Editing a bucket's ACL

Note
Object Storage incorporates multiple mechanisms for managing access to resources. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.

Management console
- In the management console, select Object Storage from the list of services.
- Select the bucket you need and click → Object ACL.
- In the ACL editing window, grant or revoke the appropriate permissions.

Note
In the management console, you can only grant permissions to service accounts created in the same folder as the bucket. To grant permissions to service accounts from other folders, use the YC CLI (bucket ACLs only), the AWS CLI, Terraform, or the API.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
Before configuring an ACL, view the description of the CLI command for editing a bucket:
```bash
yc storage bucket update --help
```
To view a bucket's current ACL, run this command:
```bash
yc storage bucket get <bucket_name> --with-acl
```
You can apply a predefined ACL to a bucket or configure permissions for individual users, service accounts, user groups and public groups (e.g., a group of all internet users or a group of all authenticated Yandex Cloud users). These settings are not compatible: a bucket should have either a predefined ACL or a set of individual permissions.
- Predefined ACL
  Run this command:
  ```bash
  yc storage bucket update --name <bucket_name> --acl <predefined_ACL>
  ```
  Where:
  - --name: Bucket name.
  - --acl: Predefined ACL. For the list of values, see Predefined ACLs.
  Result:
  ```yaml
  name: my-bucket
  folder_id: csgeoelk7fl1********
  default_storage_class: STANDARD
  versioning: VERSIONING_DISABLED
  max_size: "1073741824"
  acl:
    grants:
      - permission: PERMISSION_READ
        grant_type: GRANT_TYPE_ALL_USERS
  created_at: "2022-12-14T19:10:05.957940Z"
  ```
- Setting up individual permissions
  - To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:
    - User.
    - Service account.
    - User group: Navigate to the Groups tab in the Cloud Center interface.
  - Run this command:
    ```bash
    yc storage bucket update --name <bucket_name> \
      --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=<permission_type>
    ```
    Where:
    - grant-type: Permission grantee type. The possible values are:
      - grant-type-account: User, service account, or user group.
      - grant-type-all-authenticated-users: Public group that includes all authenticated Yandex Cloud users.
      - grant-type-all-users: Public group that includes all internet users.
    - grantee-id: ID of the user, service account, or user group you need to grant a permission to. Specified only if grant-type=grant-type-account.
    - permission: ACL permission type. The possible values are:
      - permission-read: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, or static hosting), and read all objects in the bucket.
      - permission-write: Permission to write, overwrite, and delete objects in the bucket. Can only be used together with permission-read.
      - permission-full-control: Full access to the bucket and the objects in it.
    For more information about permissions, see Permission types.
    To configure multiple permissions, specify the --grants parameter multiple times. For example, to grant a write permission for a bucket, run the following command:
    ```bash
    yc storage bucket update --name <bucket_name> \
      --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=permission-read \
      --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=permission-write
    ```
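The rules stated above for the yc CLI (a bucket takes either --acl or --grants, grantee-id only goes with grant-type-account, and permission-write is only valid alongside permission-read) are easy to get wrong in a script that assembles the command. The following added example, which is not code from the Yandex Cloud documentation or the yc CLI, encodes those rules as a validator that composes the argument list for `yc storage bucket update` and refuses an inconsistent request before anything reaches the API. It only builds argv; the helper names, the sample bucket name and the placeholder service account ID are assumptions.

```python
"""Compose a `yc storage bucket update` call and validate the ACL request first.

Added example (not code from the Yandex Cloud docs or the yc CLI). Rules enforced:
  - a bucket gets either a predefined ACL (--acl) or individual grants (--grants);
  - grantee-id is given only for grant-type=grant-type-account;
  - permission-write is only valid together with permission-read for the same grantee.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple

GRANT_TYPES = {
    "grant-type-account",                  # user, service account, or user group
    "grant-type-all-authenticated-users",  # all authenticated Yandex Cloud users
    "grant-type-all-users",                # all internet users
}
PUBLIC_GRANT_TYPES = {"grant-type-all-authenticated-users", "grant-type-all-users"}
PERMISSIONS = {"permission-read", "permission-write", "permission-full-control"}


@dataclass(frozen=True)
class Grant:
    grant_type: str
    permission: str
    grantee_id: Optional[str] = None  # required for grant-type-account, forbidden otherwise

    def to_arg(self) -> str:
        """Render the value passed to one --grants parameter."""
        parts = [f"grant-type={self.grant_type}"]
        if self.grantee_id is not None:
            parts.append(f"grantee-id={self.grantee_id}")
        parts.append(f"permission={self.permission}")
        return ",".join(parts)


def acl_problems(grants: Sequence[Grant], predefined_acl: Optional[str] = None) -> List[str]:
    """Return every documented rule the request breaks; an empty list means it is consistent."""
    problems: List[str] = []
    if predefined_acl and grants:
        problems.append("a bucket has either a predefined ACL or individual grants, not both")
    for g in grants:
        if g.grant_type not in GRANT_TYPES:
            problems.append(f"unknown grant-type {g.grant_type!r}")
        if g.permission not in PERMISSIONS:
            problems.append(f"unknown permission {g.permission!r}")
        if g.grant_type == "grant-type-account" and not g.grantee_id:
            problems.append("grant-type-account requires grantee-id")
        if g.grant_type in PUBLIC_GRANT_TYPES and g.grantee_id:
            problems.append(f"{g.grant_type} must not carry grantee-id")
    # permission-write is only valid when the same grantee also receives permission-read
    perms_by_grantee: Dict[Tuple[str, Optional[str]], Set[str]] = {}
    for g in grants:
        perms_by_grantee.setdefault((g.grant_type, g.grantee_id), set()).add(g.permission)
    for (grant_type, grantee_id), perms in perms_by_grantee.items():
        if "permission-write" in perms and "permission-read" not in perms:
            problems.append(
                f"permission-write without permission-read for {grant_type} {grantee_id or ''}".rstrip()
            )
    return problems


def build_update_argv(bucket: str, grants: Sequence[Grant] = (),
                      predefined_acl: Optional[str] = None) -> List[str]:
    """Build argv for `yc storage bucket update`; raise ValueError on an inconsistent request."""
    problems = acl_problems(grants, predefined_acl)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["yc", "storage", "bucket", "update", "--name", bucket]
    if predefined_acl:
        return argv + ["--acl", predefined_acl]
    for g in grants:
        argv += ["--grants", g.to_arg()]
    return argv


if __name__ == "__main__":
    # Constructed sample: read + write for one service account (the ID is a placeholder)
    sa_id = "<service_account_ID>"
    request = [
        Grant("grant-type-account", "permission-read", sa_id),
        Grant("grant-type-account", "permission-write", sa_id),
    ]
    print(" ".join(build_update_argv("my-bucket", request)))
```

Passing the returned list to `subprocess.run` rather than joining it into a shell string keeps bucket names and IDs from being interpreted by the shell.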
AWS CLI
If you do not have the AWS CLI yet, install and configure it.

Note
To manage bucket ACL settings, assign the storage.admin role to the service account used by the AWS CLI.

View the bucket's current ACL:
```bash
aws s3api get-bucket-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name>
```
Where:
- --bucket: Bucket name.
- --endpoint: Object Storage endpoint.
You can apply a predefined ACL to a bucket or configure permissions for individual users, service accounts, user groups and public groups (e.g., a group of all internet users or a group of all authenticated Yandex Cloud users). These settings are not compatible: a bucket should have either a predefined ACL or a set of individual permissions.
- Predefined ACL
  Run this command:
  ```bash
  aws s3api put-bucket-acl \
    --endpoint https://storage.yandexcloud.net \
    --bucket <bucket_name> \
    --acl <predefined_ACL>
  ```
  Where:
  - --endpoint: Object Storage endpoint.
  - --bucket: Bucket name.
  - --acl: Predefined ACL. For the list of values, see Predefined ACLs.
- Setting up individual permissions
  - To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:
    - User.
    - Service account.
    - User group: Navigate to the Groups tab in the Cloud Center interface.
  - Run this command:
    ```bash
    aws s3api put-bucket-acl \
      --endpoint https://storage.yandexcloud.net \
      --bucket <bucket_name> \
      <permission_type> <permission_grantee>
    ```
    Where:
    - --bucket: Bucket name.
    - --endpoint: Object Storage endpoint.
    - Possible types of ACL permissions:
      - --grant-read: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, static hosting), and read all objects in the bucket.
      - --grant-write: Permission to write, overwrite, and delete objects in the bucket. Can only be used together with --grant-read.
      - --grant-full-control: Full access to the bucket and the objects in it.
      For more information about permissions, see Permission types.
    - The possible permission grantees are:
      - id=<grantee_ID>: ID of the user, service account, or user group you need to grant a permission to.
      - uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers: Public group that includes all authenticated Yandex Cloud users.
      - uri=http://acs.amazonaws.com/groups/global/AllUsers: Public group that includes all internet users.
    To configure multiple permissions, repeat the permission type and permission grantee pair once per permission. For example, to grant a write permission for a bucket, run the following command:
    ```bash
    aws s3api put-bucket-acl \
      --endpoint https://storage.yandexcloud.net \
      --bucket <bucket_name> \
      --grant-read id=<grantee_ID> \
      --grant-write id=<grantee_ID>
    ```
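Because a grant to the AllUsers or AuthenticatedUsers group URI opens a bucket to everyone on the internet or to every authenticated Yandex Cloud user, the ACL returned by `aws s3api get-bucket-acl` is worth checking before and after an edit. The following added example, which is not code from the Yandex Cloud documentation or the AWS CLI, reads that command's JSON output (the Owner/Grants structure of the S3 API) and reports every public grant rated by permission, plus any grantee holding WRITE without READ, the combination the page says is invalid. The script name, the severity scale and the embedded sample ACL are assumptions; the sample is constructed for an offline run.

```python
"""Audit the JSON printed by `aws s3api get-bucket-acl` and flag risky grants.

Added example, not part of the Yandex Cloud documentation. Assumed workflow:
    aws s3api get-bucket-acl --endpoint https://storage.yandexcloud.net \
        --bucket <bucket_name> > acl.json
    python3 audit_bucket_acl.py acl.json
Without a file argument the constructed SAMPLE_ACL below is audited.
"""
import json
import sys
from typing import Dict, List, Set

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "all internet users",
    AUTHENTICATED_USERS: "all authenticated Yandex Cloud users",
}
# Severity of a permission when it is handed to a public group (assumed scale)
SEVERITY = {"READ": "medium", "WRITE": "high", "FULL_CONTROL": "critical"}
RANK = {"none": 0, "medium": 1, "high": 2, "critical": 3}


def grantee_key(grantee: Dict) -> str:
    """Stable identifier for a grantee: the group URI or the canonical user ID."""
    if grantee.get("Type") == "Group":
        return grantee.get("URI", "")
    return grantee.get("ID", "")


def audit_acl(acl: Dict) -> List[Dict]:
    """Return one finding dict per problem found in the ACL."""
    findings: List[Dict] = []
    perms_by_grantee: Dict[str, Set[str]] = {}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        perm = grant.get("Permission", "")
        key = grantee_key(grantee)
        perms_by_grantee.setdefault(key, set()).add(perm)
        if grantee.get("Type") == "Group" and key in PUBLIC_GROUPS:
            findings.append({
                "kind": "public-grant",
                "grantee": PUBLIC_GROUPS[key],
                "permission": perm,
                "severity": SEVERITY.get(perm, "high"),
            })
    # WRITE is only meaningful together with READ for the same grantee
    for key, perms in perms_by_grantee.items():
        if "WRITE" in perms and "READ" not in perms:
            findings.append({
                "kind": "write-without-read",
                "grantee": PUBLIC_GROUPS.get(key, key),
                "permission": "WRITE",
                "severity": "medium",
            })
    return findings


def worst_severity(findings: List[Dict]) -> str:
    """Highest severity among the findings, or 'none' for a clean ACL."""
    return max((f["severity"] for f in findings), key=RANK.__getitem__, default="none")


# Constructed sample: the owner has FULL_CONTROL and the bucket is readable and writable by anyone
SAMPLE_ACL = {
    "Owner": {"ID": "<owner_ID>"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "<owner_ID>"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            acl = json.load(fh)
    else:
        acl = SAMPLE_ACL
    result = audit_acl(acl)
    for f in result:
        print(f"[{f['severity']}] {f['kind']}: {f['permission']} for {f['grantee']}")
    print("worst:", worst_severity(result))
```

Running the audit as a post-change step (or on a schedule over all buckets) turns an accidental public WRITE grant into a finding rather than a surprise.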
Terraform

Note
Terraform uses a service account to interact with Object Storage. Assign the required role, e.g., storage.admin, to the service account for the folder where you are going to create resources.

If you don't have Terraform, install it and configure the Yandex Cloud provider.
Before you start, retrieve the static access keys: a secret key and a key ID used for authentication in Object Storage.

- In the configuration file, describe the parameters of the resources you want to create:
  ```hcl
  resource "yandex_storage_bucket" "test" {
    access_key = "<static_key_ID>"
    secret_key = "<secret_key>"
    bucket     = "<bucket_name>"

    grant {
      id          = "<user_ID>"
      type        = "CanonicalUser"
      permissions = ["FULL_CONTROL"]
    }

    grant {
      type        = "Group"
      permissions = ["READ", "WRITE"]
      uri         = "http://acs.amazonaws.com/groups/global/AllUsers"
    }
  }
  ```
  Where:
  - access_key: Static access key ID.
  - secret_key: Secret access key value.
  - bucket: Bucket name. This is a required parameter.
  - grant: ACL settings. This is an optional parameter. To manage this parameter, the service account for which the static access keys were obtained must have the storage.admin role for the bucket or folder.
    - type: Permission grantee type. The possible values are:
      - CanonicalUser: For a user, service account, or user group.
      - Group: For a public group.
    - permissions: Type of ACL permissions. The possible values are:
      - READ: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, static hosting), and read all objects in the bucket.
      - WRITE: Permission to write, overwrite, and delete objects in the bucket. Can only be used together with READ, e.g., permissions = ["READ", "WRITE"].
      - FULL_CONTROL: Full access to the bucket and the objects in it.
      For more information about permissions, see Permission types.
    - id: ID of the user, service account, or user group. Used with the CanonicalUser type of permission grantee. You can get the IDs in any of the following ways:
      - User.
      - Service account.
      - User group: Navigate to the Groups tab in the Cloud Center interface.
    - uri: Public group ID. Used with the Group type of permission grantee. The possible values are:
      - http://acs.amazonaws.com/groups/global/AllUsers: All internet users.
      - http://acs.amazonaws.com/groups/global/AuthenticatedUsers: All authenticated Yandex Cloud users.
  Instead of grant, you can specify acl, i.e., the predefined ACL of the bucket. The default value is private: Yandex Cloud users get permissions based on their roles in IAM.
  For more information about the resources you can create with Terraform, see the provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
    ```bash
    terraform plan
    ```
    If the configuration is described correctly, the terminal will display a list of the resources to be created and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
    ```bash
    terraform apply
    ```
  - Confirm that you want to create the resources.
  All the resources you need will then be created in the specified folder. You can check the new resources and their settings using the management console.
API
To edit a bucket's ACL, use the update REST API method for the Bucket resource, the BucketService/Update gRPC API call, or the bucketPutAcl S3 API method.