Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Accessing a bucket using a service connection from Yandex Virtual Private Cloud

Written by
Improved by
Updated at March 17, 2026

Warning

The VPC Private Endpoints feature is at the Preview stage. To request access to the feature, contact your account manager.

To make Object Storage buckets accessible from VPC cloud networks directly, use a VPC service connection. With this connection, you can access Object Storage via VPC internal IP addresses without any Internet access.

To enable access to a bucket using a service connection from VPC:

  1. Create a VPC service connection.
  2. Configure a bucket policy.
  3. Configure a restriction for access only from service connections.

Create a VPC service connection

To create a service connection, you need one of the following roles:

  • vpc.privateEndpoints.editor
  • vpc.privateEndpoints.admin
  • vpc.privateAdmin
  • vpc.admin
  • admin

  1. In the management console, navigate to the folder where you want to set up a service connection.

  2. Go to Virtual Private Cloud.

  3. In the left-hand panel, select Service connections.

  4. Click Create connection.

  5. In the Name field, enter a name for the service connection. Make sure to follow these naming requirements:

    • Length: between 3 and 63 characters.
    • It can only contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.

  6. Optionally, in the Description field, add a description.

  7. Optionally, add labels:

    1. Click Add label.
    2. Enter a label in key: value format.
    3. Press Enter.

  8. Under Network settings:

    1. In the Network field, specify a network for the new service connection.

    2. To assign a random private IP address, select Automatic in the Address field.

    3. To reserve a list of IP addresses:

      1. In the IP address field, select List.

      2. Click Reserve.

      3. In the window that opens:

        • Specify a name and description for the IP address.
        • Select a subnet.
        • Assign an internal IPv4 address, e.g., 172.16.0.3.
        • Enable Deletion protection for the address to be immune from deletion until you disable protection.
        • Add labels.
        • Click Create.
        • Repeat these steps to reserve additional IP addresses.

    4. In the Service field, select Object Storage.

    5. Optionally, enable Create primary DNS record to automatically create an additional DNS A record for the service's public FQDN. The record will contain the internal IP address allocated to the service connection.

      Depending on whether the parameter is enabled, the following resource records will be created automatically for access to Object Storage:

      • The parameter is not used:

        Name Type Value
        storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>
        *.storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>

      • The parameter is used:

        Name Type Value
        storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>
        *.storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>
        storage.yandexcloud.net A <internal_IP_address_of_service_connection>
        *.storage.yandexcloud.net A <internal_IP_address_of_service_connection>

  9. Click Create.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. View the description of the CLI command to create a service connection:

    yc vpc private-endpoint create --help

  2. Create a service connection to Object Storage in the default folder:

    yc vpc private-endpoint create \
  --name <service_connection_name> \
  --description "<service_connection_description>" \
  --network-name <network_name> \
  --object-storage

    Where:

    • --name: (Optional) Service connection name.
    • --description: (Optional) Service connection description.
    • --network-name: Name of the cloud network the service connection will be created in. You can also use the network ID in the --network-id parameter.
    • --object-storage: Service connection to Object Storage. Other service connection types are not available yet.

    When creating a service connection, you can use the following additional parameters:

    • --address-spec: (Optional) Parameters in the key=value format for the internal IP address which will be assigned to the service connection:

      • address: (Optional) Private IP address for the service connection. If no IP address is provided, a random one will be assigned from the specified subnet’s range.

      • subnet-id: (Optional) ID of the subnet to provide an IP address for the service connection. If no subnet ID is provided, a random internal IP address will be assigned from the range of one of the subnets in the cloud network.

        Note

        To create a service connection, you should have at least one subnet in your network.

    • --private-dns-records-enabled: (Optional) Parameter to create additional DNS resource records to override the public FQDN of the service to which the connection is created.

      Depending on whether the parameter is enabled, the following resource records will be created automatically for access to Object Storage:

      • The parameter is not used:

        Name Type Value
        storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>
        *.storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>

      • The parameter is used:

        Name Type Value
        storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>
        *.storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>
        storage.yandexcloud.net A <internal_IP_address_of_service_connection>
        *.storage.yandexcloud.net A <internal_IP_address_of_service_connection>

  3. Make sure the service connection is created:

    yc vpc private-endpoint list

    Result:

    +----------------------+-------------+--------------------------------+
|          ID          |    NAME     |          DESCRIPTION           |
+----------------------+-------------+--------------------------------+
| enpd7rq************* | s3-vpc-link | Private Endpoint to the Object |
|                      |             | Storage                        |
+----------------------+-------------+--------------------------------+

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. In the Terraform configuration file, describe the resources you want to create:

    resource "yandex_vpc_private_endpoint" "my-vpc-endpoint" {
  name        = "<service_connection_name>"
  description = "<service_connection_description>"
  network_id  = "<cloud_network_ID>"
  
  # Service connection to Object Storage
  object_storage {}

  # Creating additional DNS resource records 
  dns_options {
    private_dns_records_enabled = <true_or_false>
  }

  endpoint_address {
    subnet_id = "<subnet_ID>"
  }
}

    Where:

    • name: Service connection name. This is an optional parameter.

