
Accessing a bucket using a service connection from Yandex Virtual Private Cloud

Written by
Yandex Cloud
Improved by
Tania L.
Updated at June 24, 2025

Warning

The VPC Private Endpoints feature is at the Preview stage. To request access to the feature, contact your account manager.

To make Object Storage buckets accessible from VPC cloud networks directly, use a VPC service connection. With this connection, you can access Object Storage via VPC internal IP addresses without any Internet access.

To enable access to a bucket using a service connection from VPC:

  1. Create a VPC service connection.
  2. Configure a bucket policy.
  3. Configure a restriction for access only from service connections.

Create a VPC service connection

To create a service connection, you need one of the following roles:

  • vpc.privateEndpoints.editor
  • vpc.privateEndpoints.admin
  • vpc.privateAdmin
  • vpc.admin
  • admin
CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command to create a service connection:

    yc vpc private-endpoint create --help
    
  2. Create a service connection to Object Storage in the default folder:

    yc vpc private-endpoint create \
      --name <service_connection_name> \
      --description "<service_connection_description>" \
      --network-name <network_name> \
      --object-storage 
    

    Where:

    • --name: (Optional) Service connection name.
    • --description: (Optional) Service connection description.
    • --network-name: Name of the cloud network the service connection will be created in. You can also use the network ID in the --network-id parameter.
    • --object-storage: Service connection to Object Storage. Other service connection types are not available yet.

    When creating a service connection, you can use the following additional parameters:

    • --address-spec: (Optional) Parameters in the key=value format for the internal IP address which will be assigned to the service connection:

      • address: (Optional) Private IP address for the service connection. If no IP address is provided, a random one will be assigned from the specified subnet’s range.

      • subnet-id: (Optional) ID of the subnet to provide an IP address for the service connection. If no subnet ID is provided, a random internal IP address will be assigned from the range of one of the subnets in the cloud network.

        Note

        To create a service connection, you should have at least one subnet in your network.

    • --private-dns-records-enabled: (Optional) Create additional DNS resource records that override the public FQDN of the service the connection is created to.

      Depending on whether the parameter is set, the following resource records are created automatically for access to Object Storage:

      • Parameter not set (clients must address the service through the storage.pe.yandexcloud.net name; the public name storage.yandexcloud.net keeps resolving as usual, i.e., to the public endpoint):

        Name                            Type  Value
        storage.pe.yandexcloud.net      A     <internal_IP_address_of_service_connection>
        *.storage.pe.yandexcloud.net    A     <internal_IP_address_of_service_connection>

      • Parameter set (the public name is overridden as well, so clients that already use storage.yandexcloud.net start going through the service connection without reconfiguration):

        Name                            Type  Value
        storage.pe.yandexcloud.net      A     <internal_IP_address_of_service_connection>
        *.storage.pe.yandexcloud.net    A     <internal_IP_address_of_service_connection>
        storage.yandexcloud.net         A     <internal_IP_address_of_service_connection>
        *.storage.yandexcloud.net       A     <internal_IP_address_of_service_connection>
  3. Make sure the service connection is created:

    yc vpc private-endpoint list
    

    Result:

    +----------------------+-------------+--------------------------------+
    |          ID          |    NAME     |          DESCRIPTION           |
    +----------------------+-------------+--------------------------------+
    | enpd7rq************* | s3-vpc-link | Private Endpoint to the Object |
    |                      |             | Storage                        |
    +----------------------+-------------+--------------------------------+
    

Save the service connection ID.

Object Storage buckets are now accessible via the VPC internal IP address without any internet access.

Configure a bucket policy

To make a bucket policy rule match only requests that arrive through a specific service connection, condition the rule on that connection's ID.

Note

At the access policy level, you can grant access to the bucket from the VPC service connections whose IDs are listed in the policy. However, as the access flow chart shows, such a rule only grants access; it does not block other paths. The bucket remains accessible from the public network if, for example, an object ACL or another enabling rule in the policy permits it. To cut off public access entirely, use the service-level restriction described further below.

In addition, a bucket configured this way still supports server-side copy, both from and to the bucket.

Management console
  1. In the management console, select the folder where you configured the VPC service connection.

  2. Select Object Storage.

  3. Select the bucket from the list.

  4. In the left-hand menu, go to the Security tab.

  5. At the top of the screen, navigate to the Access policy tab.

  6. Click Configure access.

  7. Enter a bucket policy ID, e.g., private-endpoint-policy.

  8. Set up a rule:

    1. Enter a rule ID, e.g., private-endpoint-rule.

    2. Configure rule settings:

      • Result: Enable.

      • Selection principle: Include users.

      • User: All users.

      • Action: Select All actions.

      • Resource — <bucket_name>/*.

        Click Add resource and enter <bucket_name>.

        Note

        A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all the objects, specify them as separate resources, e.g., samplebucket and samplebucket/*.

    3. Add a condition for the rule:

      • In the Key field, select private-endpoint-id.
      • In the Operator field, select StringEquals.
      • In the Value field, specify the service connection (private endpoint) ID, e.g., enpd7rq1s3f5********.
  9. Click Save.

AWS CLI

Note

To manage a policy using the AWS CLI, a service account needs the storage.admin role.

If you do not have the AWS CLI yet, install and configure it.

  1. Describe your bucket policy configuration as a JSON data schema:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "*",
        "Resource": [
          "arn:aws:s3:::<bucket_name>/*",
          "arn:aws:s3:::<bucket_name>"
        ],
        "Condition": {
          "StringEquals": {
            "yc:private-endpoint-id": "<connection_ID>"
          }
        }
      }
    }
    

    Where:

    • <bucket_name>: Name of the bucket in Object Storage to which you need to apply the access policy, e.g., my-s3-bucket.
    • <connection_ID>: Service connection ID (private endpoint), e.g., enpd7rq1s3f5********.
  2. Save the final configuration to a file named policy.json.

  3. Run this command:

    aws s3api put-bucket-policy \
      --endpoint https://storage.yandexcloud.net \
      --bucket <bucket_name> \
      --policy file://policy.json
    

Once the bucket policy is applied, this rule matches only requests that reach the bucket through the listed service connection (private endpoint), i.e., from the VPC cloud network in which you created it. Access granted by other means (an object ACL or another enabling rule in the policy) is not affected; see the note above.

Learn more about managing a bucket policy in Bucket policy management.
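Two mistakes are easy to make when writing this policy by hand: listing only <bucket_name>/* and forgetting the bucket resource itself (the note in the console steps), and leaving an older Allow rule in place that has no yc:private-endpoint-id condition, which keeps the bucket reachable from the public network exactly as the note above warns. The following script, added here as an example and not part of the original guide or any Yandex Cloud tool, builds the policy from the page and lints an existing policy for both problems before you run put-bucket-policy. It assumes the rule ID from the console maps to the Sid element, and that the condition value may be a list when several service connections are allowed (as in S3 policies); with a single ID it emits the plain string form shown on the page. All IDs and bucket names below are constructed.

```python
import json

# Condition key that pins a rule to a VPC service connection (from the page's policy).
PE_CONDITION_KEY = "yc:private-endpoint-id"


def build_private_endpoint_policy(bucket, endpoint_ids, sid="private-endpoint-rule"):
    """Build the guide's policy: allow every action on the bucket and all its objects,
    but only for requests arriving through one of the given service connections.

    Both ARNs are listed because the bucket resource does not cover its objects.
    One ID is emitted as a string (as on the page); several as a list (assumption)."""
    ids = [i for i in endpoint_ids if i]
    if not ids:
        raise ValueError("refusing to build a policy with no service connection ID")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": sid,  # assumption: the console's "rule ID"
                "Effect": "Allow",
                "Principal": "*",
                "Action": "*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"StringEquals": {PE_CONDITION_KEY: ids[0] if len(ids) == 1 else ids}},
            }
        ],
    }


def _statements(policy):
    # The page writes a single statement as an object; the general form is a list.
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def unpinned_allow_rules(policy):
    """Sid (or index) of every Allow rule without a yc:private-endpoint-id condition.
    Any such rule keeps the bucket reachable from the public network."""
    found = []
    for i, s in enumerate(_statements(policy)):
        if s.get("Effect") != "Allow":
            continue
        cond = s.get("Condition") or {}
        pinned = any(PE_CONDITION_KEY in ops for ops in cond.values() if isinstance(ops, dict))
        if not pinned:
            found.append(s.get("Sid", f"statement[{i}]"))
    return found


def missing_resources(policy, bucket):
    """Which of the two ARNs (bucket and bucket/*) no Allow rule mentions."""
    wanted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    seen = set()
    for s in _statements(policy):
        if s.get("Effect") != "Allow":
            continue
        res = s.get("Resource", [])
        seen.update([res] if isinstance(res, str) else res)
    return sorted(wanted - seen)


def review(policy, bucket):
    """Combined check; returns human-readable findings (empty list = clean)."""
    findings = [f"rule '{sid}' allows access without a service-connection condition"
                for sid in unpinned_allow_rules(policy)]
    findings += [f"no Allow rule covers {arn}" for arn in missing_resources(policy, bucket)]
    return findings


if __name__ == "__main__":
    clean = build_private_endpoint_policy("my-s3-bucket", ["enpd7rq1s3f5abcdefgh"])
    print(json.dumps(clean, indent=2))          # paste into policy.json
    print(review(clean, "my-s3-bucket"))        # []

    # Same policy plus a leftover public-read rule: the linter flags it.
    leaky = json.loads(json.dumps(clean))
    leaky["Statement"].append({"Sid": "public-read", "Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-s3-bucket/*"})
    print(review(leaky, "my-s3-bucket"))
```

The linter looks at the policy document only: it cannot see object ACLs, which the note above lists as another way the bucket stays publicly reachable, nor the service-level --enable-private-endpoints setting. Fetch the current document with aws s3api get-bucket-policy (same --endpoint as above) and pass the parsed JSON to review() before and after you change it.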

Configure a restriction for access only from service connections

You can restrict access to a bucket at the service level. This will make access to the bucket possible only from VPC service connections.

Warning

With this option on, the bucket will not be accessible from the public network. Also, as currently implemented, no access to the bucket will be possible from the management console. See also Server-side copy below.

To allow access to the bucket only from VPC service connections at the service level:

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. Create additional DNS resource records to override the public FQDN of the service to which the connection is created. To do this, enable a special VPC service connection parameter:

    yc vpc private-endpoint update \
      --id <service_connection_ID> \
      --private-dns-records-enabled
    
  2. Update the bucket settings by specifying the parameters for access only from VPC service connections:

    yc storage bucket update \
      --name <bucket_name> \
      --enable-private-endpoints true \
      --private-endpoints <service_connection_ID>
    

    Where:

    • --name: Bucket name.

    • --enable-private-endpoints: Parameter for access to the bucket only from VPC service connections. If you do not set this parameter, the bucket will be accessible from both the public network and VPC service connections.

    • --private-endpoints: List of IDs of VPC service connections to allow access from.

      Warning

      If you do not specify the IDs of VPC service connections, the bucket will not be accessible from anywhere. However, you can still disable the restrictions for access only from VPC service connections.

To restore access to the bucket from the public network:

CLI

Update the bucket settings:

yc storage bucket update \
  --name <bucket_name> \
  --enable-private-endpoints false

Where:

  • --name: Bucket name.

  • --enable-private-endpoints: Parameter for access to the bucket only from VPC service connections.

    Tip

    After you remove the restriction for access only from VPC service connections, the list of service connections provided earlier in the --private-endpoints parameter remains in the bucket settings. If you choose to restrict access again, you do not have to provide the list one more time.

Server-side copy

For details on server-side copy in buckets with access restricted to VPC service connections, refer to this table:

Source bucket                                  Target bucket                                  Condition for server-side copy (1)
Access restricted to VPC service connections   Access restricted to VPC service connections   Request from a service connection listed as allowed for both buckets
Access restricted to VPC service connections   Access from a public network                   Request from a service connection listed as allowed for the source bucket
Access from a public network                   Access restricted to VPC service connections   Request from a service connection listed as allowed for the target bucket
Access from a public network                   Access from a public network                   Request from a public network or a service connection

(1) Provided the client has permissions to read from the source bucket and write to the target bucket.

See also

  • VPC service connections
  • Managing VPC service connections
  • Bucket policy
  • Connecting to Object Storage from Virtual Private Cloud
  • Access management methods in Object Storage: Overview
