Yandex project
© 2025 Yandex.Cloud LLC

Assigning an access policy in Object Storage for a service connection

Written by
Yandex Cloud
Updated at May 5, 2025

Warning

The VPC Private Endpoints feature is at the Preview stage. To request access to the feature, contact your account manager.

Bucket policies set permissions for operations with buckets, objects, and object groups.

The minimum role required to apply or modify an access policy is storage.configurer. For more information, see the role description.

To assign an access policy in Object Storage for a service connection:

Management console
  1. In the management console, select the folder where you configured the VPC service connection.

  2. Select Object Storage.

  3. Select the bucket from the list.

  4. In the left-hand menu, go to the Security tab.

  5. At the top of the screen, navigate to the Access policy tab.

  6. Click Configure access.

  7. Enter a bucket policy ID, e.g., private-endpoint-policy.

  8. Set up a rule:

    1. Enter a rule ID, e.g., private-endpoint-rule.

    2. Configure rule settings:

      • Result: Enable.

      • Selection principle: Include users.

      • User: All users.

      • Action: Select All actions.

      • Resource: <bucket_name>/*.

        Click Add resource and enter <bucket_name>.

        Note

        A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all the objects, specify them as separate resources, e.g., samplebucket and samplebucket/*.

    3. Add a condition for the rule:

      • In the Key field, select private-endpoint-id.
      • In the Operator field, select StringEquals.
      • In the Value field, specify the service connection (Private Endpoint) ID, e.g., enpd7rq1s3f5********.
  9. Click Save.

AWS CLI

Note

To manage a policy using the AWS CLI, a service account needs the storage.admin role.

If you do not have the AWS CLI yet, install and configure it.

  1. Describe your bucket policy configuration as a JSON data schema:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "*",
        "Resource": [
          "arn:aws:s3:::<bucket_name>/*",
          "arn:aws:s3:::<bucket_name>"
        ],
        "Condition": {
          "StringEquals": {
            "yc:private-endpoint-id": "<connection_ID>"
          }
        }
      }
    }
    

    Where:

    • <bucket_name>: Name of the bucket in Object Storage to which you need to apply the access policy, e.g., my-s3-bucket.
    • <connection_ID>: Service connection ID (private endpoint), e.g., enpd7rq1s3f5********.
  2. Save the final configuration to a file named policy.json.

  3. Run this command:

    aws s3api put-bucket-policy \
      --endpoint https://storage.yandexcloud.net \
      --bucket <bucket_name> \
      --policy file://policy.json
    
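The same procedure, scripted end to end, as an added example that is not part of the Yandex Cloud documentation: a POSIX shell script that renders the policy from a bucket name and a private endpoint ID, checks that the rendered file references the bucket, its objects and the expected `yc:private-endpoint-id` condition, applies it with `aws s3api put-bucket-policy`, and reads the policy back for review. It assumes the AWS CLI is installed and configured with a service account key that has the storage.admin role, as stated above; the sample values `my-s3-bucket` and `enpd7rq1s3f5example` are constructed. Run it as `sh apply_policy.sh --apply <bucket_name> <connection_ID>`; without `--apply` it only defines the functions.

```shell
#!/bin/sh
# Added example, not from the Yandex Cloud documentation.
# Assumes: AWS CLI installed and configured for a service account with storage.admin.
set -eu

# Print the bucket policy JSON for a bucket and a private endpoint (service connection) ID.
# The document is the one shown on the page; only the two placeholders are filled in.
render_policy() {
  bucket="$1"
  endpoint_id="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "*",
    "Resource": [
      "arn:aws:s3:::${bucket}/*",
      "arn:aws:s3:::${bucket}"
    ],
    "Condition": {
      "StringEquals": {
        "yc:private-endpoint-id": "${endpoint_id}"
      }
    }
  }
}
EOF
}

# Sanity-check a policy file before applying it: the bucket itself and bucket/* must
# both be listed as resources (a bucket resource does not cover its objects), and the
# condition must name the expected private endpoint ID. Returns 0 when all three are present.
check_policy() {
  file="$1"
  bucket="$2"
  endpoint_id="$3"
  grep -q "\"arn:aws:s3:::${bucket}\"" "$file" || return 1
  grep -q "\"arn:aws:s3:::${bucket}/\*\"" "$file" || return 1
  grep -q "\"yc:private-endpoint-id\": \"${endpoint_id}\"" "$file" || return 1
  return 0
}

# Apply the policy file to the bucket, then read it back so the result can be reviewed.
apply_policy() {
  bucket="$1"
  file="$2"
  aws s3api put-bucket-policy \
    --endpoint https://storage.yandexcloud.net \
    --bucket "$bucket" \
    --policy "file://$file"
  aws s3api get-bucket-policy \
    --endpoint https://storage.yandexcloud.net \
    --bucket "$bucket"
}

# Only touch the cloud when explicitly asked to, so the functions can be sourced safely.
if [ "${1:-}" = "--apply" ]; then
  bucket="${2:?bucket name required}"
  endpoint_id="${3:?private endpoint ID required}"
  render_policy "$bucket" "$endpoint_id" > policy.json
  check_policy policy.json "$bucket" "$endpoint_id"
  apply_policy "$bucket" policy.json
fi
```

The check step is deliberately strict about the endpoint ID: a typo there produces a policy that no client can satisfy, and the bucket becomes unreachable from the intended network, so the file is rejected before the `put-bucket-policy` call rather than after.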

Once the bucket policy is applied, you can access the bucket only from the VPC cloud network in which you created the relevant service connection (Private Endpoint).

Learn more about managing a bucket policy in Bucket policy management.