    • description: Service connection description. This is an optional parameter.

    • network_id: Name of the cloud network the service connection will be created in. This is a required parameter.

    • object_storage: Service connection to Object Storage. Other service connection types are not available yet.

    • dns_options: Section with parameters for creating DNS records:

      • private_dns_records_enabled: Parameter to create additional DNS resource records to override the public FQDN of the service to which the connection is created. This is an optional parameter.

        Depending on whether the parameter is enabled, the following resource records will be created automatically for access to Object Storage:

        • The parameter is not used:

          Name Type Value
          storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>
          *.storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>

        • The parameter is used:

          Name Type Value
          storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>
          *.storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection>
          storage.yandexcloud.net A <internal_IP_address_of_service_connection>
          *.storage.yandexcloud.net A <internal_IP_address_of_service_connection>

    • endpoint_address: Section with parameters of the service connection's internal IP address:

      • subnet_id: ID of the subnet to provide an IP address for the service connection. If no subnet ID is provided, a random internal IP address will be assigned from the range of one of the cloud network's subnets. This is an optional parameter.

      Note

      To create a service connection, you should have at least one subnet in your network.

    For more information about yandex_vpc_private_endpoint properties, see this provider guide.

  2. Create the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    Terraform will create all the required resources. You can check the new resources using the management console or this CLI command:

    yc vpc private-endpoint list

To create a VPC service connection, use the create REST API method for the PrivateEndpoint resource or the PrivateEndpointService/Create gRPC API call.

Save the service connection ID.

Object Storage buckets are now accessible via the VPC internal IP address without any internet access.

Configure a bucket policy

To allow access to a bucket only by VPC internal IP addresses, configure a bucket policy for the service connection.

Note

At the access policy level, you can grant access to the bucket from VPC service connections with IDs specified in the policy. However, as the access flow chart shows, the bucket will still be accessible from the public network, e.g., though an object ACL or under another enabling rule in the policy.

In addition, a bucket configured this way still supports server-side copy, both from and to the bucket.

  1. In the management console, select the folder where you configured the VPC service connection.

  2. Go to Object Storage.

  3. Select the bucket from the list.

  4. In the left-hand menu, go to the Security tab.

  5. At the top of the screen, navigate to the Access policy tab.

  6. Click Configure access.

  7. Enter a bucket policy ID, e.g., private-endpoint-policy.

  8. Set up a rule:

    1. Enter a rule ID, e.g., private-endpoint-rule.

    2. Configure rule settings:

      • Result: Enable.

      • Selection principle: Include users.

      • User: All users.

      • Action: Select All actions.

      • Resource<bucket_name>/*.

        Click Add resource and enter <bucket_name>.

        Note

        A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all the objects, specify them as separate resources, e.g., samplebucket and samplebucket/*.

    3. Add a condition for the rule:

      • In the Key field, select private-endpoint-id.
      • In the Operator field, select StringEquals.
      • In the Value field, specify the service connection (private endpoint) ID, e.g., enpd7rq1s3f5********.

  9. Click Save.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. See the description of the CLI command for updating bucket settings:

    yc storage bucket update --help

  2. Describe your bucket policy configuration as a JSON data schema:

    {
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "*",
    "Resource": [
      "arn:aws:s3:::<bucket_name>/*",
      "arn:aws:s3:::<bucket_name>"
    ],
    "Condition": {
      "StringEquals": {
        "yc:private-endpoint-id": "<connection_ID>"
      }
    }
  }
}

    Where:

    • <bucket_name>: Name of the bucket in Object Storage to which you need to apply the access policy, e.g., my-s3-bucket.
    • <connection_ID>: Service connection ID (private endpoint), e.g., enpd7rq1s3f5********.

  3. Save the final configuration to a file named policy.json.

  4. Run this command:

    yc storage bucket update \
  --name <bucket_name> \
  --policy-from-file <policy_file_path>

    Once the bucket policy is applied, you can access the bucket only from the VPC cloud network in which you created the relevant service connection (private endpoint).

Note

To manage a policy using the AWS CLI, a service account needs the storage.admin role.

If you do not have the AWS CLI yet, install and configure it.

  1. Describe your bucket policy configuration as a JSON data schema:

    {
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "*",
    "Resource": [
      "arn:aws:s3:::<bucket_name>/*",
      "arn:aws:s3:::<bucket_name>"
    ],
    "Condition": {
      "StringEquals": {
        "yc:private-endpoint-id": "<connection_ID>"
      }
    }
  }
}

    Where:

    • <bucket_name>: Name of the bucket in Object Storage to which you need to apply the access policy, e.g., my-s3-bucket.
    • <connection_ID>: Service connection ID (private endpoint), e.g., enpd7rq1s3f5********.

  2. Save the final configuration to a file named policy.json.

  3. Run this command:

    aws s3api put-bucket-policy \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --policy file://policy.json

Once the bucket policy is applied, you can access the bucket only from the VPC cloud network in which you created the relevant service connection (private endpoint).

