© 2025 Direct Cursus Technology L.L.C.
Access control list (ACL)

Written by
Yandex Cloud
Updated at May 5, 2025
  • Permission grantee’s ID
  • ACL operations
  • Permission types
  • Predefined ACLs
  • Public groups
    • AllUsers
    • AuthenticatedUsers
  • Inheritance of bucket access permissions by Yandex Cloud public groups
    • Viewing bucket access permissions inherited from a folder
    • See also

Object Storage incorporates several access management mechanisms. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.

An Object Storage ACL is a list of permissions for each object and bucket. It is stored directly in Object Storage.

Permissions granted to a bucket apply to all objects it contains. An ACL can also extend access permissions for individual objects.

Warning

A bucket inherits the access permissions in IAM from the folder and cloud where it is located.

For example, a user with the viewer role in IAM for the folder containing the bucket can view its content, even if this permission is not specified in the bucket ACL.

By default, Object Storage creates an empty ACL for each new object or bucket. Users with the appropriate access permissions can edit and upload ACLs for Object Storage buckets and objects.

You can use ACLs to grant permissions to a Yandex Cloud user, service account, user group, or public group (the group of all internet users, the group of all authenticated Yandex Cloud users). To do this, you need to know the permission grantee's ID. When granting permissions, you can use predefined ACLs, which contain common permission sets.

In the management console, you can only grant permissions to service accounts created in the same folder as the bucket. You can grant permissions to service accounts belonging to other folders using the YC CLI (for bucket ACLs only), the AWS CLI, Terraform, or the API.

To view the ACL structure description, see ACL XML schema. You can set up to 100 rules per ACL.

Note

ACLs uploaded for objects apply immediately. ACLs uploaded for buckets, as well as access permissions updated in IAM, apply with a delay. For more information about delays, see the IAM documentation.

Permission grantee’s ID

  • Yandex Cloud user

    You can get the ID in the following ways:

    • In the IAM section of the management console.
    • Using the CLI or IAM API.
  • Service account

    To get the ID, in the management console, select Identity and Access Management from the list of services. In the left-hand panel, select Service accounts and select the service account.

  • Public group

    Use the public group URI to grant permissions.

  • User group

    To get the ID, navigate to the Groups tab in the Cloud Center interface.

ACL operations

  • In the management console, you can edit ACLs for buckets and objects.

  • Using an Amazon S3-compatible API, you can upload or download ACLs for buckets or objects.

    You cannot delete ACLs. To remove all access permissions, upload an empty ACL.

Permission types

Permissions match the user roles in IAM.

Permission   | Role in IAM | Description
-------------|-------------|------------
READ         | viewer      | For buckets: permission to retrieve the list of objects in the bucket, read bucket settings (lifecycle, CORS, static hosting), and read all objects in the bucket. For objects: read permission.
WRITE        | editor      | For buckets: writing, overwriting, and deleting the bucket’s objects. It must be granted together with READ; you cannot grant WRITE on its own. For objects: this permission is meaningless, because the permission is checked on the bucket when an object is written.
FULL_CONTROL | admin       | Full access to objects and buckets.
READ_ACP     | viewer      | Permission to read the ACL. For objects only.
WRITE_ACP    | editor      | Permission to write the ACL. For objects only.

Note

If you specify the WRITE permission without READ when creating an ACL, Object Storage will return the 501 Not Implemented error code.

Predefined ACLs

ACL                       | Description
--------------------------|------------
private                   | Yandex Cloud users get permissions according to their roles in IAM.
bucket-owner-full-control | Yandex Cloud users get permissions according to their roles in IAM.
public-read               | The AllUsers public group gets the READ permission.
public-read-write         | The AllUsers public group gets the READ and WRITE permissions.
authenticated-read        | The AuthenticatedUsers public group gets the READ permission.

Predefined ACLs can be applied to both objects and buckets. When applied to an object, the public-read-write ACL is the same as public-read.

You can upload a predefined ACL only through an Amazon S3-compatible HTTP API. When uploading the ACL, pass its name in the X-Amz-Acl HTTP header.

Public groups

AllUsers

This system group includes all internet users.

The permission for AllUsers looks as follows:

<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
</Grantee>

AuthenticatedUsers

This group includes all authenticated Yandex Cloud users: both from your cloud and other users' clouds.

The permission for AuthenticatedUsers looks as follows:

<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
</Grantee>
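As an added example (not Yandex Cloud's own code), the following Python audits an ACL document for the two conditions this article describes: grants to the AllUsers and AuthenticatedUsers public groups, and a WRITE grant without READ, which Object Storage rejects with 501 Not Implemented. It assumes the S3-compatible AccessControlPolicy/AccessControlList/Grant wrapper elements around the Grantee blocks shown above and a CanonicalUser grantee carrying an ID; the sample ACL and its IDs are constructed placeholders.

```python
import xml.etree.ElementTree as ET
XSI = "{http://www.w3.org/2001/XMLSchema-instance}type"
PUBLIC_GROUPS = {  # group URIs from this article, mapped to their names
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def _child(elem, name):
    # Match on local name so the parser works with or without a default xmlns.
    return next(c for c in elem if c.tag.rsplit("}", 1)[-1] == name)

def parse_grants(acl_xml):
    """Return [(grantee, permission)] where grantee is a group name or an ID."""
    grants = []
    for grant in ET.fromstring(acl_xml).iter():
        if grant.tag.rsplit("}", 1)[-1] != "Grant":
            continue
        grantee = _child(grant, "Grantee")
        perm = _child(grant, "Permission").text.strip()
        if grantee.get(XSI) == "Group":
            uri = _child(grantee, "URI").text.strip()
            grants.append((PUBLIC_GROUPS.get(uri, uri), perm))
        else:
            grants.append((_child(grantee, "ID").text.strip(), perm))
    return grants

def audit_acl(acl_xml):
    """Flag public grants and WRITE without READ (Object Storage answers 501)."""
    perms = {}
    for who, perm in parse_grants(acl_xml):
        perms.setdefault(who, set()).add(perm)
    findings = []
    for who, granted in perms.items():
        if who in PUBLIC_GROUPS.values():
            findings.append(f"public: {who} has {', '.join(sorted(granted))}")
        if "WRITE" in granted and "READ" not in granted:
            findings.append(f"invalid: {who} has WRITE without READ (501 Not Implemented)")
    return findings

# Constructed sample ACL: wrapper elements follow the S3-compatible layout (assumed),
# the <Grantee> blocks are the ones shown in this article, IDs are placeholders.
SAMPLE_ACL = """<AccessControlPolicy>
<AccessControlList>
<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
<ID>EXAMPLE-SERVICE-ACCOUNT-ID</ID></Grantee><Permission>WRITE</Permission></Grant>
<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
<URI>http://acs.amazonaws.com/groups/global/AllUsers</URI></Grantee><Permission>READ</Permission></Grant>
</AccessControlList>
</AccessControlPolicy>"""
```

Running `audit_acl(SAMPLE_ACL)` reports both the WRITE-only grant that Object Storage would reject and the AllUsers READ grant that makes the object or bucket public.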

Inheritance of bucket access permissions by Yandex Cloud public groups

A bucket inherits the access permissions in IAM from the folder and cloud where it is located. If a user has permissions to access the folder or cloud the bucket belongs to, they will also have permissions to access the bucket itself.

Warning

Assigning roles to the All users and All authenticated users public groups for the folder or cloud the bucket belongs to is equivalent to granting public access to the bucket:

  • All authenticated users: All authenticated Yandex Cloud users get access to the bucket, both from your cloud and other users' clouds.
  • All users: Access is granted to all users.

You can grant the same access permissions to a bucket by adding access permissions for the AuthenticatedUsers and AllUsers groups to the bucket ACL.

Viewing bucket access permissions inherited from a folder

A bucket inherits access permissions from the folder. If you want to know which access permissions your bucket has inherited, get a list of roles for the folder. You can also revoke these roles at any time.

  • To get a list of folder roles, run this command:

    yc resource-manager folder list-access-bindings \
      --id b1g7gvsi89m3********
    

    Result:

    +---------+--------------+-----------------------+
    | ROLE ID | SUBJECT TYPE |      SUBJECT ID       |
    +---------+--------------+-----------------------+
    | viewer  | system       | allAuthenticatedUsers |
    | viewer  | system       | allUsers              |
    +---------+--------------+-----------------------+
    

    The output contains allAuthenticatedUsers and allUsers. This means the users of these groups have permissions for this folder and all resources it contains, including buckets.

  • To revoke a role from the All authenticated users public group, run the following command:

    yc resource-manager folder remove-access-binding \
      --id b1g7gvsi89m3******** \
      --role viewer \
      --allAuthenticatedUsers
    
  • To revoke a role from the All users public group, run the following command:

    yc resource-manager folder remove-access-binding \
      --id b1g7gvsi89m3******** \
      --role viewer \
      --allUsers
    

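As an added example (not Yandex Cloud's own code) for the folder check above, this Python parses the table that `yc resource-manager folder list-access-bindings` prints, picks out the bindings granted to the system public groups, and builds the matching remove-access-binding commands from this article. The sample output is the article's table plus one constructed service-account row, and the folder ID is the article's masked placeholder.

```python
PUBLIC_SUBJECTS = {  # subject IDs from the yc output, mapped to the revoke flags
    "allAuthenticatedUsers": "--allAuthenticatedUsers",
    "allUsers": "--allUsers",
}

def parse_bindings(table):
    """Turn the ASCII table printed by yc into [(role_id, subject_type, subject_id)]."""
    rows = []
    for line in table.splitlines():
        if not line.strip().startswith("|"):
            continue  # skip +---+ border lines and anything outside the table
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "ROLE ID":
            continue  # header row
        rows.append(tuple(cells))
    return rows

def public_bindings(table):
    """Return only the bindings held by the All users / All authenticated users groups."""
    return [r for r in parse_bindings(table)
            if r[1] == "system" and r[2] in PUBLIC_SUBJECTS]

def revoke_commands(table, folder_id):
    """Build one `yc ... remove-access-binding` command per public binding found."""
    return [
        f"yc resource-manager folder remove-access-binding --id {folder_id} "
        f"--role {role} {PUBLIC_SUBJECTS[subject]}"
        for role, _, subject in public_bindings(table)
    ]

# Constructed sample: the article's output plus one service-account row (placeholder ID)
# to show that only the system public groups are selected.
SAMPLE_OUTPUT = """\
+---------+--------------+-----------------------+
| ROLE ID | SUBJECT TYPE |      SUBJECT ID       |
+---------+--------------+-----------------------+
| viewer  | system       | allAuthenticatedUsers |
| viewer  | system       | allUsers              |
| editor  | serviceAccount | EXAMPLE-SA-ID       |
+---------+--------------+-----------------------+
"""

if __name__ == "__main__":
    for cmd in revoke_commands(SAMPLE_OUTPUT, "b1g7gvsi89m3********"):
        print(cmd)
```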
See also

  • Editing a bucket ACL
  • Editing an object ACL
