© 2026 Direct Cursus Technology L.L.C.

Uploading objects into a Yandex Object Storage bucket using an ephemeral access key

Written by
Yandex Cloud
Updated at February 24, 2026

Ephemeral access keys are temporary keys with a limited lifespan that provide a secure way to access Yandex Object Storage resources without having to store static keys. In this tutorial, you will learn how to create ephemeral keys and use them to create buckets and upload objects via the AWS CLI.

To upload objects to an Object Storage bucket using an ephemeral access key:

  1. Get your cloud ready.
  2. Create a service account.
  3. Create an ephemeral access key.
  4. Configure the AWS CLI.
  5. Create a bucket.
  6. Upload an object to the bucket.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

Required paid resources

The infrastructure support cost includes:

  • Fee for storing data in a bucket (see Object Storage pricing).
  • Fee for data operations (see Object Storage pricing).

Set up your environment

Install and configure the AWS CLI.

Create a service account

Create a service account you will use to create a bucket and upload objects. Assign it the storage.editor role for the folder.

Management console

  1. In the management console, select Identity and Access Management.
  2. Click Create service account.
  3. In the Name field, specify ephemeral-sa.
  4. Click Add role and select storage.editor.
  5. Click Create.

Yandex Cloud CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. Create a service account:

    yc iam service-account create \
      --name ephemeral-sa

    Result:

    id: ajeab0cnib1p********
    folder_id: b0g12ga82bcv********
    created_at: "2025-10-03T09:44:35.989446Z"
    name: ephemeral-sa

  2. Assign the storage.editor role for the folder to the service account:

    yc resource-manager folder add-access-binding <folder_name> \
      --service-account-name ephemeral-sa \
      --role storage.editor

    Result:

    effective_deltas:
      - action: ADD
        access_binding:
          role_id: storage.editor
          subject:
            id: ajeab0cnib1p********
            type: serviceAccount

API

  1. Create a service account named ephemeral-sa. Do it by using the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.
  2. Assign the storage.editor role for the current folder to the service account. Do it by using the setAccessBindings REST API method for the Folder resource or the FolderService/SetAccessBindings gRPC API call.

To manage access to the bucket, your service account must have the storage.admin role.

To work with objects in an encrypted bucket, a user or service account must have the following roles for the encryption key in addition to the storage.configurer role:

  • kms.keys.encrypter: To read the key, encrypt and upload objects.
  • kms.keys.decrypter: To read the key, decrypt and download objects.
  • kms.keys.encrypterDecrypter: This role includes the kms.keys.encrypter and kms.keys.decrypter permissions.

For more information, see Key Management Service service roles.

Create an ephemeral access key

Create an ephemeral access key for the ephemeral-sa service account.

Yandex Cloud CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. Get the service account ID:

    yc iam service-account get --name ephemeral-sa --format json | jq -r .id
    
  2. Create an ephemeral access key:

    yc iam access-key issue-ephemeral \
      --subject-id <service_account_ID> \
      --session-name ephemeral-key-storage \
      --duration 2h
    

    Where:

    • --subject-id: ID of the ephemeral-sa service account you got in the previous step.
    • --session-name: Session name.
    • --duration: Key lifetime.

    Result:

    access_key_id: ajelprpohp8t********
    secret: YCOs05v-KRXqhYpUINdWArH4MINhMyJ6CGU********
    session_token: s1.9muilY********
    expires_at: "2025-12-16T06:23:51.383485065Z"
    
  3. Save access_key_id, the secret key, and session_token.

    Alert

    You will not be able to get these values again.

Configure the AWS CLI

Configure the AWS CLI to work with the ephemeral access key.

AWS CLI
  1. Create a new profile in the ~/.aws/credentials file:

    [ephemeral-profile]
    aws_access_key_id     = <key_ID>
    aws_secret_access_key = <secret_key>
    aws_session_token     = <session_token>
    

    In this profile, specify the values you got when creating the ephemeral key:

    • aws_access_key_id: access_key_id key ID.
    • aws_secret_access_key: secret key.
    • aws_session_token: session_token.
  2. Configure the Object Storage endpoint for the new profile:

    aws configure set endpoint_url https://storage.yandexcloud.net/ --profile ephemeral-profile
    

    Note

    Instead of setting the endpoint, you can specify it when running commands using --endpoint-url.

  3. Check your configuration:

    aws s3 ls --profile ephemeral-profile
    

    If the configuration is correct, the command will run without errors.
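
The sketch below is an added example, not part of the original tutorial or Yandex Cloud's own tooling. It parses the Result text of yc iam access-key issue-ephemeral in the shape shown above and renders the ephemeral-profile stanza, refusing a key whose expires_at has passed or whose fields are missing. The function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the shape of the Result above (not real credentials).
SAMPLE_RESULT='access_key_id: EXAMPLEKEYID0000
secret: EXAMPLE-SECRET-0000
session_token: s1.EXAMPLETOKEN
expires_at: "2099-01-01T00:00:00.000000000Z"'

# field NAME: print the value of the "NAME: value" line on stdin, quotes stripped.
field() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1 | tr -d '"'
}

# utc_digits TS: reduce an RFC 3339 UTC timestamp to YYYYMMDDhhmmss so two
# timestamps can be compared as integers (fractional seconds are dropped).
utc_digits() {
  printf '%s' "$1" | cut -c1-19 | tr -cd '0-9'
}

# key_is_live RESULT [NOW]: succeed only if expires_at is well-formed and later
# than NOW (default: current UTC time).
key_is_live() {
  exp=$(utc_digits "$(printf '%s\n' "$1" | field expires_at)")
  now=$(utc_digits "${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}")
  [ "${#exp}" -eq 14 ] && [ "$exp" -gt "$now" ]
}

# render_profile RESULT [NOW]: print the ephemeral-profile stanza, or fail
# without printing anything if the key is expired or a field is missing.
render_profile() {
  key_is_live "$1" "${2:-}" || { echo "key expired or expires_at missing" >&2; return 1; }
  id=$(printf '%s\n' "$1" | field access_key_id)
  secret=$(printf '%s\n' "$1" | field secret)
  token=$(printf '%s\n' "$1" | field session_token)
  if [ -z "$id" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "incomplete key material" >&2; return 1
  fi
  printf '[ephemeral-profile]\n'
  printf 'aws_access_key_id     = %s\n' "$id"
  printf 'aws_secret_access_key = %s\n' "$secret"
  printf 'aws_session_token     = %s\n' "$token"
}

# Demo on the constructed sample; only the non-secret key ID line is shown.
render_profile "$SAMPLE_RESULT" | grep '^aws_access_key_id'
```

With a real key, pass the command's output straight to render_profile and append the result to ~/.aws/credentials under umask 077, so the secret is not typed into shell history or left readable by other users.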

Create a bucket

Create a bucket to store objects.

AWS CLI

Run this command with the bucket name specified:

aws s3 mb s3://<bucket_name> \
  --profile ephemeral-profile

Result:

make_bucket: my-bucket

For more information, see Creating a bucket.

Upload an object to the bucket

Upload an object to the new bucket.

AWS CLI
  1. Create a test file:

    echo "Hello, Yandex Cloud!" > test-file.txt
    
  2. Run the command below to upload the file, stating the path to the local file, bucket name, and key for storing the object in the bucket:

    aws s3 cp test-file.txt \
      s3://<bucket_name>/test-file.txt \
      --profile ephemeral-profile
    

    Result:

    upload: ./test-file.txt to s3://my-bucket/test-file.txt
    
  3. Make sure the object has been uploaded successfully:

    aws s3 ls s3://<bucket_name>/ \
      --profile ephemeral-profile
    

    Result:

    2025-10-03 09:45:12         23 test-file.txt
    

For more information, see Uploading an object.

How to delete the resources you created

To stop paying for the resources you created:

  • Delete the objects from the bucket.
  • Delete the bucket.

See also

  • Getting started with the AWS CLI in Yandex Object Storage
  • Ephemeral access keys compatible with AWS APIs
  • Managing ephemeral access keys
