Accessing a bucket using a service connection from Yandex Virtual Private Cloud
Warning
The VPC Private Endpoints feature is at the Preview stage. To request access to the feature, contact your account manager.
To make Object Storage buckets accessible from VPC cloud networks directly, use a VPC service connection. With this connection, you can access Object Storage via VPC internal IP addresses without any Internet access.
To enable access to a bucket using a service connection from VPC:
- Create a VPC service connection.
- Configure a bucket policy.
- Configure a restriction for access only from service connections.
Create a VPC service connection
To create a service connection, you need one of the following roles:
vpc.privateEndpoints.editorvpc.privateEndpoints.adminvpc.privateAdminvpc.adminadmin
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
-
View the description of the CLI command to create a service connection:
yc vpc private-endpoint create --help -
Create a service connection to Object Storage in the default folder:
yc vpc private-endpoint create \ --name <service_connection_name> \ --description "<service_connection_description>" \ --network-name <network_name> \ --object-storageWhere:
--name: (Optional) Service connection name.--description: (Optional) Service connection description.--network-name: Name of the cloud network the service connection will be created in. You can also use the network ID in the--network-idparameter.--object-storage: Service connection to Object Storage. Other service connection types are not available yet.
When creating a service connection, you can use the following additional parameters:
-
--address-spec: (Optional) Parameters in thekey=valueformat for the internal IP address which will be assigned to the service connection:-
address: (Optional) Private IP address for the service connection. If no IP address is provided, a random one will be assigned from the specified subnet’s range. -
subnet-id: (Optional) ID of the subnet to provide an IP address for the service connection. If no subnet ID is provided, a random internal IP address will be assigned from the range of one of the subnets in the cloud network.Note
To create a service connection, you should have at least one subnet in your network.
-
-
--private-dns-records-enabled: (Optional) Parameter to create additional DNS resource records to override the public FQDN of the service to which the connection is created.Depending on whether the parameter is enabled, the following resource records will be created automatically for access to Object Storage:
-
The parameter is not used:
Name Type Value storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection> *.storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection> -
The parameter is used:
Name Type Value storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection> *.storage.pe.yandexcloud.net A <internal_IP_address_of_service_connection> storage.yandexcloud.net A <internal_IP_address_of_service_connection> *.storage.yandexcloud.net A <internal_IP_address_of_service_connection>
-
-
Make sure the service connection is created:
yc vpc private-endpoint listResult:
+----------------------+-------------+--------------------------------+ | ID | NAME | DESCRIPTION | +----------------------+-------------+--------------------------------+ | enpd7rq************* | s3-vpc-link | Private Endpoint to the Object | | | | Storage | +----------------------+-------------+--------------------------------+
Save the service connection ID.
Object Storage buckets are now accessible via the VPC internal IP address without any internet access.
Configure a bucket policy
To allow access to a bucket only by VPC internal IP addresses, configure a bucket policy for the service connection.
Note
At the access policy level, you can grant access to the bucket from VPC service connections with IDs specified in the policy. However, as the access flow chart shows, the bucket will still be accessible from the public network, e.g., though an object ACL or under another enabling rule in the policy.
In addition, a bucket configured this way still supports server-side copy, both from and to the bucket.
-
In the management console, select the folder where you configured the VPC service connection.
-
Select Object Storage.
-
Select the bucket from the list.
-
In the left-hand menu, go to the Security tab.
-
At the top of the screen, navigate to the Access policy tab.
-
Click Configure access.
-
Enter a bucket policy ID, e.g.,
private-endpoint-policy. -
Set up a rule:
-
Enter a rule ID, e.g.,
private-endpoint-rule. -
Configure rule settings:
-
Result: Enable.
-
Selection principle: Include users.
-
User: All users.
-
Action: Select All actions.
-
Resource —
<bucket_name>/*.Click Add resource and enter
<bucket_name>.Note
A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all the objects, specify them as separate resources, e.g.,
samplebucketandsamplebucket/*.
-
-
Add a condition for the rule:
- In the Key field, select
private-endpoint-id. - In the Operator field, select
StringEquals. - In the Value field, specify the service connection (private endpoint) ID, e.g.,
enpd7rq1s3f5********.
- In the Key field, select
-
-
Click Save.
Note
To manage a policy using the AWS CLI, a service account needs the storage.admin role.
If you do not have the AWS CLI yet, install and configure it.
-
Describe your bucket policy configuration as a JSON data schema:
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": "*", "Action": "*", "Resource": [ "arn:aws:s3:::<bucket_name>/*", "arn:aws:s3:::<bucket_name>" ], "Condition": { "StringEquals": { "yc:private-endpoint-id": "<connection_ID>" } } } }Where:
<bucket_name>: Name of the bucket in Object Storage to which you need to apply the access policy, e.g.,my-s3-bucket.<connection_ID>: Service connection ID (private endpoint), e.g.,enpd7rq1s3f5********.
-
Save the final configuration to a file named
policy.json. -
Run this command:
aws s3api put-bucket-policy \ --endpoint https://storage.yandexcloud.net \ --bucket <bucket_name> \ --policy file://policy.json
Once the bucket policy is applied, you can access the bucket only from the VPC cloud network in which you created the relevant service connection (private endpoint).
Learn more about managing a bucket policy in Bucket policy management.
Configure a restriction for access only from service connections
You can restrict access to a bucket at the service level. This will make access to the bucket possible only from VPC service connections.
Warning
With this option on, the bucket will not be accessible from the public network. Also, as currently implemented, no access to the bucket will be possible from the management console. See also Server side copy.
To allow access to the bucket only from VPC service connections at the service level:
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
-
Create additional DNS resource records to override the public FQDN of the service to which the connection is created. To do this, enable a special VPC service connection parameter:
yc vpc private-endpoint update \ --id <service_connection_ID> \ --private-dns-records-enabled -
Update the bucket settings by specifying the parameters for access only from VPC service connections:
yc storage bucket update \ --name <bucket_name> \ --enable-private-endpoints true \ --private-endpoints <service_connection_ID>Where:
-
--name: Bucket name. -
--enable-private-endpoints: Parameter for access to the bucket only from VPC service connections. If you do not set this parameter, the bucket will be accessible from both the public network and VPC service connections. -
--private-endpoints: List of IDs of VPC service connections to allow access from.Warning
If you do not specify the IDs of VPC service connections, the bucket will not be accessible from anywhere. However, you can still disable the restrictions for access only from VPC service connections.
-
To restore access to the bucket from the public network:
Update the bucket settings:
yc storage bucket update \
--name <bucket_name> \
--enable-private-endpoints false
Where:
-
--name: Bucket name. -
--enable-private-endpoints: Parameter for access to the bucket only from VPC service connections.Tip
After you remove the restriction for access only from VPC service connections, the list of service connections provided earlier in the
--private-endpointsparameter remains in the bucket settings. If you choose to restrict access again, you do not have to provide the list one more time.
Server-side copy
For details on server-side copy in buckets with access restricted to VPC service connections, refer to this table:
| Source bucket | Target bucket | Condition to initiate server-side copying1 |
|---|---|---|
| Access restricted to VPC service connections | Access restricted to VPC service connections | Request from a service connection listed as allowed for both buckets |
| Access restricted to VPC service connections | Access from a public network | Request from a service connection listed as allowed for the source bucket |
| Access from a public network | Access restricted to VPC service connections | Request from a service connection listed as allowed for the target bucket |
| Access from a public network | Access from a public network | Request from a public network or service connection |
1 If the client has permissions to read from the source bucket and write to the target bucket.