Editing an object's ACL
Object Storage incorporates multiple mechanisms for managing access to resources. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.
To control access to an object in an Object Storage bucket, you can use an ACL.
Note
If an ACL has been set for an object, it will be completely overwritten once you apply the changes.
- In the management console, select the appropriate folder.
- Select Object Storage.
- Click the bucket name.
- To edit an ACL, click the icon to the right of the object name and select Object ACL. You can also click the object name, click the icon on the page that opens, and select Object ACL.
- In the ACL editing window that opens, grant or revoke the appropriate permissions.
Note
In the management console, you can only grant permissions to service accounts created in the same directory as the bucket. You can grant permissions to service accounts belonging to other directories using the YC CLI (only for the ACL bucket), AWS CLI, Terraform, or API.
If you do not have the AWS CLI yet, install and configure it.
Note
To manage object ACLs, assign the storage.admin role to the service account through which the AWS CLI works.
View the object's current ACL:

```bash
aws s3api get-object-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --key <object_key>
```

Where:
- --endpoint: Object Storage endpoint.
- --bucket: Bucket name.
- --key: Object key.
You can apply a predefined ACL to an object or configure permissions for individual users, service accounts, user groups, and public groups (e.g., a group of all internet users or a group of all authenticated Yandex Cloud users). These settings are not compatible: an object should have either a predefined ACL or a set of individual permissions.
Predefined ACL
Run this command:

```bash
aws s3api put-object-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --key <object_key> \
  --acl <predefined_ACL>
```

Where:
- --endpoint: Object Storage endpoint.
- --bucket: Bucket name.
- --key: Object key.
- --acl: Predefined ACL. For the list of values, see Predefined ACLs.
Setting up individual permissions
- To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their ID:
  - User.
  - Service account.
  - User group: Navigate to the Groups tab in the Cloud Organization interface.
- Run this command:

```bash
aws s3api put-object-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --key <object_key> \
  <permission_type> <permission_grantee>
```

  Where:
  - --endpoint: Object Storage endpoint.
  - --bucket: Bucket name.
  - --key: Object key.
  - Possible types of ACL permissions:
    - --grant-read: Read access to the object.
    - --grant-full-control: Full access to the object.
    - --grant-read-acp: Read access to the object's ACL.
    - --grant-write-acp: Edit access to the object's ACL.

    You can set multiple permissions within the same command.
  - The possible permission grantees are:
    - id=<grantee_ID>: ID of the user, service account, or user group you need to grant a permission to.
    - uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers: Public group that includes all authenticated Yandex Cloud users.
    - uri=http://acs.amazonaws.com/groups/global/AllUsers: Public group that includes all internet users.
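Two practical checks follow from this section and from the note at the top of the page: a put-object-acl call replaces the whole ACL, and grants to the AllUsers or AuthenticatedUsers groups expose the object beyond the folder's IAM roles. The script below is an added example, not code from the Yandex Cloud documentation or CLI. It parses the JSON that `aws s3api get-object-acl` prints, flags public-group grants, and computes which existing grants a planned put-object-acl would silently drop. The sample ACL document and the IDs in it are constructed; only the two group URIs come from the page.

```python
import json

# Public group URIs accepted as ACL grantees (from the page).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "all internet users",
    AUTHENTICATED_USERS: "all authenticated Yandex Cloud users",
}

# Constructed sample of get-object-acl output: the owner (a made-up ID) holds
# FULL_CONTROL and the ACL also grants READ to every internet user.
SAMPLE_ACL_JSON = """
{
  "Owner": {"ID": "aje1example0000000000", "DisplayName": "aje1example0000000000"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "aje1example0000000000"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}
  ]
}
"""


def parse_grants(acl_json):
    """Flatten get-object-acl JSON into a set of (grantee, permission) pairs.
    Grantees use the put-object-acl syntax from the page: id=<ID> or uri=<URI>."""
    doc = json.loads(acl_json)
    grants = set()
    for grant in doc.get("Grants", []):
        grantee = grant["Grantee"]
        if grantee.get("Type") == "Group":
            key = "uri=" + grantee["URI"]
        else:
            key = "id=" + grantee["ID"]
        grants.add((key, grant["Permission"]))
    return grants


def audit_acl(acl_json):
    """Return the grants that expose the object to a public group.
    Permissions that let the grantee change the ACL itself are rated higher."""
    findings = []
    for grantee, permission in sorted(parse_grants(acl_json)):
        uri = grantee[len("uri="):] if grantee.startswith("uri=") else None
        if uri in PUBLIC_GROUPS:
            severity = "high" if permission in ("FULL_CONTROL", "WRITE_ACP") else "medium"
            findings.append({"grantee": PUBLIC_GROUPS[uri],
                             "permission": permission,
                             "severity": severity})
    return findings


def overwrite_diff(current_acl_json, desired_grants):
    """put-object-acl replaces the entire ACL, so compare the current grants with
    the set a planned command would leave behind. Returns (kept, lost, added)."""
    current = parse_grants(current_acl_json)
    desired = set(desired_grants)
    return current & desired, current - desired, desired - current


if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_ACL_JSON):
        print("public grant:", finding)
    # A planned command that grants READ to one service account (constructed ID)
    # and nothing else: every current grant, the owner's included, would be lost.
    planned = {("id=ajeexampleserviceacct", "READ")}
    kept, lost, added = overwrite_diff(SAMPLE_ACL_JSON, planned)
    print("kept:", sorted(kept))
    print("lost:", sorted(lost))
    print("added:", sorted(added))
```

Run `aws s3api get-object-acl ... > acl.json` and feed the file contents to `audit_acl` or `overwrite_diff`. Because the owner's FULL_CONTROL grant is not preserved automatically when individual permissions are applied, it shows up in `lost` unless the planned grants include it; that is the case to check before applying the command.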
Note
Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.
Terraform
For more information about the provider resources, see the documentation on the Terraform
If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
To edit an object's ACL:
- Open the Terraform configuration file and add the acl parameter to the object description:

```hcl
...
resource "yandex_storage_object" "cute-cat-picture" {
  access_key = "<static_key_ID>"
  secret_key = "<secret_key>"
  bucket     = "cat-pictures"
  key        = "cute-cat"
  source     = "/images/cats/cute-cat.jpg"
  acl        = "public-read"
}
...
```

  Where:
  - access_key: Static access key ID.
  - secret_key: Private access key value.
  - acl: Predefined ACL of an object. The default value is private: Yandex Cloud users get permissions based on their roles in IAM.

  For more information about the yandex_storage_object resource parameters in Terraform, see the provider documentation.
- Check the configuration using this command:

```bash
terraform validate
```

  If the configuration is correct, you will get this message:

```
Success! The configuration is valid.
```

- Run this command:

```bash
terraform plan
```

  The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
- Apply the configuration changes:

```bash
terraform apply
```

- Confirm the changes: type yes into the terminal and press Enter. You can check the object's ACL update in the management console.
To edit an object's ACL, use the objectPutAcl S3 API method.
To upload an object and set an ACL on it in the same request, use the upload S3 API method with the X-Amz-Acl, X-Amz-Grant-Read, X-Amz-Grant-Read-Acp, X-Amz-Grant-Write-Acp, and X-Amz-Grant-Full-Control headers.
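The headers above mirror the two CLI styles: X-Amz-Acl carries a predefined ACL, and the X-Amz-Grant-* headers carry individual grants, which the page says must not be mixed. The helper below is an added example, not part of the Yandex Cloud documentation or SDK. It assembles the header set for an upload or objectPutAcl request and rejects a request that combines both styles. The grant-header value syntax (`id="..."` or `uri="..."`, several grantees comma-separated in one header) is the standard S3 grant header format and is an assumption of this example; the IDs used are constructed.

```python
# Maps each ACL permission to the request header that grants it (names from the page).
GRANT_HEADERS = {
    "READ": "X-Amz-Grant-Read",
    "READ_ACP": "X-Amz-Grant-Read-Acp",
    "WRITE_ACP": "X-Amz-Grant-Write-Acp",
    "FULL_CONTROL": "X-Amz-Grant-Full-Control",
}


def upload_acl_headers(acl=None, grants=()):
    """Build the ACL-related headers for an upload / objectPutAcl request.

    acl:    a predefined ACL name such as "public-read" (sent in X-Amz-Acl).
    grants: iterable of (permission, grantee_type, value) with grantee_type
            "id" (user, service account, or group ID) or "uri" (public group).
    A predefined ACL and individual grants are mutually exclusive, so passing
    both raises instead of producing a request the service would not accept.
    """
    if acl is not None and grants:
        raise ValueError("use either a predefined ACL or individual grants, not both")
    headers = {}
    if acl is not None:
        headers["X-Amz-Acl"] = acl
        return headers
    for permission, grantee_type, value in grants:
        if permission not in GRANT_HEADERS or grantee_type not in ("id", "uri"):
            raise ValueError(f"unsupported grant: {permission} {grantee_type}")
        name = GRANT_HEADERS[permission]
        # S3 grant header syntax (assumed here): id="..." or uri="...";
        # multiple grantees for one permission are comma-separated in one header.
        entry = f'{grantee_type}="{value}"'
        headers[name] = entry if name not in headers else headers[name] + ", " + entry
    return headers


if __name__ == "__main__":
    print(upload_acl_headers(acl="public-read"))
    print(upload_acl_headers(grants=[
        ("FULL_CONTROL", "id", "aje1exampleowner"),          # constructed owner ID
        ("READ", "id", "ajeexampleserviceacct"),              # constructed SA ID
        ("READ", "uri", "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"),
    ]))
```

Listing the owner's FULL_CONTROL grant explicitly, as in the usage above, is what keeps the object manageable after an upload with individual grants, since the request defines the complete ACL.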