Access control list (ACL)

Written by

Updated at May 5, 2025

Permission grantee’s ID
ACL operations
Permission types
Predefined ACLs
Public groups
- AllUsers
- AuthenticatedUsers
Inheritance of bucket access permissions by Yandex Cloud public groups
- Viewing bucket access permissions inherited from a folder
- See also

Object Storage incorporates several access management mechanisms. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.

An Object Storage ACL is a list of permissions for each object and bucket. It is stored directly in Object Storage.

Permissions granted to a bucket apply to all objects it contains. With ACLs, you can also extend access permissions to individual objects.

Warning

A bucket inherits the access permissions in IAM from the folder and cloud where it is located.

For example, a user with the viewer role in IAM for the folder containing the bucket can view its content, even if this permission is not specified in the bucket ACL.

By default, Object Storage creates an empty ACL for each new object or bucket. Users with the appropriate access permissions can edit and upload ACLs for Object Storage buckets and objects.

You can use ACLs to grant permissions to a Yandex Cloud user, service account, user group, or public group (the group of all internet users, the group of all authenticated Yandex Cloud users). To do this, you need to know the permission grantee's ID. When granting permissions, you can use predefined ACLs, which contain common permission sets.

In the management console, you can only grant permissions to service accounts created in the same folder as the bucket. You can grant permissions to service accounts belonging to other folders using the YC CLI (only for ACL buckets), AWS CLI, Terraform, or API.

To view the ACL structure description, see ACL XML schema. You can set up to 100 rules per ACL.

Note

ACLs uploaded for objects apply immediately. ACLs uploaded for buckets, as well as access permissions updated in IAM, apply with a delay. For more information about delays, see the IAM documentation.

Permission grantee’s ID

Yandex Cloud user

You can get the ID in the following ways:
- In the IAM section of the management console.
- Using the CLI or IAM API.
Service account

To get the ID, in the management console, select Identity and Access Management from the list of services. In the left-hand panel, select Service accounts and select the service account.
Public group

Use the public group URI to grant permissions.
User group

To get the ID, navigate to the Groups tab in the Cloud Center interface.

ACL operations

In the management console, you can edit ACLs for buckets and objects.
Using an Amazon S3-compatible API, you can upload or download ACLs for buckets or objects.

You cannot delete ACLs. To remove all access permissions, upload an empty ACL.

Permission types

Permissions match the user roles in IAM.

Permission	Role in IAM	Description
`READ`	`viewer`	For buckets: Permission to retrieve a list of objects in the bucket, read various bucket settings (lifecycle, CORS, static hosting), and read all objects in the bucket. For objects: Read permission.
`WRITE`	`editor`	For buckets: Writing, overwriting, and deleting the bucket’s objects. You must use it together with `READ`; you cannot grant the `WRITE` permission separately. For objects: This permission is meaningless, because the permission is checked for the bucket when writing an object.
`FULL_CONTROL`	`admin`	Full access to objects and buckets.
`READ_ACP`	`viewer`	ACL read permission. For objects only.
`WRITE_ACP`	`editor`	ACL write permission. For objects only.

Note

If you specify the WRITE permission without READ when creating an ACL, Object Storage will return the 501 Not Implemented error code.

Predefined ACLs

ACL	Description
`private` `bucket-owner-full-control`	Yandex Cloud users get permissions according to their roles in IAM.
`public-read`	The `AllUsers` public group gets the `READ` permission.
`public-read-write`	The `AllUsers` public group gets the `READ` and `WRITE` permissions.
`authenticated-read`	The `AuthenticatedUsers` public group gets the `READ` permission.

Predefined ACLs can be applied to both objects and buckets. When applied to an object, the public-read-write ACL is the same as public-read.

You can upload a predefined ACL using only an Amazon S3-compatible HTTP API. When uploading an ACL, use the X-Amz-Acl HTTP header.

Public groups

AllUsers

This system group includes all internet users.

The permission for AllUsers looks as follows:

<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
</Grantee>

AuthenticatedUsers

This group includes all authenticated Yandex Cloud users: both from your cloud and other users' clouds.

The permission for AuthenticatedUsers looks as follows:

<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
</Grantee>

Inheritance of bucket access permissions by Yandex Cloud public groups

A bucket inherits the access permissions in IAM from the folder and cloud where it is located. If a user has permissions to access the folder or cloud the bucket belongs to, they will also have permissions to access the bucket itself.

Warning

Assigning roles to the All users and All authenticated users public groups for the folder or cloud the bucket belongs to is equivalent to granting public access to the bucket:

All authenticated users: All authenticated Yandex Cloud users get access to the bucket, both from your cloud and other users' clouds.
All users: Access is granted to all users.

You can grant the same access permissions to a bucket by adding access permissions for the AuthenticatedUsers and AllUsers groups to the bucket ACL.

Viewing bucket access permissions inherited from a folder

A bucket inherits access permissions from the folder. If you want to know which access permissions your bucket has inherited, get a list of roles for the folder. You can also revoke these roles at any time.

To get a list of folder roles, run this command:

yc resource-manager folder list-access-bindings \
  --id b1g7gvsi89m3********

Result:

+---------+--------------+-----------------------+
| ROLE ID | SUBJECT TYPE |      SUBJECT ID       |
+---------+--------------+-----------------------+
| viewer  | system       | allAuthenticatedUsers |
| viewer  | system       | allUsers              |
+---------+--------------+-----------------------+

The output contains allAuthenticatedUsers and allUsers. This means the users of these groups have permissions for this folder and all resources it contains, including buckets.

To revoke a role from the All authenticated users public group, run the following command:

yc resource-manager folder remove-access-binding \
  --id b1g7gvsi89m3******** \
  --role viewer \
  --allAuthenticatedUsers

To revoke a role from the All users public group, run the following command:

yc resource-manager folder remove-access-binding \
  --id b1g7gvsi89m3******** \
  --role viewer \
  --allUsers

Access control list (ACL)

Permission grantee’s IDPermission grantee’s ID

ACL operationsACL operations

Permission typesPermission types

Predefined ACLsPredefined ACLs

Public groupsPublic groups

AllUsersAllUsers

AuthenticatedUsersAuthenticatedUsers

Inheritance of bucket access permissions by Yandex Cloud public groupsInheritance of bucket access permissions by Yandex Cloud public groups

Viewing bucket access permissions inherited from a folderViewing bucket access permissions inherited from a folder

See alsoSee also

Was the article helpful?