Creating a bucket
To create a bucket, you need the minimum storage.editor
role for the folder.
- In the management console
, select the folder you want to create a bucket in. - Select Object Storage.
- In the top panel, click Create bucket.
- On the bucket creation page:
-
Enter a name for the bucket according to the naming requirements.
By default, a bucket with a dot in the name is only available over HTTP. To provide HTTPS support for your bucket, upload your own security certificate to Object Storage.
-
Limit the maximum bucket size, if required.
If the value is
0
, the maximum size is not limited and is similar to the enabled No limit option. -
Set the public public access parameters to read objects in the bucket, get a list of objects, and read bucket settings:
Restricted
: Authorized Yandex Cloud users onlyPublic
: All users
Warning
Public access is granted to an unlimited number of anonymous users. Use it only when other access grant mechanisms are not available.
-
Select the default storage class:
Standard
.Cold
.Ice
.
"Cold" classes are for long-term storage of objects you intend to use less frequently. The "colder" the storage, the cheaper it is to store data in, but the more expensive it is to read from and write to it.
-
Add labels, if required:
- Click Add label.
- Enter a label in
key: value
format. - Click Enter.
-
Click Create bucket to complete the operation.
-
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
View a description of the CLI command to create a bucket:
yc storage bucket create --help
-
Create a bucket in the default folder:
yc storage bucket create --name <bucket_name>
Where
--name
is the name of the bucket. This is a required parameter. For more information, see Bucket naming rules.By default, a bucket with a dot in the name is only available over HTTP. To provide HTTPS support for your bucket, upload your own security certificate to Object Storage.
Result:
name: example folder_id: b1gmit33ngp6******** anonymous_access_flags: read: false list: false default_storage_class: STANDARD versioning: VERSIONING_DISABLED max_size: "53687091200" acl: {} created_at: "2022-12-16T14:05:12.196007Z"
Optional parameters
-
--default-storage-class
: Storage class. Possible values:standard
: Standard storage. It is installed by default.cold
: Cold storage.ice
: Ice storage.
"Cold" classes are designed to store objects that you plan to use less frequently for longer periods of time. The "colder" your storage is, the less you pay for storing data; however, the costs of reading and writing data increase.
-
--max-size
: Maximum bucket size, in bytes. Default value:0
(unlimited). -
Parameters for enabling public access to a bucket:
--public-read
: Enables public access to reading bucket objects.--public-list
: Enables public access to viewing the list of bucket objects.--public-config-read
: Enables public access to reading bucket settings.
By default, no public access to buckets is allowed.
Warning
Public access is granted to an unlimited number of anonymous users. Use it only when other access grant mechanisms are not available.
-
Parameters to configure the bucket ACL:
-
--acl
: Predefined ACL. For a list of possible values, see Predefined ACLs. You cannot use this parameter together with--grants
. -
--grants
: Configures permissions for individual users, service accounts, user groups, and public groups (a group of all internet users or a group of all authenticated Yandex Cloud users). You cannot use this parameter together with the--acl
parameter. The parameter value is specified in the following format:grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=<permission_type>
, where:grant-type
: Permission grantee type. The possible values are:grant-type-account
: User, service account, or user group.grant-type-all-authenticated-users
: Public group that includes all authenticated Yandex Cloud users.grant-type-all-users
: Public group that includes all internet users.
grantee-id
: ID of the user, service account, or user group you need to grant a permission to. Specified only ifgrant-type=grant-type-account
.permission
: ACL permission type. Possible values:permission-full-control
,permission-write
,permission-read
. For more information about permissions, see Permission types.
To configure multiple permissions, specify the
--grants
parameter multiple times.
By default, an empty ACL is created for each new bucket.
-
For more information about the
yc storage bucket create
command, see the YC CLI reference. -
If you do not have the AWS CLI yet, install and configure it.
To create a bucket, assign the storage.editor
role to the service account used by the AWS CLI.
In the terminal, run this command:
aws s3api create-bucket \
--endpoint-url=https://storage.yandexcloud.net \
--bucket <bucket_name>
Where:
--endpoint-url
: Object Storage endpoint--bucket
: Bucket name
Note
By default, a bucket with a dot in the name is only available over HTTP. To provide HTTPS support for your bucket, upload your own security certificate to Object Storage. For more information, see Bucket naming rules.
Result:
{
"Location": "/<bucket_name>"
}
The new bucket will have the following parameters:
- No limitations to the maximum size.
