The change from AWS is documented here:
Starting in April 2023, Amazon S3 will change the default settings for S3 Block Public Access and Object Ownership (ACLs disabled) for all new S3 buckets. For new buckets created after this update, all S3 Block Public Access settings will be enabled, and S3 access control lists (ACLs) will be disabled. These defaults are the recommended best practices for securing data in Amazon S3. You can adjust these settings after creating your bucket. For more information, see Default settings for new S3 buckets FAQ and Heads-Up: Amazon S3 Security Changes Are Coming in April of 2023 in the AWS News Blog.
To support the new AWS defaults we are required to set the ACL to bucket-owner-full-control or else forgo setting any object ACL, but as far as I can see, this isn't possible in the current GitLab configuration.