Bucket policy
Object Storage incorporates multiple mechanisms for managing access to resources. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.
Bucket policies set permissions for actions with buckets, objects, and object groups.
A policy is triggered when a user makes a request to a resource. As a result, the request is either executed or rejected.
Enabling public access to bucket operations does not override the restrictions set in the access policies.
Note
If a bucket policy with no rules is applied to the bucket, access is denied to all users. To disable request verification for a bucket policy, delete it.
You can set up a bucket policy in the management console or describe it in JSON format using a special scheme to provide the settings through one of the software tools: the Yandex Cloud CLI, AWS CLI, Terraform, or API. To learn more about policy management, see this guide.
If you want to assign an access policy to a bucket and connect to it from a Hive Metastore or Yandex Managed Service for Apache Airflow™ cluster, you will need some additional infrastructure setup. For more information, see these guides for Metastore and Managed Service for Apache Airflow™.
Policy components
A bucket policy consists of rules. Each rule consists of the following basic elements:
- Resource
Bucket, object in a bucket (<bucket_name>/some/key), or prefix (<bucket_name>/some/path/*), including an empty prefix to indicate all bucket objects (<bucket_name>/*). You can specify multiple resources in a rule.
Note
A bucket resource does not include the resources of all its objects. To make sure a bucket policy rule refers to the bucket and all of its objects, specify them as separate resources, such as samplebucket and samplebucket/*.
If you describe a policy in JSON format, a resource must have the arn:aws:s3::: prefix, e.g., arn:aws:s3:::<bucket_name>.
If the resource name contains ?, *, or $, enclose each one of these characters in curly braces ({}) preceded with $. For example, a record mapped to a bucket named my?bucket will read my${?}bucket.
- Action
Operations with a resource that will be either denied or allowed by the rule. For more information, see Actions.
- Result
Denies or allows the requested action. First, the request is checked against the Deny action filter. If there is a match, the request is rejected and no further checks are performed. If it meets the Allow action filter criteria, the request is allowed. If the request does not trigger any of the filters, it is rejected.
- Principal
Grantee of the requested permission. This can be an IAM user, federated user, service account, or an anonymous user.
- Condition
Establishes the cases in which the rule will apply.
Note
The aws:sourceip condition supports a special procedure for verifying reverse proxy server IP addresses.
If multiple conditions are specified simultaneously for a rule, or multiple keys are specified simultaneously within a single condition, such conditions and keys apply with AND logic. If multiple values are specified simultaneously for one condition key, such values apply with OR logic. For more information, see Conditions.
Bucket access via the management console
If a bucket has an access policy configured, access to the bucket via the Yandex Cloud management console is disabled by default. To enable bucket access, you need to add a rule in the Statement section that allows any requests to <bucket_name>/* or <bucket_name> from the management console.
Example of a rule for a specific Yandex Cloud user:
{
"Effect": "Allow",
"Principal": {
"CanonicalUser": "<user_ID>"
},
"Action": "*",
"Resource": [
"arn:aws:s3:::<bucket_name>/*",
"arn:aws:s3:::<bucket_name>"
],
"Condition": {
"StringLike": {
"aws:referer": "https://console.yandex.cloud/folders/*/storage/buckets/your-bucket-name*"
}
}
}
Example of using the console.cloud.yandex.* domain together with console.yandex.cloud
If you are using the old domain (console.cloud.yandex.*) together with the new one (console.yandex.cloud), set the following policy rules:
{
"Effect": "Allow",
"Principal": {
"CanonicalUser": "<user_ID>"
},
"Action": "*",
"Resource": [
"arn:aws:s3:::<bucket_name>/*",
"arn:aws:s3:::<bucket_name>"
],
"Condition": {
"StringLike": {
"aws:referer": [
"https://console.cloud.yandex.*/folders/*/storage/buckets/your-bucket-name*",
"https://console.yandex.cloud/folders/*/storage/buckets/your-bucket-name*"
]
}
}
}
You can retrieve the user ID by following this guide in the Yandex Identity and Access Management documentation.
Bucket access via a chain of reverse proxy servers
For Object Storage to work with requests sent over a series of reverse proxy servers, the aws:sourceip condition checks both the IP address the request came from and the IP addresses of the reverse proxy servers, e.g., those provided in the X-Forwarded-For header.
First, a request is checked against the Deny access policy rules. If at least one IP address meets the Deny rule criteria, the request is denied and no further checks are performed.
Then the request is checked against the Allow access policy rules. If at least one IP address meets the Allow rule criteria, the request is allowed.
An example of bucket access configuration via a chain of reverse proxy servers
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "the-allowing-rule",
"Effect": "Allow",
"Principal": "*",
"Action": "*",
"Resource": "arn:aws:s3:::sample-bucket/*",
"Condition": {
"IpAddress": {
"aws:sourceip": [
"192.168.1.1",
"192.168.1.2"
]
}
}
},
{
"Sid": "the-denying-rule",
"Effect": "Deny",
"Principal": "*",
"Action": "*",
"Resource": "arn:aws:s3:::sample-bucket/*",
"Condition": {
"IpAddress": {
"aws:sourceip": [
"192.168.1.11",
"192.168.1.12"
]
}
}
}
]
}
If the bucket receives a request with the X-Forwarded-For: 192.168.1.1, 192.168.1.2, 192.168.1.12 header, this request will be denied, as the header contains an IP address specified in the Deny rule.
If the bucket receives a request with the X-Forwarded-For: 192.168.2.100, 192.168.2.1, 192.168.1.2 header, this request will be allowed, as the header contains no IP addresses specified in the Deny rule but does contain an IP address specified in the Allow rule.
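The evaluation order described in Result (Deny first, then Allow, otherwise reject) and the reverse proxy check above, as an added example that is not Yandex Cloud's own implementation: a small evaluator that applies the sample policy to the two X-Forwarded-For requests just discussed. Principal matching is omitted (the sample rules use "*"), and only the IpAddress condition is supported; everything else is an assumption of this example.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed policy: the reverse-proxy example from this page.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "the-allowing-rule", "Effect": "Allow", "Principal": "*",
         "Action": "*", "Resource": "arn:aws:s3:::sample-bucket/*",
         "Condition": {"IpAddress": {"aws:sourceip": ["192.168.1.1", "192.168.1.2"]}}},
        {"Sid": "the-denying-rule", "Effect": "Deny", "Principal": "*",
         "Action": "*", "Resource": "arn:aws:s3:::sample-bucket/*",
         "Condition": {"IpAddress": {"aws:sourceip": ["192.168.1.11", "192.168.1.12"]}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _ip_matches(values, addrs):
    # OR over the listed addresses/CIDRs; any address in the chain may match.
    nets = [ipaddress.ip_network(v, strict=False) for v in _as_list(values)]
    return any(ipaddress.ip_address(a) in n for a in addrs for n in nets)

def _rule_matches(rule, action, resource, addrs):
    # Principal matching is omitted: the sample rules all use "*".
    if not any(fnmatchcase(action, a) for a in _as_list(rule["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(rule["Resource"])):
        return False
    # Every operator and every key inside Condition must hold (AND logic).
    for operator, keys in rule.get("Condition", {}).items():
        for key, values in keys.items():
            if operator == "IpAddress" and key.lower() == "aws:sourceip":
                if not _ip_matches(values, addrs):
                    return False
            else:
                return False  # unsupported condition: never matches
    return True

def evaluate(policy, action, resource, source_ip, forwarded_for=""):
    # The checked chain is the connecting IP plus every X-Forwarded-For hop.
    addrs = [source_ip] + [a.strip() for a in forwarded_for.split(",") if a.strip()]
    matched = [r for r in policy["Statement"] if _rule_matches(r, action, resource, addrs)]
    if any(r["Effect"] == "Deny" for r in matched):
        return "Deny"   # Deny wins, no further checks
    if any(r["Effect"] == "Allow" for r in matched):
        return "Allow"
    return "Deny"       # no rule triggered: request rejected
```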
Configuration examples
- Rule that allows an anonymous user to read objects in the bucket over an encrypted connection:
{
  "Id": "epd4limdp3dg********",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "f1qqoehl1q53********",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
- Rule that allows downloading objects only from a specified range of IP addresses:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "100.101.102.128/30"
        }
      }
    }
  ]
}
- Rule that prohibits downloading objects from the specified IP address:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::<bucket_name>/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "100.101.102.103"
        }
      }
    }
  ]
}
- Rule that provides different users with full access only to specific folders, each user to their own:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "User1PermissionsResource",
      "Effect": "Allow",
      "Principal": {
        "CanonicalUser": "<user_ID>"
      },
      "Action": "*",
      "Resource": ["arn:aws:s3:::<bucket_name>/user1path/*"]
    },
    {
      "Sid": "User1PermissionsPrefix",
      "Effect": "Allow",
      "Principal": {
        "CanonicalUser": "<user_ID>"
      },
      "Action": "s3:ListBucket",
      "Resource": ["arn:aws:s3:::<bucket_name>"],
      "Condition": {
        "StringLike": {
          "s3:prefix": "user1path/*"
        }
      }
    },
    {
      "Sid": "User2PermissionsResource",
      "Effect": "Allow",
      "Principal": {
        "CanonicalUser": "<user_ID>"
      },
      "Action": "*",
      "Resource": ["arn:aws:s3:::<bucket_name>/user2path/*"]
    },
    {
      "Sid": "User2PermissionsPrefix",
      "Effect": "Allow",
      "Principal": {
        "CanonicalUser": "<user_ID>"
      },
      "Action": "s3:ListBucket",
      "Resource": ["arn:aws:s3:::<bucket_name>"],
      "Condition": {
        "StringLike": {
          "s3:prefix": "user2path/*"
        }
      }
    }
  ]
}
- Rule that provides each user and service account with full access to a folder whose name matches the user ID or service account ID:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OwnDirPermissions",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": ["arn:aws:s3:::<bucket_name>/${aws:userid}/*"]
    }
  ]
}