Contact UsGet started

Accessing a bucket using a service connection from Yandex Virtual Private Cloud

Written by
Updated at October 28, 2024

Warning

The Service connections functionality (VPC Private Endpoints) is at the Preview stage and will become available for testing from September 26, 2024. To request access, contact your account manager.

To make Object Storage buckets accessible from VPC cloud networks directly, use a VPC service connection. With this connection, Object Storage is accessible via VPC internal IP addresses, no Internet access needed.

To enable access to a bucket using a service connection from VPC:

  1. Create a VPC service connection.
  2. Configure the access policy for the bucket.

Create a VPC service connection

To create a service connection, you need one of the following roles:

  • vpc.privateEndpoints.editor
  • vpc.privateEndpoints.admin
  • vpc.privateAdmin
  • vpc.admin
  • admin

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command to create a service account:

    yc vpc private-endpoint create --help

  2. Create a service connection to Object Storage in the default folder:

    yc vpc private-endpoint create \
  --name s3-vpc-link \
  --description "Private Endpoint to the Object Storage" \
  --network-name default-net \
  --object-storage

    Where:

    • --name: (Optional) Service connection name.
    • --description: (Optional) Service connection description.
    • --network-name: Name of the cloud network the service connection will be created in. You can also use network ID in the --network-id parameter.
    • --object-storage: Service connection to Object Storage. Other service connection types are not available yet.

    When creating a service connection, you can use the following additional parameters:

    • --address-spec: (Optional) Parameters in key=value format for the internal IP address which will be assigned to the service connection:

      • address: (Optional) Private IP address for the service connection. If no IP address is provided, a random one will be assigned from the specified subnet.

      • subnet-id: (Optional) ID of the subnet to provide an IP address for the service connection. If no subnet ID is provided, a random internal IP address will be assigned from one of subnets in the cloud network.

        Note

        To create a service connection, there must be at least one subnet in your network.

    • --private-dns-records-enabled: (Optional) Parameter to create additional DNS resource records to override the public FQDN of the service to which the connection is created.

      Depending on whether the parameter is used, the following resource records will be created automatically for access to Object Storage:

      • The parameter is not used:

        Name Type Value
        storage.pe.yandexcloud.net A <internal_IP_address_of_the_service_connection>
        *.storage.pe.yandexcloud.net A <internal_IP_address_of_the_service_connection>

      • The parameter is used:

        Name Type Value
        storage.pe.yandexcloud.net A <internal_IP_address_of_the_service_connection>
        *.storage.pe.yandexcloud.net A <internal_IP_address_of_the_service_connection>
        storage.yandexcloud.net A <internal_IP_address_of_the_service_connection>
        *.storage.yandexcloud.net A <internal_IP_address_of_the_service_connection>

  3. Make sure the service connection was created:

    yc vpc private-endpoint list

    Command result:

    +----------------------+-------------+--------------------------------+
|          ID          |    NAME     |          DESCRIPTION           |
+----------------------+-------------+--------------------------------+
| enpd7rq************* | s3-vpc-link | Private Endpoint to the Object |
|                      |             | Storage                        |
+----------------------+-------------+--------------------------------+

On how to get the parameters of a service connection you created, see Getting information about a service connection.

Save the service connection ID.

Object Storage buckets are now accessible via the VPC internal IP address without any internet access.

Configure the access policy for the bucket

To restrict access to a bucket to VPC internal IP addresses only, assign a bucket policy for the service connection.

  1. In the management console, select the folder where you configured the VPC service connection.

  2. Select Object Storage.

  3. Select a bucket from the list.

  4. Go to the Security tab in the left-hand menu.

  5. At the top of the screen, go to the Access policy tab.

  6. Click Configure access.

  7. Enter a bucket policy ID, e.g., private-endpoint-policy.

  8. Set up a rule:

    1. Enter a rule ID, e.g., private-endpoint-rule.

    2. Configure rule settings:

      • Result: Enable.

      • Selection principle: Include users.

      • User: All users.

      • Action: Select All actions.

      • Resource<bucket_name>/*.

        Click Add resource and enter <bucket_name>.

        Note

        A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all objects, specify them as separate resources, such as samplebucket and samplebucket/*.

    3. Add a condition for the rule:

      • In the Key field, select private-endpoint-id.
      • In the Operator field, select StringEquals.
      • In the Value field, specify the service connection (Private Endpoint) ID, e.g., enpd7rq1s3f5********.

  9. Click Save.

Note

To manage a policy using the AWS CLI, a service account must have the storage.admin role assigned.

If you do not have the AWS CLI yet, install and configure it.

  1. Describe your access policy configuration as a data schema in JSON format:

    {
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "*",
    "Resource": [
      "arn:aws:s3:::<bucket_name>/*",
      "arn:aws:s3:::<bucket_name>"
    ],
    "Condition": {
      "StringEquals": {
        "yc:private-endpoint-id": "<connection_ID>"
      }
    }
  }
}

    Where:

    • <bucket_name>: Name of the bucket in Object Storage to apply the access policy to, e.g., my-s3-bucket.
    • <connection_ID>: Service connection ID (Private Endpoint), e.g., enpd7rq1s3f5********.

  2. Once complete, save the configuration to a file named policy.json.

  3. Run this command:

    aws s3api put-bucket-policy \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --policy file://policy.json

After successfully applying the bucket policy, connection to the bucket will be possible only from the VPC cloud network in which the relevant service connection (Private Endpoint) was created.

To learn more about managing a bucket policy, see Bucket policy management.

See also

Previous
Accessing a bucket using Security Token Service
Next
Managing bucket versioning