Accessing a bucket using a service connection from Yandex Virtual Private Cloud
Warning: The Service connections functionality (VPC Private Endpoints) is at the Preview stage and will become available for testing from September 26, 2024. To request access, contact your account manager.
To make Object Storage buckets accessible from VPC cloud networks directly, use a VPC service connection. With this connection, Object Storage is reachable via VPC internal IP addresses, so no Internet access is needed.
To enable access to a bucket using a service connection from VPC:
Create a VPC service connection
To create a service connection, you need one of the following roles:
- vpc.privateEndpoints.editor
- vpc.privateEndpoints.admin
- vpc.privateAdmin
- vpc.admin
- admin
If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the `--folder-name` or `--folder-id` parameter.
- View the description of the CLI command to create a service connection:

  ```bash
  yc vpc private-endpoint create --help
  ```
- Create a service connection to Object Storage in the default folder:

  ```bash
  yc vpc private-endpoint create \
    --name s3-vpc-link \
    --description "Private Endpoint to the Object Storage" \
    --network-name default-net \
    --object-storage
  ```

  Where:
  - `--name`: (Optional) Service connection name.
  - `--description`: (Optional) Service connection description.
  - `--network-name`: Name of the cloud network the service connection will be created in. You can also use the network ID in the `--network-id` parameter.
  - `--object-storage`: Service connection to Object Storage. Other service connection types are not available yet.
  When creating a service connection, you can use the following additional parameters:
  - `--address-spec`: (Optional) Parameters in `key=value` format for the internal IP address which will be assigned to the service connection:
    - `address`: (Optional) Private IP address for the service connection. If no IP address is provided, a random one will be assigned from the specified subnet.
    - `subnet-id`: (Optional) ID of the subnet to provide an IP address for the service connection. If no subnet ID is provided, a random internal IP address will be assigned from one of the subnets in the cloud network.

    Note: To create a service connection, there must be at least one subnet in your network.
  - `--private-dns-records-enabled`: (Optional) Parameter to create additional DNS resource records that override the public FQDN of the service to which the connection is created. Depending on whether the parameter is used, the following resource records will be created automatically for access to Object Storage:
    - The parameter is not used:

      | Name | Type | Value |
      | --- | --- | --- |
      | storage.pe.yandexcloud.net | A | <internal_IP_address_of_the_service_connection> |
      | *.storage.pe.yandexcloud.net | A | <internal_IP_address_of_the_service_connection> |

    - The parameter is used:

      | Name | Type | Value |
      | --- | --- | --- |
      | storage.pe.yandexcloud.net | A | <internal_IP_address_of_the_service_connection> |
      | *.storage.pe.yandexcloud.net | A | <internal_IP_address_of_the_service_connection> |
      | storage.yandexcloud.net | A | <internal_IP_address_of_the_service_connection> |
      | *.storage.yandexcloud.net | A | <internal_IP_address_of_the_service_connection> |
- Make sure the service connection was created:

  ```bash
  yc vpc private-endpoint list
  ```

  Command result:

  ```text
  +----------------------+-------------+--------------------------------+
  |          ID          |    NAME     |          DESCRIPTION           |
  +----------------------+-------------+--------------------------------+
  | enpd7rq************* | s3-vpc-link | Private Endpoint to the Object |
  |                      |             | Storage                        |
  +----------------------+-------------+--------------------------------+
  ```

  For how to get the parameters of a service connection you created, see Getting information about a service connection.

  Save the service connection ID.

Object Storage buckets are now accessible via the VPC internal IP address without any Internet access.
Configure the access policy for the bucket
To restrict access to a bucket to VPC internal IP addresses only, assign a bucket policy for the service connection.
- In the management console, select the folder where you configured the VPC service connection.
- Select Object Storage.
- Select a bucket from the list.
- Go to the Security tab in the left-hand menu.
- At the top of the screen, go to the Access policy tab.
- Click Configure access.
- Enter a bucket policy ID, e.g., `private-endpoint-policy`.
- Set up a rule:
  - Enter a rule ID, e.g., `private-endpoint-rule`.
  - Configure rule settings:
    - Result: Enable.
    - Selection principle: Include users.
    - User: All users.
    - Action: Select All actions.
    - Resource: `<bucket_name>/*`. Click Add resource and enter `<bucket_name>`.

      Note: A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all objects, specify them as separate resources, such as `samplebucket` and `samplebucket/*`.
  - Add a condition for the rule:
    - In the Key field, select `private-endpoint-id`.
    - In the Operator field, select `StringEquals`.
    - In the Value field, specify the service connection (Private Endpoint) ID, e.g., `enpd7rq1s3f5********`.
- Click Save.
Note: To manage a policy using the AWS CLI, a service account must have the `storage.admin` role assigned.

If you do not have the AWS CLI yet, install and configure it.

- Describe your access policy configuration as a data schema in JSON format:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": [
        "arn:aws:s3:::<bucket_name>/*",
        "arn:aws:s3:::<bucket_name>"
      ],
      "Condition": {
        "StringEquals": {
          "yc:private-endpoint-id": "<connection_ID>"
        }
      }
    }
  }
  ```

  Where:
  - `<bucket_name>`: Name of the bucket in Object Storage to apply the access policy to, e.g., `my-s3-bucket`.
  - `<connection_ID>`: Service connection ID (Private Endpoint), e.g., `enpd7rq1s3f5********`.
- Once complete, save the configuration to a file named `policy.json`.
- Run this command:

  ```bash
  aws s3api put-bucket-policy \
    --endpoint https://storage.yandexcloud.net \
    --bucket <bucket_name> \
    --policy file://policy.json
  ```

After successfully applying the bucket policy, connection to the bucket will be possible only from the VPC cloud network in which the relevant service connection (Private Endpoint) was created.

To learn more about managing a bucket policy, see Bucket policy management.
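The policy document above, worked through as an added example that is not part of the Yandex Cloud documentation: a Python script that fills in the policy for a bucket name and service connection ID, checks that both the bucket and its objects are listed as resources (the point made in the note to the console steps), writes `policy.json` for `aws s3api put-bucket-policy`, and runs sample requests through a simplified evaluator of the `StringEquals` condition to show that only requests carrying the matching `yc:private-endpoint-id` are admitted. The evaluator models only `StringEquals`, `Allow`/`Deny` and wildcard matching; it is an illustrative assumption, not Object Storage's own policy engine, which also takes IAM permissions into account. The bucket name and connection ID are constructed sample values, and the `enp` prefix check is an assumption based on the IDs shown on this page.

```python
# Added example (not Yandex Cloud's code): generate the private-endpoint bucket
# policy from the page and exercise it with a simplified S3-style evaluator.
import fnmatch
import json
from typing import Any, Dict, List, Mapping

CONDITION_KEY = "yc:private-endpoint-id"


def build_private_endpoint_policy(bucket_name: str, connection_id: str) -> Dict[str, Any]:
    """Return the policy document shown on the page, filled in for one bucket and
    one service connection. Both the bucket ARN and the bucket/* ARN are listed
    because a bucket resource does not cover the objects stored in it."""
    if not bucket_name or "/" in bucket_name or "*" in bucket_name:
        raise ValueError("bucket_name must be a plain bucket name")
    if not connection_id.startswith("enp"):
        # Assumption: service connection IDs carry the "enp" prefix seen in the page's examples.
        raise ValueError("connection_id does not look like a service connection ID")
    return {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                f"arn:aws:s3:::{bucket_name}/*",
                f"arn:aws:s3:::{bucket_name}",
            ],
            "Condition": {"StringEquals": {CONDITION_KEY: connection_id}},
        },
    }


def _as_list(value: Any) -> List[Any]:
    # Policy fields such as Statement, Action and Resource may be a single value or a list.
    return value if isinstance(value, list) else [value]


def _conditions_hold(conditions: Mapping[str, Any], context: Mapping[str, str]) -> bool:
    """Only StringEquals is modelled (the operator the page uses). A key absent from
    the request context, e.g. a request arriving from the Internet rather than
    through a service connection, fails the condition."""
    for key, expected in conditions.get("StringEquals", {}).items():
        if key not in context or context[key] not in _as_list(expected):
            return False
    return True


def is_allowed(policy: Mapping[str, Any], resource_arn: str, action: str,
               context: Mapping[str, str]) -> bool:
    """Simplified evaluation: an explicit Deny wins, otherwise the request needs at
    least one matching Allow statement; no match at all is an implicit deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
        resource_ok = any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource", [])))
        if not (action_ok and resource_ok and _conditions_hold(stmt.get("Condition", {}), context)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def policy_covers_bucket_and_objects(policy: Mapping[str, Any], bucket_name: str) -> bool:
    """Check the note from the console steps: the bucket itself and bucket/* must
    both appear as resources, otherwise object operations are not covered."""
    resources = {r for s in _as_list(policy["Statement"]) for r in _as_list(s.get("Resource", []))}
    return {f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"} <= resources


def write_policy_file(policy: Mapping[str, Any], path: str = "policy.json") -> str:
    """Write the document for `aws s3api put-bucket-policy --policy file://policy.json`."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=2)
    return path


if __name__ == "__main__":
    # Constructed sample values; use your bucket and the ID from `yc vpc private-endpoint list`.
    policy = build_private_endpoint_policy("my-s3-bucket", "enpd7rq1s3f5********")
    print(json.dumps(policy, indent=2))
    via_link = {CONDITION_KEY: "enpd7rq1s3f5********"}
    obj = "arn:aws:s3:::my-s3-bucket/report.csv"
    print("via service connection:", is_allowed(policy, obj, "s3:GetObject", via_link))
    print("from the Internet:", is_allowed(policy, obj, "s3:GetObject", {}))
```

Running the script prints the filled-in policy followed by `True` for the request that carries the connection ID and `False` for the one that does not; `write_policy_file` produces the `policy.json` consumed by the `aws s3api put-bucket-policy` command above.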