- Limited access to read objects, get a list of objects, and read bucket setting.
- Storage class:
Standard
.
Optional parameters
You can apply a predefined ACL to a bucket or configure permissions for individual users, service accounts, user groups and public groups (e.g., a group of all internet users or a group of all authenticated Yandex Cloud users). These settings are not compatible: a bucket should have either a predefined ACL or a set of individual permissions.
Note
Predefined ACL
aws s3api create-bucket \
--endpoint-url=https://storage.yandexcloud.net \
--bucket <bucket_name> \
--acl <predefined_ACL>
Where --acl
is a predefined ACL. For the list of values, see Predefined ACLs.
Individual permissions
aws s3api create-bucket \
--endpoint-url=https://storage.yandexcloud.net \
--bucket <bucket_name> \
<permission_type> <permission_grantee>
Where:
-
Possible types of ACL permissions:
--grant-read
: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, static hosting), and read all objects in the bucket.--grant-write
: Permission to write, overwrite, and delete objects in the bucket. Can only be used together with--grant-read
.--grant-full-control
: Full access to the bucket and the objects in it.
You can set multiple permissions within the same command.
-
The possible permission grantees are:
id=<grantee_ID>
: ID of the user, service account, or user group you need to grant a permission to.uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers
: Public group that includes all authenticated Yandex Cloud users.uri=http://acs.amazonaws.com/groups/global/AllUsers
: Public group that includes all internet users.
By default, an empty ACL is created for each new bucket.
For more information about the aws s3api create-bucket
command, see the AWS documentation
Note
Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin
, for the folder where you are going to create resources.
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the documentation on the Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
In the configuration file, describe the parameters of the resources you want to create:
terraform { required_providers { yandex = { source = "yandex-cloud/yandex" } } required_version = ">= 0.13" } // Configuring a provider provider "yandex" { token = "<IAM_or_OAuth_token>" cloud_id = "<cloud_ID>" folder_id = "<folder_ID>" zone = "ru-central1-a" } // Creating a service account resource "yandex_iam_service_account" "sa" { name = "<service_account_name>" } // Assigning a role to a service account resource "yandex_resourcemanager_folder_iam_member" "sa-admin" { folder_id = "<folder_ID>" role = "storage.admin" member = "serviceAccount:${yandex_iam_service_account.sa.id}" } // Creating a static access key resource "yandex_iam_service_account_static_access_key" "sa-static-key" { service_account_id = yandex_iam_service_account.sa.id description = "static access key for object storage" } // Creating a bucket using a key resource "yandex_storage_bucket" "test" { access_key = yandex_iam_service_account_static_access_key.sa-static-key.access_key secret_key = yandex_iam_service_account_static_access_key.sa-static-key.secret_key bucket = "<bucket_name>" max_size = <maximum_bucket_size> default_storage_class = "<storage_class>" anonymous_access_flags { read = <true|false> list = <true|false> config_read = <true|false> } tags = { <key_1> = "<value_1>" <key_2> = "<value_2>" ... <key_n> = "<value_n>" } }
Where:
-
yandex_iam_service_account
: Description of the service account to create and use the bucket:-
name
: Service account name -
bucket
: Bucket nameBy default, a bucket with a dot in the name is only available over HTTP. To provide HTTPS support for your bucket, upload your own security certificate to Object Storage.
-
max_size
: Maximum bucket size, in bytes. -
default_storage_class
: Storage class. Possible values:standard
: Standard storage.cold
: Cold storage.ice
: Ice storage.
"Cold" classes are designed to store objects that you plan to use less frequently for longer periods of time. The "colder" your storage is, the less you pay for storing data; however, the costs of reading and writing data increase.
-
anonymous_access_flags
: Access settings:read
: Public access to read bucket objects.list
: Public access to view the list of bucket objects.config_read
: Public access to read bucket settings.
-
tags
: Bucket labels inkey = "value"
format.
-
name
: Required parameter. Other parameters are optional. By default, themax-size
value is0
, public access to the bucket is disabled, and the storage class is set tostandard
.For more information about the
yandex_storage_bucket
resource parameters in Terraform, see the relevant provider documentation . -
-
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
in the terminal and press Enter.
-
Terraform will create all the required resources. You can check the new resources and their configuration using the management console
To create a bucket, use the create REST API method for the Bucket resource, the BucketService/Create gRPC API call, or the create S3 API method.