Access control lists (ACLs)

Written by

Updated at September 23, 2024

Permission recipient ID
ACL operations
Permission types
Predefined ACLs
Public groups
- AllUsers
- AuthenticatedUsers
Inheritance of bucket access permissions by Yandex Cloud public groups
- Viewing bucket access permissions inherited from a folder
- See also

Object Storage incorporates multiple mechanisms for managing access to resources. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.

An Object Storage ACL is a list of permissions for each object and bucket. It is stored directly in Object Storage.

Permissions granted to a bucket apply to all objects it contains. With ACLs, you can also extend access permissions to individual objects.

Warning

A bucket inherits the same access permissions in IAM as those of the folder and cloud where it is located.

For example, if a user has the viewer role in IAM for the folder containing the bucket, they can view its content, even though such permissions are not provided in the bucket ACL.

By default, Object Storage creates an empty ACL for each new object or bucket. Users with the appropriate access permissions can edit and upload ACLs for Object Storage buckets and objects.

You can use ACLs to grant permissions to a Yandex Cloud user, service account, user group, or public group (the group of all internet users, the group of all authenticated Yandex Cloud users). To do this, you need to know the permission grantee's ID. When granting permissions, you can use predefined ACLs, which contain common permission sets.

In the management console, you can only grant permissions to service accounts created in the same directory as the bucket. You can grant permissions to service accounts belonging to other directories using the YC CLI (only for the ACL bucket), AWS CLI, Terraform, or API.

To view the ACL structure description, see ACL XML schema. You can set up to 100 rules per ACL.

Note

ACLs uploaded for objects apply immediately. ACLs uploaded for buckets, as well as access permissions updated in the IAM service, apply with a delay. For more information about delays, see the IAM documentation.

Permission recipient ID

Yandex Cloud user

You can get the ID in the following ways:
- In the IAM section of the management console.
- Using the IAM CLI or API.
Service account

To get the ID, go to the Service accounts section in the management console.
Public group

Use the public group URI to grant permissions.
User group

To get the ID, navigate to the Groups tab in the Cloud Organization interface.

You can specify a user group using the Yandex Cloud CLI, AWS CLI, Terraform, and the API. For more information, see Editing a bucket ACL and Editing an object ACL.

ACL operations

In the management console, you can edit ACLs for buckets and objects.
Using an Amazon S3-compatible API, you can upload or download ACLs for buckets or objects.

You cannot delete ACLs. To remove all access permissions, upload an empty ACL.

Permission types

Permissions correspond to user roles in IAM.

Permission	Role in IAM	Description
`READ`	`viewer`	For buckets: Permission to retrieve a list of objects in the bucket, read various bucket settings (lifecycle, CORS, static hosting), and read all objects in the bucket. For objects: Read permission.
`WRITE`	`editor`	For buckets: Writing, rewriting and deleting objects in or from the bucket. You must use it together with `READ`; without it, you cannot grant the `WRITE` permission separately. For objects: This permission is meaningless, because the permission is checked for the bucket when writing an object.
`FULL_CONTROL`	`admin`	Full access to objects and buckets.
`READ_ACP`	`viewer`	ACL read permission. For objects only.
`WRITE_ACP`	`editor`	ACL write permission. For objects only.

Note

If you specify the WRITE permission without READ when creating an ACL, Object Storage will return the 501 Not Implemented error code.

Predefined ACLs

ACL	Description
`private` `bucket-owner-full-control`	Yandex Cloud Users get permissions according to their roles in IAM.
`public-read`	The `AllUsers` public group gets the `READ` permission.
`public-read-write`	The `AllUsers` public group gets the `READ` and `WRITE` permissions.
`authenticated-read`	The `AuthenticatedUsers` public group gets the `READ` permission.

Predefined ACLs can be applied to both objects and buckets. When applied to an object, the public-read-write ACL is the same as public-read.

You can upload a predefined ACL using only an Amazon S3-compatible HTTP API. When uploading an ACL, use the X-Amz-Acl HTTP header.

Public groups

AllUsers

This system group includes all internet users.

A permission for AllUsers looks as follows:

<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
</Grantee>

AuthenticatedUsers

This group includes all authenticated Yandex Cloud users: both from your clouds and other users' clouds.

A permission for AuthenticatedUsers looks as follows:

<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
</Grantee>

Inheritance of bucket access permissions by Yandex Cloud public groups

A bucket inherits the same access permissions in IAM as those of the folder and cloud where it is located. If a user has permissions to access the folder or cloud the bucket belongs to, they will also have permissions to access the bucket itself.

Warning

Assigning roles to the All users and All authenticated users public groups for the folder or cloud the bucket belongs to is equivalent to granting public access to the bucket:

All authenticated users: All authenticated Yandex Cloud users get access to the bucket, both from your clouds and other users' clouds.
All users: Access is granted to all users.

You can grant the same access permissions to a bucket by adding access permissions for the AuthenticatedUsers and AllUsers groups to the bucket ACL.

Viewing bucket access permissions inherited from a folder

A bucket inherits access permissions from the folder. If you want to know exactly which access permissions your bucket has inherited, get a list of roles for the folder. You can also revoke these roles at any time.

To get a list of folder roles, run this command:

yc resource-manager folder list-access-bindings \
  --id b1g7gvsi89m3********

Result:

+---------+--------------+-----------------------+
| ROLE ID | SUBJECT TYPE |      SUBJECT ID       |
+---------+--------------+-----------------------+
| viewer  | system       | allAuthenticatedUsers |
| viewer  | system       | allUsers              |
+---------+--------------+-----------------------+

The output contains allAuthenticatedUsers and allUsers. This means the users of these groups are granted rights for this folder and all resources it contains, including buckets.

To revoke a role from the All authenticated users public group, run the following command:

yc resource-manager folder remove-access-binding \
  --id b1g7gvsi89m3******** \
  --role viewer \
  --allAuthenticatedUsers

To revoke a role from the All users public group, run the following command:

yc resource-manager folder remove-access-binding \
  --id b1g7gvsi89m3******** \
  --role viewer \
  --allUsers

Access control lists (ACLs)

Permission recipient IDPermission recipient ID

ACL operationsACL operations

Permission typesPermission types

Predefined ACLsPredefined ACLs

Public groupsPublic groups

AllUsersAllUsers

AuthenticatedUsersAuthenticatedUsers

Inheritance of bucket access permissions by Yandex Cloud public groupsInheritance of bucket access permissions by Yandex Cloud public groups

Viewing bucket access permissions inherited from a folderViewing bucket access permissions inherited from a folder

See alsoSee also

Was the article helpful?