Configuring public access to a bucket
Object Storage incorporates multiple mechanisms for managing access to resources. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.
By default, bucket access is restricted. You can enable public access:
- To read objects in a bucket.
- To access the list of objects in a bucket.
- To read bucket settings.
Public access to each operation is granted separately. This means that if you have enabled read-only access to your objects, anonymous users still cannot get the list of objects or the bucket settings.
Enabling public access
Warning
Public access is granted to an unlimited number of anonymous users. Use it only when other access grant mechanisms are not available.
With the management console
- In the management console, select Object Storage from the list of services and go to the bucket you want to configure public access for.
- In the left-hand panel, select Settings.
- Select the General tab.
- Enable public access for the operation types you need.
- Click Save.
With the CLI
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.
- See the description of the CLI command for updating a bucket:

      yc storage bucket update --help

- Get a list of buckets in the default folder:

      yc storage bucket list

  Result:

      +------------------+----------------------+-------------+-----------------------+---------------------+
      |       NAME       |      FOLDER ID       |  MAX SIZE   | DEFAULT STORAGE CLASS |     CREATED AT      |
      +------------------+----------------------+-------------+-----------------------+---------------------+
      | first-bucket     | b1gmit33ngp6******** | 53687091200 | STANDARD              | 2022-12-16 13:58:18 |
      +------------------+----------------------+-------------+-----------------------+---------------------+

- Save the name (from the NAME column) of the bucket to which you want to enable public access.
- Enable public access to bucket operations:

      yc storage bucket update \
        --name <bucket_name> \
        --public-read \
        --public-list \
        --public-config-read

  Where:
  - --name: Name of the bucket to which you need to enable public access. This is a required parameter; the other parameters are optional. By default, public access to the bucket is disabled.
  - --public-read: Flag to enable public read access to bucket objects.
  - --public-list: Flag to enable public view access to the list of bucket objects.
  - --public-config-read: Flag to enable public read access to the bucket configuration.

  Result:

      name: first-bucket
      folder_id: b1gmit33ngp6********
      anonymous_access_flags:
        read: true
        list: true
        config_read: true
      default_storage_class: STANDARD
      versioning: VERSIONING_DISABLED
      max_size: "53687091200"
      acl: {}
      created_at: "2022-12-16T13:58:18.933814Z"
With Terraform
Terraform is distributed under the Business Source License.
For more information about the provider resources, see the documentation on the Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
Note
Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.
To enable public access to bucket operations:
- Open the Terraform configuration file and add the anonymous_access_flags section to the bucket description:

      resource "yandex_storage_bucket" "log_bucket" {
        access_key = "<static_key_ID>"
        secret_key = "<secret_key>"
        bucket     = "<bucket_name>"

        anonymous_access_flags {
          read        = true
          list        = true
          config_read = true
        }
      }

  Where:
  - access_key: Static access key ID.
  - secret_key: Secret access key value.
  - bucket: Name of the bucket to which you need to enable public access.
  - anonymous_access_flags: Public access parameters:
    - read: Public read access to bucket objects.
    - list: Public access to the list of bucket objects.
    - config_read: Public read access to the bucket configuration.

  For more information about the yandex_storage_bucket resource parameters in Terraform, see this TF provider article.
- Make sure the configuration files are correct.
  - In the command line, go to the directory where you created the configuration file.
  - Run a check using this command:

        terraform plan

    If you described the configuration correctly, the terminal will display a list of the resources being created and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy the cloud resources.
  - If the configuration does not contain any errors, run this command:

        terraform apply

  - Confirm creating the resources: type yes in the terminal and press Enter.
  This will create all the resources you need in the specified folder. You can check the new resources and their settings using the management console.
With the API
To enable public access to bucket operations, use the update REST API method for the Bucket resource or the BucketService/Update gRPC API call.
Note
If your bucket has any bucket policies applied, you will also need to configure them for public access to work properly.
Disabling public access
With the management console
- In the management console, select Object Storage from the list of services and go to the bucket you want to disable public access for.
- In the left-hand panel, select Settings.
- Select the General tab.
- Enable restricted access for the operation types you need.
- Click Save.
With the CLI
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.
- See the description of the CLI command for updating a bucket:

      yc storage bucket update --help

- Get a list of buckets in the default folder:

      yc storage bucket list

  Result:

      +------------------+----------------------+-------------+-----------------------+---------------------+
      |       NAME       |      FOLDER ID       |  MAX SIZE   | DEFAULT STORAGE CLASS |     CREATED AT      |
      +------------------+----------------------+-------------+-----------------------+---------------------+
      | first-bucket     | b1gmit33ngp6******** | 53687091200 | STANDARD              | 2022-12-16 13:58:18 |
      +------------------+----------------------+-------------+-----------------------+---------------------+

- Save the name (from the NAME column) of the bucket to which you want to disable public access.
- Disable public access to bucket operations:

      yc storage bucket update \
        --name <bucket_name> \
        --public-read=false \
        --public-list=false \
        --public-config-read=false

  Where:
  - --name: Name of the bucket to which you need to disable public access. This is a required parameter; the other parameters are optional. By default, public access to the bucket is disabled.
  - --public-read: Flag to manage public read access to bucket objects. To disable public access, set it to false.
  - --public-list: Flag to manage public view access to the list of bucket objects. To disable public access, set it to false.
  - --public-config-read: Flag to manage public read access to the bucket configuration. To disable public access, set it to false.

  Result:

      name: first-bucket
      folder_id: b1gmit33ngp6********
      anonymous_access_flags:
        read: false
        list: false
        config_read: false
      default_storage_class: STANDARD
      versioning: VERSIONING_DISABLED
      max_size: "53687091200"
      acl: {}
      created_at: "2022-12-16T13:58:18.933814Z"
With Terraform
Terraform is distributed under the Business Source License.
For more information about the provider resources, see the documentation on the Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
To disable public access to bucket operations:
- Open the Terraform configuration file and add the anonymous_access_flags section to the bucket description:

      resource "yandex_storage_bucket" "log_bucket" {
        access_key = "<static_key_ID>"
        secret_key = "<secret_key>"
        bucket     = "<bucket_name>"

        anonymous_access_flags {
          read        = false
          list        = false
          config_read = false
        }
      }

  Where:
  - access_key: Static access key ID.
  - secret_key: Secret access key value.
  - bucket: Name of the bucket to which you need to disable public access.
  - anonymous_access_flags: Public access parameters:
    - read: Public read access to bucket objects.
    - list: Public access to the list of bucket objects.
    - config_read: Public read access to the bucket configuration.

  For more information about the yandex_storage_bucket resource parameters in Terraform, see this TF provider article.
- Make sure the configuration files are correct.
  - In the command line, go to the directory where you created the configuration file.
  - Run a check using this command:

        terraform plan

    If you described the configuration correctly, the terminal will display a list of the resources being created and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy the cloud resources.
  - If the configuration does not contain any errors, run this command:

        terraform apply

  - Confirm creating the resources: type yes in the terminal and press Enter.
  This will create all the resources you need in the specified folder. You can check the new resources and their settings using the management console.
With the API
To disable public access to bucket operations, use the update REST API method for the Bucket resource or the BucketService/Update gRPC API call.
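As an added example that is not part of the Yandex Cloud documentation or of the yc CLI, the following POSIX shell script checks the outcome of the CLI and Terraform procedures above from a defender's side: it parses the anonymous_access_flags block from the YAML that yc storage bucket get or update prints, parses the same block from yandex_storage_bucket resources in a .tf file, and reports which public flags are still enabled. The audit_all_buckets function is the only part that talks to the cloud; it assumes the yc CLI's global --format option (json/yaml output) and jq are available, and it is not run by the demo. The sample YAML and Terraform inputs are constructed for the demo and are not output captured from a real bucket.

```shell
#!/bin/sh
# Added example, not part of the Yandex Cloud docs or the yc CLI.
# Audits the anonymous_access_flags that the procedures above set.

# public_flags: read bucket YAML on stdin (the "Result" format printed by
# `yc storage bucket get` / `update`) and print the anonymous flags that
# are true, space-separated, e.g. "read list". Empty line when private.
public_flags() {
  awk '
    /^anonymous_access_flags:/ { inblock = 1; next }
    inblock && /^[^ \t]/        { inblock = 0 }
    inblock && /^[ \t]+(read|list|config_read):[ \t]*true[ \t]*$/ {
      key = $1; sub(/:$/, "", key)
      out = (out == "" ? key : out " " key)
    }
    END { print out }
  '
}

# bucket_is_public: exit 0 if any anonymous flag is enabled, 1 otherwise.
bucket_is_public() {
  [ -n "$(public_flags)" ]
}

# hcl_public_flags: read a Terraform file on stdin and print one line per
# yandex_storage_bucket resource whose anonymous_access_flags block enables
# anything, as "<resource name>: read list". Silent when all are false.
hcl_public_flags() {
  awk '
    /^[ \t]*resource[ \t]+"yandex_storage_bucket"[ \t]+"/ {
      name = $3; gsub(/"/, "", name)      # third field is the resource name
    }
    /^[ \t]*anonymous_access_flags[ \t]*[{]/ { inblock = 1; out = ""; next }
    inblock && /^[ \t]*[}]/ {
      inblock = 0
      if (out != "") print name ": " out
    }
    inblock && /^[ \t]*(read|list|config_read)[ \t]*=[ \t]*true[ \t]*$/ {
      out = (out == "" ? $1 : out " " $1)
    }
  '
}

# audit_all_buckets: live check (not executed by the demo). Lists every
# bucket in the default folder and prints the ones with public flags.
# Assumption: yc supports --format json/yaml and jq is installed.
audit_all_buckets() {
  rc=0
  for b in $(yc storage bucket list --format json | jq -r '.[].name'); do
    flags=$(yc storage bucket get --name "$b" --format yaml | public_flags)
    if [ -n "$flags" ]; then
      echo "PUBLIC  $b: $flags"
      rc=1
    else
      echo "private $b"
    fi
  done
  return $rc
}

# Constructed sample: what `update --public-read --public-list` (without
# --public-config-read) would print for a bucket.
SAMPLE_YAML='name: first-bucket
folder_id: b1gmit33ngp6********
anonymous_access_flags:
  read: true
  list: true
  config_read: false
default_storage_class: STANDARD
versioning: VERSIONING_DISABLED
max_size: "53687091200"
acl: {}
created_at: "2022-12-16T13:58:18.933814Z"'

# Constructed sample .tf with one public and one private bucket.
SAMPLE_TF='resource "yandex_storage_bucket" "log_bucket" {
  bucket = "logs"
  anonymous_access_flags {
    read        = true
    list        = false
    config_read = true
  }
}
resource "yandex_storage_bucket" "private_bucket" {
  bucket = "private"
  anonymous_access_flags {
    read        = false
    list        = false
    config_read = false
  }
}'

demo() {
  printf '%s\n' "$SAMPLE_YAML" | public_flags      # read list
  printf '%s\n' "$SAMPLE_TF" | hcl_public_flags    # log_bucket: read config_read
}
demo
```

Run the two parsers in a pre-commit hook or a CI job against your .tf files, and audit_all_buckets on a schedule against the folder; a non-zero exit from either is the signal that a bucket still has a public flag that the disabling procedure above should have cleared.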
When disabling public access to your bucket, make sure the All users public group has no viewer, storage.viewer, or higher role assigned for the folder or bucket. Otherwise, the bucket will still be publicly accessible.