© 2025 Direct Cursus Technology L.L.C.

In this article:

  • Policy components
  • Bucket access via the management console
  • Bucket access via a chain of reverse proxy servers
  • Configuration examples
  • See also

Bucket policy

Written by
Yandex Cloud
Updated at May 5, 2025

Object Storage incorporates several access management mechanisms. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.

Bucket policies set permissions for actions with buckets, objects, and object groups.

A policy applies when a user makes a request to a resource. As a result, the request is either executed or rejected.

Enabling public access to bucket operations does not override the restrictions set in the access policies.

Note

If a bucket policy with no rules is applied to the bucket, access is denied to all users. To disable request verification for a bucket policy, delete it.

You can set up a bucket policy in the management console, or describe it in JSON format according to a dedicated schema and apply it with one of the supported tools: the Yandex Cloud CLI, AWS CLI, Terraform, or API. Learn more about policy management in this guide.

If you want to assign an access policy to a bucket and connect to this bucket from a Hive Metastore or Yandex Managed Service for Apache Airflow™ cluster, you will need some additional infrastructure setup. For more information, see these guides for Metastore and Managed Service for Apache Airflow™.

Policy components

A bucket policy consists of rules that comprise the following basic elements:

Resource

Bucket, object in a bucket (<bucket_name>/some/key), or prefix (<bucket_name>/some/path/*), including an empty prefix to indicate all bucket objects (<bucket_name>/*). You can specify multiple resources in a rule.

Note

A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all the objects, specify them as separate resources, e.g., samplebucket and samplebucket/*.

If you describe a policy in JSON format, a resource must have the arn:aws:s3::: prefix, e.g., arn:aws:s3:::<bucket_name>.

If the resource name contains ?, *, or $, enclose each of these characters in curly braces ({}) preceded by $. For example, the resource entry for a bucket named my?bucket reads my${?}bucket.

Action

Operations with a resource that will be either denied or allowed by the rule. For more information, see Actions.

Result

Denies or allows the requested action. The request is first checked against the Deny rules: if one matches, the request is rejected and no further checks are performed. It is then checked against the Allow rules: if one matches, the request is allowed. A request that matches neither a Deny nor an Allow rule is rejected.

Principal

Grantee of the requested permission. It can be an IAM user, federated user, service account, anonymous user, or user group.

Condition

Establishes the cases when the rule applies.

Note

The aws:sourceip condition supports a special procedure for verifying reverse proxy server IP addresses.

If multiple conditions are specified simultaneously for a rule or multiple keys are specified simultaneously within a single condition, then such conditions and keys will apply with the AND logic.

If multiple values are specified simultaneously for one condition key, such values will apply with the OR logic.

For more information, see Conditions.

Bucket access via the management console

If a bucket has an access policy configured, access to the bucket via the Yandex Cloud management console is disabled by default. To enable bucket access, you need to add a rule in the Statement section to allow any requests to <bucket_name>/* or <bucket_name> from the management console.

Example of a rule for a specific Yandex Cloud user:

{
  "Effect": "Allow",
  "Principal": {
    "CanonicalUser": "<user_ID>"
  },
  "Action": "*",
  "Resource": [
    "arn:aws:s3:::<bucket_name>/*",
    "arn:aws:s3:::<bucket_name>"
  ],
  "Condition": {
    "StringLike": {
      "aws:referer": "https://console.yandex.cloud/folders/*/storage/buckets/your-bucket-name*"
    }
  }
}

Example of using the console.cloud.yandex.* domain together with console.yandex.cloud

If you are using the old domain (console.cloud.yandex.*) together with the new one (console.yandex.cloud), set the following policy rules:

{
  "Effect": "Allow",
  "Principal": {
    "CanonicalUser": "<user_ID>"
  },
  "Action": "*",
  "Resource": [
    "arn:aws:s3:::<bucket_name>/*",
    "arn:aws:s3:::<bucket_name>"
  ],
  "Condition": {
    "StringLike": {
      "aws:referer": [
        "https://console.cloud.yandex.*/folders/*/storage/buckets/your-bucket-name*",
        "https://console.yandex.cloud/folders/*/storage/buckets/your-bucket-name*"
      ]
    }
  }
}

You can retrieve the user ID by following this guide in the Yandex Identity and Access Management documentation.

Bucket access via a chain of reverse proxy servers

For Object Storage to work with requests sent over a series of reverse proxy servers, the aws:sourceip condition checks both the IP address the request came from and the IP addresses of reverse proxy servers, e.g., those provided in the X-Forwarded-For header.

First a request is checked against the Deny access policy rules. If at least one IP address meets the Deny rule criteria, the request is denied. No further checks are performed.

Then the request is checked against the Allow access policy rules. If at least one IP address meets the Allow rule criteria, the request is allowed.

Example of bucket access configuration via a chain of reverse proxy servers

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "the-allowing-rule",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::sample-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:sourceip": [
            "192.168.1.1",
            "192.168.1.2"
          ]
        }
      }
    },
    {
      "Sid": "the-denying-rule",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::sample-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:sourceip": [
            "192.168.1.11",
            "192.168.1.12"
          ]
        }
      }
    }
  ]
}

If the bucket receives a request with the X-Forwarded-For: 192.168.1.1, 192.168.1.2, 192.168.1.12 header, the request is denied because the header contains an IP address listed in the Deny rule.

If the bucket receives a request with the X-Forwarded-For: 192.168.2.100, 192.168.2.1, 192.168.1.2 header, the request is allowed because the header contains none of the IP addresses listed in the Deny rule but does contain an IP address listed in the Allow rule.

Configuration examples

  • Allow an anonymous user to read bucket objects over an encrypted connection
  • Allow downloading objects only from a specified IP address range
  • Deny downloading objects from a specified IP address
  • Grant users full access to specific folders
  • Provide each user or service account with full access to a folder

Rule that allows an anonymous user to read bucket objects over an encrypted connection:

{
  "Id": "epd4limdp3dg********",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "f1qqoehl1q53********",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}

Rule that allows downloading objects only from a specified range of IP addresses:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "100.101.102.128/30"
        }
      }
    }
  ]
}

Rule that denies downloading objects from a specified IP address:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::<bucket_name>/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "100.101.102.103"
        }
      }
    }
  ]
}

Rule that provides different users with full access only to their respective folders:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"User1PermissionsResource",
      "Effect":"Allow",
      "Principal": {
        "CanonicalUser": "<user_ID>"
      },
      "Action": "*",
      "Resource":["arn:aws:s3:::<bucket_name>/user1path/*"]
    },
    {
      "Sid":"User1PermissionsPrefix",
      "Effect":"Allow",
      "Principal": {
          "CanonicalUser": "<user_ID>"
      },
      "Action": "s3:ListBucket",
      "Resource":["arn:aws:s3:::<bucket_name>"],
      "Condition": {
        "StringLike": {
          "s3:prefix": "user1path/*"
        }
      }
    },
    {
      "Sid":"User2PermissionsResource",
      "Effect":"Allow",
      "Principal": {
        "CanonicalUser": "<user_ID>"
      },
      "Action": "*",
      "Resource":["arn:aws:s3:::<bucket_name>/user2path/*"]
    },
    {
      "Sid":"User2PermissionsPrefix",
      "Effect":"Allow",
      "Principal": {
        "CanonicalUser": "<user_ID>"
      },
      "Action": "s3:ListBucket",
      "Resource":["arn:aws:s3:::<bucket_name>"],
      "Condition": {
        "StringLike": {
          "s3:prefix": "user2path/*"
        }
      }
    }
  ]
}

Rule that provides each user and service account with full access to a folder with the name matching the user ID or service account ID:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid": "OwnDirPermissions",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": ["arn:aws:s3:::<bucket_name>/${aws:userid}/*"]
    }
  ]
}
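The evaluation rules described above (Deny checked before Allow with a default reject, AND across condition operators and keys with OR across one key's values, the ${?}-style escaping of resource names, the X-Forwarded-For chain check, and the ${aws:userid} variable in the last example) can be exercised with a small model evaluator. The following Python is an added example, not Yandex Cloud or Object Storage code: it implements only the IpAddress, Bool and StringLike operators, treats a bare ? as a single-character wildcard (an assumption taken from AWS IAM; this page says only that ? must be escaped), and uses constructed values for the client address 10.0.0.5, the user ID aje1example and the bucket name in the own-folder policy. The first policy dict is the reverse-proxy example from this page; the second is the own-folder example with sample-bucket standing in for <bucket_name>.

```python
import ipaddress
import re

def escape_resource_name(name):
    """Write a bucket or object name so that ?, * and $ are taken literally."""
    return "".join("${" + ch + "}" if ch in "?*$" else ch for ch in name)

def pattern_to_regex(pattern, variables):
    """Policy pattern -> anchored regex: variables such as ${aws:userid} are filled in,
    ${?} ${*} ${$} are literals, bare * and ? are wildcards (? as in AWS IAM; assumed)."""
    for name, value in variables.items():
        pattern = pattern.replace("${" + name + "}", value)
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("${", i) and i + 3 < len(pattern) and pattern[i + 3] == "}":
            out.append(re.escape(pattern[i + 2]))
            i += 4
        else:
            out.append({"*": ".*", "?": "."}.get(pattern[i], re.escape(pattern[i])))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, user_id):
    if principal == "*":  # anonymous and authenticated callers alike
        return True
    return user_id is not None and user_id in _as_list(principal.get("CanonicalUser", []))

def _condition_matches(condition, ctx):
    """Every operator and key must hold (AND); the values of one key are OR-ed."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            actual = ctx.get(key.lower())  # condition keys are matched case-insensitively
            if actual is None:
                return False
            values = _as_list(values)
            if operator == "IpAddress":  # any address in the chain against any listed range
                nets = [ipaddress.ip_network(v, strict=False) for v in values]
                ok = any(ipaddress.ip_address(ip) in n for ip in _as_list(actual) for n in nets)
            elif operator == "Bool":
                ok = str(actual).lower() in [v.lower() for v in values]
            elif operator == "StringLike":
                ok = any(pattern_to_regex(v, {}).match(actual) for v in values)
            else:
                raise ValueError("unsupported condition operator: " + operator)
            if not ok:
                return False
    return True

def _statement_matches(stmt, req):
    variables = {"aws:userid": req["user_id"]} if req.get("user_id") else {}
    return (_principal_matches(stmt["Principal"], req.get("user_id"))
            and any(pattern_to_regex(a, {}).match(req["action"]) for a in _as_list(stmt["Action"]))
            and any(pattern_to_regex(r, variables).match(req["resource"])
                    for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt.get("Condition", {}), req.get("context", {})))

def evaluate(policy, req):
    """Deny first (one match rejects), then Allow (one match accepts), else rejected."""
    for effect in ("Deny", "Allow"):
        if any(s["Effect"] == effect and _statement_matches(s, req) for s in policy["Statement"]):
            return effect
    return "Deny"

def source_ips(client_ip, x_forwarded_for=""):
    """The connecting address plus every hop listed in X-Forwarded-For."""
    return [client_ip] + [p.strip() for p in x_forwarded_for.split(",") if p.strip()]

# Two policies from this page as Python dicts (sample-bucket is the page's own name in the
# first; it is a constructed stand-in for <bucket_name> in the second).
PROXY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "the-allowing-rule", "Effect": "Allow", "Principal": "*", "Action": "*",
     "Resource": "arn:aws:s3:::sample-bucket/*",
     "Condition": {"IpAddress": {"aws:sourceip": ["192.168.1.1", "192.168.1.2"]}}},
    {"Sid": "the-denying-rule", "Effect": "Deny", "Principal": "*", "Action": "*",
     "Resource": "arn:aws:s3:::sample-bucket/*",
     "Condition": {"IpAddress": {"aws:sourceip": ["192.168.1.11", "192.168.1.12"]}}}]}
OWN_DIR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnDirPermissions", "Effect": "Allow", "Principal": "*", "Action": "*",
     "Resource": ["arn:aws:s3:::sample-bucket/${aws:userid}/*"]}]}

def proxied_get(x_forwarded_for):
    """Anonymous GET through a proxy chain; 10.0.0.5 is a constructed address for the
    last proxy, the one that actually connects to the storage."""
    return evaluate(PROXY_POLICY, {"user_id": None, "action": "s3:GetObject",
                                   "resource": "arn:aws:s3:::sample-bucket/report.pdf",
                                   "context": {"aws:sourceip": source_ips("10.0.0.5", x_forwarded_for)}})

def own_dir_get(user_id, key):
    """GET by an authenticated user (IDs are constructed) against the own-folder policy."""
    return evaluate(OWN_DIR_POLICY, {"user_id": user_id, "action": "s3:GetObject",
                                     "resource": "arn:aws:s3:::sample-bucket/" + key})

if __name__ == "__main__":
    print(proxied_get("192.168.1.1, 192.168.1.2, 192.168.1.12"))  # Deny: .1.12 is in the Deny rule
    print(proxied_get("192.168.2.100, 192.168.2.1, 192.168.1.2"))  # Allow: .1.2 is in the Allow rule
    print(own_dir_get("aje1example", "aje2other/notes.txt"))  # Deny: not the caller's own folder
```

The two proxied_get calls reproduce the two X-Forwarded-For cases discussed in the reverse-proxy section, and a policy with an empty Statement list yields Deny for every request, as the note at the top of the article states. Condition keys are lowercased before lookup, which is why the model accepts both spellings used in this page's examples, aws:sourceip and aws:SourceIp. Because every address in the chain is checked, one untrusted hop that inserts a listed address into X-Forwarded-For is enough to trip a Deny rule but also enough to satisfy an Allow rule, so Allow rules keyed on aws:sourceip should only be relied on behind proxies that overwrite, rather than append to, that header.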

See also

  • Managing a bucket policy
