Accessing a bucket using a service connection from Yandex Virtual Private Cloud
Warning
The Service connections (VPC Private Endpoints) functionality is at the Preview stage and will become available for testing from September 26, 2024. To request access, contact your account manager.
To make Object Storage buckets accessible from VPC cloud networks directly, use a VPC service connection. With this connection, you can access Object Storage via VPC internal IP addresses without any Internet access.
To enable access to a bucket using a service connection from VPC:
Create a VPC service connection
To create a service connection, you need one of the following roles:
- `vpc.privateEndpoints.editor`
- `vpc.privateEndpoints.admin`
- `vpc.privateAdmin`
- `vpc.admin`
- `admin`
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder through the `--folder-name` or `--folder-id` parameter.
- View the description of the CLI command to create a service connection:

  ```
  yc vpc private-endpoint create --help
  ```

- Create a service connection to Object Storage in the default folder:

  ```
  yc vpc private-endpoint create \
    --name s3-vpc-link \
    --description "Private Endpoint to the Object Storage" \
    --network-name default-net \
    --object-storage
  ```

  Where:
  - `--name`: (Optional) Service connection name.
  - `--description`: (Optional) Service connection description.
  - `--network-name`: Name of the cloud network the service connection will be created in. You can also use the network ID in the `--network-id` parameter.
  - `--object-storage`: Service connection to Object Storage. Other service connection types are not available yet.
  When creating a service connection, you can use the following additional parameters:
  - `--address-spec`: (Optional) Parameters in the `key=value` format for the internal IP address which will be assigned to the service connection:
    - `address`: (Optional) Private IP address for the service connection. If no IP address is provided, a random one will be assigned from the specified subnet's range.
    - `subnet-id`: (Optional) ID of the subnet to provide an IP address for the service connection. If no subnet ID is provided, a random internal IP address will be assigned from the range of one of the subnets in the cloud network.

    Note: To create a service connection, you should have at least one subnet in your network.
  - `--private-dns-records-enabled`: (Optional) Parameter to create additional DNS resource records to override the public FQDN of the service to which the connection is created. Depending on whether the parameter is enabled, the following resource records will be created automatically for access to Object Storage:
    - The parameter is not used:

      | Name | Type | Value |
      | --- | --- | --- |
      | storage.pe.yandexcloud.net | A | <internal_IP_address_of_service_connection> |
      | *.storage.pe.yandexcloud.net | A | <internal_IP_address_of_service_connection> |

    - The parameter is used:

      | Name | Type | Value |
      | --- | --- | --- |
      | storage.pe.yandexcloud.net | A | <internal_IP_address_of_service_connection> |
      | *.storage.pe.yandexcloud.net | A | <internal_IP_address_of_service_connection> |
      | storage.yandexcloud.net | A | <internal_IP_address_of_service_connection> |
      | *.storage.yandexcloud.net | A | <internal_IP_address_of_service_connection> |
- Make sure the service connection is created:

  ```
  yc vpc private-endpoint list
  ```

  The command result will be as follows:

  ```
  +----------------------+-------------+--------------------------------+
  |          ID          |    NAME     |          DESCRIPTION           |
  +----------------------+-------------+--------------------------------+
  | enpd7rq************* | s3-vpc-link | Private Endpoint to the Object |
  |                      |             | Storage                        |
  +----------------------+-------------+--------------------------------+
  ```

  Learn how to get the parameters of the service connection you created in Getting information about a service connection.

- Save the service connection ID.

Object Storage buckets are now accessible via the VPC internal IP address without any internet access.
Configure a bucket policy
To restrict access to a bucket to VPC internal IP addresses, configure a bucket policy for the service connection.
- In the management console, select the folder where you configured the VPC service connection.
- Select Object Storage.
- Select the bucket from the list.
- In the left-hand menu, go to the Security tab.
- At the top of the screen, navigate to the Access policy tab.
- Click Configure access.
- Enter a bucket policy ID, e.g., `private-endpoint-policy`.
- Set up a rule:
  - Enter a rule ID, e.g., `private-endpoint-rule`.
  - Configure rule settings:
    - Result: Enable.
    - Selection principle: Include users.
    - User: All users.
    - Action: Select All actions.
    - Resource: `<bucket_name>/*`. Click Add resource and enter `<bucket_name>`.

      Note: A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all the objects, specify them as separate resources, e.g., `samplebucket` and `samplebucket/*`.
  - Add a condition for the rule:
    - In the Key field, select `private-endpoint-id`.
    - In the Operator field, select `StringEquals`.
    - In the Value field, specify the service connection (Private Endpoint) ID, e.g., `enpd7rq1s3f5********`.
- Click Save.
Alternatively, you can configure the bucket policy using the AWS CLI.

Note: To manage a policy using the AWS CLI, a service account needs the `storage.admin` role.

If you do not have the AWS CLI yet, install and configure it.
- Describe your bucket policy configuration as a JSON data schema:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": [
        "arn:aws:s3:::<bucket_name>/*",
        "arn:aws:s3:::<bucket_name>"
      ],
      "Condition": {
        "StringEquals": {
          "yc:private-endpoint-id": "<connection_ID>"
        }
      }
    }
  }
  ```

  Where:
  - `<bucket_name>`: Name of the bucket in Object Storage to which you need to apply the access policy, e.g., `my-s3-bucket`.
  - `<connection_ID>`: Service connection ID (private endpoint), e.g., `enpd7rq1s3f5********`.

- Save the final configuration to a file named `policy.json`.
- Run this command:

  ```
  aws s3api put-bucket-policy \
    --endpoint https://storage.yandexcloud.net \
    --bucket <bucket_name> \
    --policy file://policy.json
  ```
Once the bucket policy is applied, you can access the bucket only from the VPC cloud network in which you created the relevant service connection (Private Endpoint).
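As an added example (not Yandex Cloud's own code), the Python below builds the policy from this section for a given bucket and service connection ID, and audits an existing policy by flagging Allow statements open to all users that lack the `yc:private-endpoint-id` condition or pin a different endpoint; it also unwraps the `{"Policy": "..."}` envelope that `aws s3api get-bucket-policy` returns. Bucket names and endpoint IDs used here are constructed placeholders.

```python
"""Build and audit an Object Storage bucket policy that pins access to one VPC
service connection via the yc:private-endpoint-id condition.
Added example, not Yandex Cloud code; bucket and endpoint values are constructed."""
import json


def build_private_endpoint_policy(bucket: str, endpoint_id: str) -> dict:
    """Equivalent of the policy.json on this page: allow everyone, but only for
    requests that arrive through the given service connection."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            # The bucket and its objects are separate resources; list both.
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringEquals": {"yc:private-endpoint-id": endpoint_id}},
        }],
    }


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict, endpoint_id: str) -> list:
    """Return findings for Allow statements open to all users that are not pinned
    to the expected service connection. An empty list means the policy is sound."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        public = st.get("Principal") in ("*", {"AWS": "*"})
        if st.get("Effect") != "Allow" or not public:
            continue
        pinned = st.get("Condition", {}).get("StringEquals", {}).get("yc:private-endpoint-id")
        if pinned is None:
            findings.append(f"statement {i}: Principal * with no yc:private-endpoint-id condition")
        elif endpoint_id not in _as_list(pinned):
            findings.append(f"statement {i}: pinned to unexpected endpoint {pinned}")
    return findings


def audit_get_bucket_policy_output(raw: str, endpoint_id: str) -> list:
    """`aws s3api get-bucket-policy` returns {"Policy": "<policy as a JSON string>"};
    unwrap the envelope and audit the embedded document."""
    return audit_policy(json.loads(json.loads(raw)["Policy"]), endpoint_id)
```

Feeding `aws s3api get-bucket-policy --endpoint https://storage.yandexcloud.net --bucket <bucket_name>` output into `audit_get_bucket_policy_output` after the `put-bucket-policy` step confirms the restriction actually landed.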
Learn more about managing a bucket policy in Bucket policy management.