aws --endpoint-url=https://s3-api.us-geo.objectstorage.softlayer.net s3api put-object-acl --bucket mytestbucket --key foo.txt --acl public-read-write
aws --endpoint-url=https://s3-api.us-geo.objectstorage.softlayer.net s3api get-object-acl --bucket mytestbucket --key foo.txt
{
    "Owner": {
        "DisplayName": "b25ce81dcaa1498db3d1c802b3fdd",
        "ID": "b25ce81dcaa1498db3d1c802b3fdd"
    },
    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "READ"
        },
        {
            "Grantee": {
                "Type": "CanonicalUser",
                "DisplayName": "b25ce81dcaa1498db3d1c802b3fdd",
                "ID": "b25ce81dcaa1498db3d1c802b3fdd"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}
Using ACLs to grant specific accounts WRITE permission is only possible at the bucket level. Objects can still be granted PUBLIC-READ-WRITE permissions using a canned ACL, but only READ permissions will be set.

Object ACLs are limited to granting specific accounts READ, READ_ACP (read ACL), or WRITE_ACP (write ACL) permissions, and FULL_CONTROL grants all three permissions. That said, the CLI commands you are issuing up there are correct, and AWS has the same limitations for object ACLs.
For more information on creating object ACLs, see the API documentation.
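
Added example (not part of the original answer): a small audit of `get-object-acl` output that expands each grant into object-level permissions and flags both public grants and the gap between a requested `public-read-write` canned ACL and what was actually set. The function names and the sample document are assumptions made for illustration; the sample uses a placeholder owner ID.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
# Permissions an object ACL can carry; FULL_CONTROL expands to all three.
OBJECT_PERMS = {"READ", "READ_ACP", "WRITE_ACP"}

# Constructed sample in the shape of the get-object-acl output above
# (the owner ID is a placeholder, not a real account).
SAMPLE_ACL = json.loads("""
{"Owner": {"DisplayName": "OWNER-ID-PLACEHOLDER", "ID": "OWNER-ID-PLACEHOLDER"},
 "Grants": [
  {"Grantee": {"Type": "Group",
               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
   "Permission": "READ"},
  {"Grantee": {"Type": "CanonicalUser", "DisplayName": "OWNER-ID-PLACEHOLDER",
               "ID": "OWNER-ID-PLACEHOLDER"},
   "Permission": "FULL_CONTROL"}]}
""")

def permissions_by_grantee(acl):
    """Map each grantee (group URI or canonical ID) to its expanded permissions."""
    result = {}
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        key = grantee.get("URI") or grantee.get("ID")
        perm = grant["Permission"]
        expanded = OBJECT_PERMS if perm == "FULL_CONTROL" else {perm}
        result.setdefault(key, set()).update(expanded)
    return result

def public_permissions(acl):
    """Permissions granted to the AllUsers group, i.e. to anonymous callers."""
    return permissions_by_grantee(acl).get(ALL_USERS, set())

def audit(acl, requested_canned_acl):
    """Return findings: public exposure, and a canned ACL that was not fully applied."""
    findings = []
    public = public_permissions(acl)
    if public:
        findings.append(f"AllUsers holds: {sorted(public)}")
    if requested_canned_acl == "public-read-write" and "WRITE" not in public:
        findings.append("public-read-write requested, but no WRITE grant on the object")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACL, "public-read-write"):
        print(finding)
```

In practice the ACL document would come from the `get-object-acl` call shown above rather than from the embedded sample.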