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

By default, Terraform uses an IAM token for authentication in Object Storage. In addition to an IAM token, you can use a service account and static access keys for authentication in Object Storage. For more information about Terraform authentication in Object Storage, see the relevant provider documentation.

Note

If you access Object Storage via Terraform under a service account, assign to the service account the relevant role, e.g., storage.admin, for the folder you are going to create the resources in.

  1. Open the Terraform configuration file and specify the policy using the yandex_storage_bucket_policy resource:

    resource "yandex_storage_bucket_policy" "bpolicy" {
  bucket = "my-policy-bucket"
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "*",
    "Resource": [
      "arn:aws:s3:::<bucket_name>/*",
      "arn:aws:s3:::<bucket_name>"
    ],
    "Condition": {
      "StringEquals": {
        "yc:private-endpoint-id": "<connection_ID>"
      }
    }
  }
}
POLICY
}

    Where:

    • <bucket_name>: Name of the bucket in Object Storage to which you need to apply the access policy, e.g., my-s3-bucket.
    • <connection_ID>: Service connection ID (private endpoint), e.g., enpd7rq1s3f5********.

    For more information about yandex_storage_bucket_policy properties, see this provider guide.

  2. Apply the changes:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    You can check the update using the management console.

To configure a bucket policy, use the update REST API method for the Bucket resource, the BucketService/Update gRPC API call, or the PutBucketPolicy S3 API method. If the bucket already had a bucket policy configured, it will be completely overwritten once you apply the new policy.

Learn more about managing a bucket policy in Bucket policy management.

Configure a restriction for access only from service connections

You can restrict access to a bucket at the service level. This will make access to the bucket possible only from VPC service connections.

Warning

With this option on, the bucket will not be accessible from the public network. There is a separate option enabling bucket access via the management console. See also Server side copy.

Allowing bucket access only from VPC service connections at the service level

  1. In the management console, select the folder where you configured the VPC service connection.
  2. Go to Object Storage.
  3. Select the bucket from the list.
  4. In the left-hand panel, select Settings.
  5. Under Strict mode, enable Available only via VPC service connections.
  6. In the VPC service connections field, specify the ID of the service connection you created.
  7. Optionally, enable Access from console. This option enables you to access the bucket from the management console even if access is allowed only via VPC service connections. When this option is disabled, you can only access the bucket via the API or CLI.
  8. Click Save.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. Create additional DNS resource records to override the public FQDN of the service to which the connection is created. To do this, enable a special VPC service connection parameter:

    yc vpc private-endpoint update \
  --id <service_connection_ID> \
  --private-dns-records-enabled

  2. Update the bucket settings by specifying the parameters for access only from VPC service connections:

    yc storage bucket update \
  --name <bucket_name> \
  --enable-private-endpoints true \
  --private-endpoints <service_connection_ID> \
  --private-endpoints-force-cloudconsole-access true

    Where:

    • --name: Bucket name.

    • --enable-private-endpoints: Parameter for access to the bucket only from VPC service connections. If you do not set this parameter, the bucket will be accessible from both the public network and VPC service connections.

    • --private-endpoints: List of IDs of VPC service connections to allow access from.

      Warning

      If you do not specify the IDs of VPC service connections, the bucket will not be accessible from anywhere. However, you can still disable the restrictions for access only from VPC service connections.

    • --private-endpoints-force-cloudconsole-access: This parameter enables bucket access from the management console even if access is allowed only via VPC service connections. This is an optional parameter. When this option is disabled, you can only access the bucket via the API or CLI.

To allow bucket access only from VPC service connections at the service level, use the update REST API method for the Bucket resource or the Bucket/Update gRPC API call.

Restoring bucket access from a public network

  1. In the management console, select the folder where you configured the VPC service connection.
  2. Go to Object Storage.
  3. Select the bucket from the list.
  4. In the left-hand panel, select Settings.
  5. Under Strict mode, disable Available only via VPC service connections.
  6. Click Save.

Update the bucket settings:

yc storage bucket update \
  --name <bucket_name> \
  --enable-private-endpoints false

Where:

  • --name: Bucket name.

  • --enable-private-endpoints: Parameter for access to the bucket only from VPC service connections.

    Tip

    After you remove the restriction for access only from VPC service connections, the list of service connections provided earlier in the --private-endpoints parameter remains in the bucket settings. If you choose to restrict access again, you do not have to provide the list one more time.

To allow bucket access only from VPC service connections at the service level, use the update REST API method for the Bucket resource or the Bucket/Update gRPC API call.

Server-side copy

For details on server-side copy in buckets with access restricted to VPC service connections, refer to this table:

Source bucket Target bucket Condition to initiate server-side copying1
Access restricted to VPC service connections Access restricted to VPC service connections Request from a service connection listed as allowed for both buckets
Access restricted to VPC service connections Access from a public network Request from a service connection listed as allowed for the source bucket
Access from a public network Access restricted to VPC service connections Request from a service connection listed as allowed for the target bucket
Access from a public network Access from a public network Request from a public network or service connection

1 If the client has permissions to read from the source bucket and write to the target bucket.

See also

Previous
Accessing a bucket with an ephemeral access key
Next
Managing bucket versioning