Bucket policy

Written by

Updated at November 21, 2024

Policy components
Bucket access via the management console
Sample configurations
- See also

Object Storage incorporates multiple mechanisms for managing access to resources. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.

Bucket policies set permissions for actions with buckets, objects, and object groups.

A policy is triggered when a user makes a request to a resource. As a result, the request is either executed or rejected.

Enabling public access to bucket operations does not override the restrictions set in the access policies.

Note

If a bucket policy with no rules is applied to the bucket, access is denied to all users. To disable request verification for a bucket policy, delete it.

You can set up a bucket policy in the management console or describe it in JSON format using a special scheme to provide the settings through one of the software tools: the Yandex Cloud CLI, AWS CLI, Terraform, or API. To learn more about policy management, see this guide.

Warning

If a bucket communicates with a Hive Metastore cluster, do not assign it a bucket policy; otherwise, the cluster will not be able to write any data to the bucket.

Policy components

A bucket policy consists of rules, a rule consisting of the following basic elements:

Resource

Bucket, object in a bucket (<bucket_name>/some/key), or prefix (<bucket_name>/some/path/*), including an empty prefix to indicate all bucket objects (<bucket_name>/*). You can specify multiple resources in a rule.

Note

A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all objects, specify them as separate resources, such as samplebucket and samplebucket/*.

If you describe a policy in JSON format, a resource must have the arn:aws:s3::: prefix, e.g., arn:aws:s3:::<bucket_name>.

If the resource name contains ?, *, or $, enclose each one of these characters in curly braces ({}) preceded with $. For example, a record mapped to a bucket named my?bucket will read my${?}bucket.

Action

Operations with a resource that will be either denied or allowed by the rule. For more information, see Actions.

Result

Denies or allows the requested action. First, the request is checked against the Deny action filter. If there is a match, the request is rejected and no further checks are performed. If it meets the Allow action filter criteria, the request is allowed. If the request does not trigger any of the filters, it is rejected.

Principal

Grantee of the requested permission. It can be an IAM user, federated user, service account, anonymous user, or user group. You can specify a user group in the policy using the Yandex Cloud CLI, AWS CLI, Terraform, and the API.

Condition

Establishes the cases in which the rule will apply.

If multiple conditions are specified simultaneously for a rule or multiple keys are specified simultaneously within a single condition, then such conditions and keys will apply with the AND logic.

If multiple values are specified simultaneously for one condition key, such values will apply with the OR logic.

For more information, see Conditions.

Bucket access via the management console

If a bucket has an access policy configured, access to the bucket via the Yandex Cloud management console is disabled by default. To enable bucket access, you need to add a rule in the Statement section to allow any requests to <bucket_name>/* or <bucket_name> from the management console.

Example of a rule for a specific Yandex Cloud user:

{
  "Effect": "Allow",
  "Principal": {
    "CanonicalUser": "<user_ID>"
  },
  "Action": "*",
  "Resource": [
    "arn:aws:s3:::<bucket_name>/*",
    "arn:aws:s3:::<bucket_name>"
  ],
  "Condition": {
    "StringLike": {
      "aws:referer": "https://console.yandex.cloud/folders/*/storage/buckets/your-bucket-name*"
    }
  }
}

Example of using the console.cloud.yandex.* domain together with console.yandex.cloud

If you are using the old domain (console.cloud.yandex.*) together with the new one (console.yandex.cloud), set the following policy rules:

{
  "Effect": "Allow",
  "Principal": {
    "CanonicalUser": "<user_ID>"
  },
  "Action": "*",
  "Resource": [
    "arn:aws:s3:::<bucket_name>/*",
    "arn:aws:s3:::<bucket_name>"
  ],
  "Condition": {
    "StringLike": {
      "aws:referer": [
        "https://console.cloud.yandex.*/folders/*/storage/buckets/your-bucket-name*",
        "https://console.yandex.cloud/folders/*/storage/buckets/your-bucket-name*"
      ]
    }
  }
}

You can retrieve the user ID by following this guide in the Yandex Identity and Access Management documentation.

Sample configurations

Rule that allows an anonymous user to read objects in the bucket over an encrypted connection:

{
  "Id": "epd4limdp3dg********",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "f1qqoehl1q53********",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}

Rule that allows downloading objects only from a specified range of IP addresses:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "100.101.102.128/30"
        }
      }
    }
  ]
}

Rule that prohibits downloading objects from the specified IP address:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::<bucket_name>/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "100.101.102.103"
        }
      }
    }
  ]
}

Rule that provides different users with full access only to specific folders – each user to their own:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"User1PermissionsResource",
      "Effect":"Allow",
      "Principal": {
        "CanonicalUser": "<user_ID>"
      },
      "Action": "*",
      "Resource":["arn:aws:s3:::<bucket_name>/user1path/*"]
    },
    {
      "Sid":"User1PermissionsPrefix",
      "Effect":"Allow",
      "Principal": {
          "CanonicalUser": "<user_ID>"
      },
      "Action": "s3:ListBucket",
      "Resource":["arn:aws:s3:::<bucket_name>"],
      "Condition": {
        "StringLike": {
          "s3:prefix": "user1path/*"
        }
      }
    },
    {
      "Sid":"User2PermissionsResource",
      "Effect":"Allow",
      "Principal": {
        "CanonicalUser": "<user_ID>"
      },
      "Action": "*",
      "Resource":["arn:aws:s3:::<bucket_name>/user2path/*"]
    },
    {
      "Sid":"User2PermissionsPrefix",
      "Effect":"Allow",
      "Principal": {
        "CanonicalUser": "<user_ID>"
      },
      "Action": "s3:ListBucket",
      "Resource":["arn:aws:s3:::<bucket_name>"],
      "Condition": {
        "StringLike": {
          "s3:prefix": "user2path/*"
        }
      }
    }
  ]
}

Rule that provides each user and service account with full access to a folder with the name matching the user ID or service account ID:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid": "OwnDirPermissions",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": ["arn:aws:s3:::<bucket_name>/${aws:userid}/*"]
    }
  ]
}

Bucket policy

Policy componentsPolicy components

Bucket access via the management consoleBucket access via the management console

Sample configurationsSample configurations

See alsoSee also

Was the article helpful?

Policy components

Bucket access via the management console

Sample configurations

See also