Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Bucket policy

Written by
Updated at May 5, 2025

Object Storage incorporates several access management mechanisms. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.

Bucket policies set permissions for actions with buckets, objects, and object groups.

A policy applies when a user makes a request to a resource. As a result, the request is either executed or rejected.

Enabling public access to bucket operations does not override the restrictions set in the access policies.

Note

If a bucket policy with no rules is applied to the bucket, access is denied to all users. To disable request verification for a bucket policy, delete it.

You can set up a bucket policy in the management console or describe it in JSON format using a special scheme to provide through one of the software tools: the Yandex Cloud CLI, AWS CLI, Terraform, or API. Learn more about policy management in this guide.

If you want to assign an access policy to a bucket and connect to this bucket from a Hive Metastore or Yandex Managed Service for Apache Airflow™ cluster, you will need some additional infrastructure setup. For more information, see these guides for Metastore and Managed Service for Apache Airflow™.

Policy components

A bucket policy consists of rules that comprise the following basic elements:

Resource

Bucket, object in a bucket (<bucket_name>/some/key), or prefix (<bucket_name>/some/path/*), including an empty prefix to indicate all bucket objects (<bucket_name>/*). You can specify multiple resources in a rule.

Note

A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all the objects, specify them as separate resources, e.g., samplebucket and samplebucket/*.

If you describe a policy in JSON format, a resource must have the arn:aws:s3::: prefix, e.g., arn:aws:s3:::<bucket_name>.

If the resource name contains ?, *, or $, enclose each one of these characters in curly braces ({}) preceded with $. For example, a record mapped to a bucket named my?bucket will read my${?}bucket.

Action

Operations with a resource that will be either denied or allowed by the rule. For more information, see Actions.

Result

Denies or allows the requested action. First, the request is checked against the Deny action filter. If there is a match, the request is rejected and no further checks are performed. If it meets the Allow action filter criteria, the request is allowed. If the request does not trigger any of the filters, it is rejected.

Principal

Grantee of the requested permission. It can be an IAM user, federated user, service account, anonymous user, or user group.

Condition

Establishes the cases when the rule applies.

Note

The aws:sourceip condition supports a special procedure for verifying reverse proxy server IP addresses.

If multiple conditions are specified simultaneously for a rule or multiple keys are specified simultaneously within a single condition, then such conditions and keys will apply with the AND logic.

If multiple values are specified simultaneously for one condition key, such values will apply with the OR logic.

For more information, see Conditions.

Bucket access via the management console

If a bucket has an access policy configured, access to the bucket via the Yandex Cloud management console is disabled by default. To enable bucket access, you need to add a rule in the Statement section to allow any requests to <bucket_name>/* or <bucket_name> from the management console.

Example of a rule for a specific Yandex Cloud user:

{
  "Effect": "Allow",
  "Principal": {
    "CanonicalUser": "<user_ID>"
  },
  "Action": "*",
  "Resource": [
    "arn:aws:s3:::<bucket_name>/*",
    "arn:aws:s3:::<bucket_name>"
  ],
  "Condition": {
    "StringLike": {
      "aws:referer": "https://console.yandex.cloud/folders/*/storage/buckets/your-bucket-name*"
    }
  }
}
Example of using the console.cloud.yandex.* domain together with console.yandex.cloud

If you are using the old domain (console.cloud.yandex.*) together with the new one (console.yandex.cloud), set the following policy rules:

{
  "Effect": "Allow",
  "Principal": {
    "CanonicalUser": "<user_ID>"
  },
  "Action": "*",
  "Resource": [
    "arn:aws:s3:::<bucket_name>/*",
    "arn:aws:s3:::<bucket_name>"
  ],
  "Condition": {
    "StringLike": {
      "aws:referer": [
        "https://console.cloud.yandex.*/folders/*/storage/buckets/your-bucket-name*",
        "https://console.yandex.cloud/folders/*/storage/buckets/your-bucket-name*"
      ]
    }
  }
}

You can retrieve the user ID by following this guide in the Yandex Identity and Access Management documentation.

Bucket access via a chain of reverse proxy servers

For Object Storage to work with requests sent over a series of reverse proxy servers, the aws:sourceip condition checks both the IP address the request came from and the IP addresses of reverse proxy servers, e.g., those provided in the X-Forwarded-For header.

First a request is checked against the Deny access policy rules. If at least one IP address meets the Deny rule criteria, the request is denied. No further checks are performed.

Then the request is checked against the Allow access policy rules. If at least one IP address meets the Allow rule criteria, the request is allowed.

Example of bucket access configuration via a chain of reverse proxy servers
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "the-allowing-rule",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::sample-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:sourceip": [
            "192.168.1.1",
            "192.168.1.2"
          ]
        }
      }
    },
    {
      "Sid": "the-denying-rule",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::sample-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:sourceip": [
            "192.168.1.11",
            "192.168.1.12"
          ]
        }
      }
    }
  ]
}

If the bucket receives a request with the X-Forwarded-For: 192.168.1.1, 192.168.1.2, 192.168.1.12 header, this request will be denied as its header has the IP address specified in the Deny rule.

If the bucket receives a request with the X-Forwarded-For: 192.168.2.100, 192.168.2.1, 192.168.1.2 header, this request will be allowed as its header has no IP addresses specified in the Deny rule but contains the IP address specified in the Allow rule.

Configuration examples

Rule that allows an anonymous user to read bucket objects over an encrypted connection:

{
  "Id": "epd4limdp3dg********",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "f1qqoehl1q53********",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}

Rule that allows downloading objects only from a specified range of IP addresses:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "100.101.102.128/30"
        }
      }
    }
  ]
}

Rule that denies downloading objects from a specified IP address:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::<bucket_name>/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "100.101.102.103"
        }
      }
    }
  ]
}

Rule that provides different users with full access only to their respective folders:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"User1PermissionsResource",
      "Effect":"Allow",
      "Principal": {
        "CanonicalUser": "<user_ID>"
      },
      "Action": "*",
      "Resource":["arn:aws:s3:::<bucket_name>/user1path/*"]
    },
    {
      "Sid":"User1PermissionsPrefix",
      "Effect":"Allow",
      "Principal": {
          "CanonicalUser": "<user_ID>"
      },
      "Action": "s3:ListBucket",
      "Resource":["arn:aws:s3:::<bucket_name>"],
      "Condition": {
        "StringLike": {
          "s3:prefix": "user1path/*"
        }
      }
    },
    {
      "Sid":"User2PermissionsResource",
      "Effect":"Allow",
      "Principal": {
        "CanonicalUser": "<user_ID>"
      },
      "Action": "*",
      "Resource":["arn:aws:s3:::<bucket_name>/user2path/*"]
    },
    {
      "Sid":"User2PermissionsPrefix",
      "Effect":"Allow",
      "Principal": {
        "CanonicalUser": "<user_ID>"
      },
      "Action": "s3:ListBucket",
      "Resource":["arn:aws:s3:::<bucket_name>"],
      "Condition": {
        "StringLike": {
          "s3:prefix": "user2path/*"
        }
      }
    }
  ]
}

Rule that provides each user and service account with full access to a folder with the name matching the user ID or service account ID:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid": "OwnDirPermissions",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": ["arn:aws:s3:::<bucket_name>/${aws:userid}/*"]
    }
  ]
}

See also

Previous
Access control list (ACL)
Next
Uploading files via an HTML form