© 2025 Yandex.Cloud LLC
Editing a bucket ACL

Written by
Yandex Cloud
Improved by
Tania L.
Updated on May 5, 2025

Object Storage incorporates several access management mechanisms. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.

Note

If your bucket already has a configured ACL, it will be completely overwritten once you apply the changes.

Management console
  1. In the management console, select Object Storage from the list of services.

  2. In the bucket row, click the menu icon and select Configure ACL.

    Alternatively, you can click the bucket name, then, on the page that opens, click the menu icon at the top right and select Configure ACL.

    In the ACL editing window that opens, grant or revoke the relevant permissions:

    1. Select the subjects you need from the list. To do this, place the cursor in the subject input field, then select the required user, service account, user group, system group, or public group in the form that appears. If required, use the relevant tabs in the form or the search bar to find a subject by name or email address.

      To grant permissions for multiple subjects at the same time, select them one by one.

    2. Specify the relevant permission type for the selected subjects and click Add.

    3. To grant different types of permission to subjects, repeat the two previous steps.

    4. To revoke a subject's permission, click Cancel in the permission row.

    5. Click Save.

    Note

    In the management console, you can only grant permissions to service accounts created in the same folder as the bucket. You can grant permissions to service accounts belonging to other folders using the YC CLI (only for ACL buckets), AWS CLI, Terraform, or API.

Yandex Cloud CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

Before configuring an ACL, see the description of the CLI command for editing a bucket:

yc storage bucket update --help

To view the current ACL of a bucket, run this command:

yc storage bucket get <bucket_name> --with-acl

You can apply a predefined ACL to a bucket or configure permissions for individual users, service accounts, user groups, and public groups, such as a group of all internet users or a group of all authenticated Yandex Cloud users. You cannot use these settings together: a bucket can have either a predefined ACL or individual permissions.

Predefined ACL

Run this command:

yc storage bucket update --name <bucket_name> --acl <predefined_ACL>

Where:

  • --name: Bucket name.
  • --acl: Predefined ACL. To view a list of values, see Predefined ACLs.

Result:

name: my-bucket
folder_id: csgeoelk7fl1********
default_storage_class: STANDARD
versioning: VERSIONING_DISABLED
max_size: "1073741824"
acl:
  grants:
    - permission: PERMISSION_READ
      grant_type: GRANT_TYPE_ALL_USERS
created_at: "2022-12-14T19:10:05.957940Z"

Setting up individual permissions

  1. To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:

    • User.
    • Service account.
    • User group: Navigate to the Groups tab in the Cloud Center interface.
  2. Run this command:

    yc storage bucket update --name <bucket_name> \
      --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=<permission_type>

    Where:

    • grant-type: Permission grantee type. The possible values are as follows:
      • grant-type-account: User, service account, or user group.
      • grant-type-all-authenticated-users: Public group that includes all authenticated Yandex Cloud users.
      • grant-type-all-users: Public group that includes all internet users.
    • grantee-id: ID of the user, service account, or user group you need to grant a permission to. It is specified only if grant-type=grant-type-account.
    • permission: ACL permission type. The possible values are:
      • permission-read: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, and static hosting), and read all objects in the bucket.
      • permission-write: Permission to write, overwrite, and delete objects in the bucket. It can only be used together with permission-read.
      • permission-full-control: Full access to the bucket and objects in it.
        For more information about permissions, see Permission types.

    To configure multiple permissions, specify the --grants parameter multiple times. For example, to grant a write permission for a bucket, run this command:

    yc storage bucket update --name <bucket_name> \
      --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=permission-read \
      --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=permission-write

AWS CLI

If you do not have the AWS CLI yet, install and configure it.

Note

To manage bucket ACL settings, assign the storage.admin role to the service account used by the AWS CLI.

View the bucket's current ACL:

aws s3api get-bucket-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name>

Where:

  • --bucket: Bucket name.
  • --endpoint: Object Storage endpoint.
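Added example (not Yandex Cloud's own code): a small Python audit over the JSON document that `aws s3api get-bucket-acl` prints, flagging grants to the two public groups used on this page and any WRITE that is not paired with READ. The sample ACL document and its IDs are constructed here, not taken from a real bucket.

```python
import json

# Public group URIs from the page: grants to these reach beyond the bucket's own cloud.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "all internet users",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "all authenticated Yandex Cloud users",
}
MUTATING = {"WRITE", "FULL_CONTROL"}  # permissions that let the grantee change bucket contents

# Constructed sample in the shape `aws s3api get-bucket-acl` prints (Owner + Grants);
# the IDs are placeholders, not output from a real bucket.
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-sa-id"}, "Permission": "WRITE"},
    ],
})


def audit_bucket_acl(acl_json):
    """Return (severity, grantee, message) findings for a get-bucket-acl JSON document.

    Public grants are 'high' when they allow writes and 'medium' otherwise; a grantee that
    holds WRITE without READ is 'low', since the page states WRITE is only valid with READ.
    """
    acl = json.loads(acl_json)
    findings = []
    perms_by_grantee = {}
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        key = grantee.get("ID") or grantee.get("URI")  # CanonicalUser carries ID, Group carries URI
        perm = grant["Permission"]
        perms_by_grantee.setdefault(key, set()).add(perm)
        if grantee.get("Type") == "Group" and key in PUBLIC_GROUPS:
            severity = "high" if perm in MUTATING else "medium"
            findings.append((severity, key, f"{perm} granted to {PUBLIC_GROUPS[key]}"))
    for key, perms in perms_by_grantee.items():
        if "WRITE" in perms and not perms & {"READ", "FULL_CONTROL"}:
            findings.append(("low", key, "WRITE without READ (must be granted together)"))
    return findings


if __name__ == "__main__":
    for severity, grantee, message in audit_bucket_acl(SAMPLE_ACL):
        print(f"[{severity}] {grantee}: {message}")
```

Pipe the real command output into `audit_bucket_acl` (for example via `sys.stdin.read()`) to run the same checks against a bucket you administer.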

You can apply a predefined ACL to a bucket or configure permissions for individual users, service accounts, user groups, and public groups, such as a group of all internet users or a group of all authenticated Yandex Cloud users. You cannot use these settings together: a bucket can have either a predefined ACL or individual permissions.

Predefined ACL

Run this command:

  aws s3api put-bucket-acl \
    --endpoint https://storage.yandexcloud.net \
    --bucket <bucket_name> \
    --acl <predefined_ACL>

Where:

  • --endpoint: Object Storage endpoint.
  • --bucket: Bucket name.
  • --acl: Predefined ACL. For the list of values, see Predefined ACLs.

Setting up individual permissions

  1. To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:

    • User.
    • Service account.
    • User group: Navigate to the Groups tab in the Cloud Center interface.
  2. Run this command:

    aws s3api put-bucket-acl \
      --endpoint https://storage.yandexcloud.net \
      --bucket <bucket_name> \
      <permission_type> <permission_grantee>

    Where:

    • --bucket: Bucket name.

    • --endpoint: Object Storage endpoint.

    • The possible types of ACL permissions are as follows:

      • --grant-read: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, and static hosting), and read all objects in the bucket.
      • --grant-write: Permission to write, overwrite, and delete objects in the bucket. It can only be used together with --grant-read.
      • --grant-full-control: Full access to the bucket and objects in it.

      For more information about permissions, see Permission types.

    • The possible permission grantees are as follows:

      • id=<grantee_ID>: ID of the user, service account, or user group you need to grant a permission to.
      • uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers: Public group that includes all authenticated Yandex Cloud users.
      • uri=http://acs.amazonaws.com/groups/global/AllUsers: Public group that includes all internet users.

    To configure multiple permissions, repeat the permission type and permission grantee pair for each permission. For example, to grant a write permission for a bucket (which requires the read permission as well), run this command:

    aws s3api put-bucket-acl \
      --endpoint https://storage.yandexcloud.net \
      --bucket <bucket_name> \
      --grant-read id=<grantee_ID> \
      --grant-write id=<grantee_ID>

Terraform

Note

Terraform uses a service account to interact with Object Storage. Assign the required role, e.g., storage.admin, to that service account for the folder where you are going to create resources.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

Before you start, retrieve the static access keys: a secret key and key ID used for Object Storage authentication.

Note

In addition to static access keys, you can use an IAM token for authentication in Object Storage. For more details, see Creating a bucket and the relevant provider documentation.

  1. In the configuration file, describe the resources you want to create:

    resource "yandex_storage_bucket" "test" {
      access_key = "<static_key_ID>"
      secret_key = "<secret_key>"
      bucket = "<bucket_name>"
      grant {
        id          = "<user_ID>"
        type        = "CanonicalUser"
        permissions = ["FULL_CONTROL"]
      }

      grant {
        type        = "Group"
        permissions = ["READ", "WRITE"]
        uri         = "http://acs.amazonaws.com/groups/global/AllUsers"
      }
    }

    Where:

    • access_key: Static access key ID.
    • secret_key: Secret access key value.
    • bucket: Bucket name. This is a required parameter.
    • grant: ACL settings. This is an optional parameter. To manage it, the service account with static access keys must have the storage.admin role for the bucket or folder.
      • type: Permission grantee type. The possible values are:

        • CanonicalUser: For a user, service account, or user group.
        • Group: For a public group.
      • permissions: Type of ACL permissions. It can take the following values:

        • READ: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, and static hosting), and read all objects in the bucket.
        • WRITE: Permission to write, overwrite, and delete objects in the bucket. It can only be used together with READ, e.g., permissions = ["READ", "WRITE"].
        • FULL_CONTROL: Full access to the bucket and objects in it.

        For more information about permissions, see Permission types.

      • id: ID of the user, service account, or user group. It is used with the CanonicalUser type of permission grantee.

        You can get the IDs in the following ways:

        • User.
        • Service account.
        • User group: Navigate to the Groups tab in the Cloud Center interface.
      • uri: Public group ID. It is used with the Group type of permission grantee. The possible values are:

        • http://acs.amazonaws.com/groups/global/AllUsers: All internet users.
        • http://acs.amazonaws.com/groups/global/AuthenticatedUsers: All authenticated Yandex Cloud users.

    Instead of grant, you can specify acl, i.e., the predefined ACL of the bucket. The default value is private: Yandex Cloud users get permissions based on their roles in IAM.

    For more information about the resources you can create with Terraform, see this provider reference.

  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the resources.

    This will create all resources you need in the specified folder. You can check the new resources and their settings using the management console.

API

To edit a bucket ACL, use the update REST API method for the Bucket resource, the BucketService/Update gRPC API call, or the bucketPutAcl S3 API method.
