Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Configuring public access to a bucket

Written by
Updated at October 28, 2024

Object Storage incorporates multiple mechanisms for managing access to resources. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.

By default, buckets are created with restricted access. You can enable public access:

Public access to each operation is provided separately. This means, if you have opened read-only access to your objects, anonymous users cannot get the list of objects and bucket settings.

Enabling public access

Warning

Public access is granted to an unlimited number of anonymous users. Use it only when other access grant mechanisms are not available.

  1. In the management console, select the folder.
  2. Select Object Storage.
  3. Click the bucket name.
  4. Go to the Settings tab.
  5. Enable public access for the operation types you need.
  6. Click Save.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command to update a bucket:

    yc storage bucket update --help

  2. Get a list of buckets in the default folder:

    yc storage bucket list

    Result:

    +------------------+----------------------+-------------+-----------------------+---------------------+
|       NAME       |      FOLDER ID       |  MAX SIZE   | DEFAULT STORAGE CLASS |     CREATED AT      |
+------------------+----------------------+-------------+-----------------------+---------------------+
| first-bucket     | b1gmit33ngp6******** | 53687091200 | STANDARD              | 2022-12-16 13:58:18 |
+------------------+----------------------+-------------+-----------------------+---------------------+

  3. Using the NAME column, save the name of the bucket to which you need to enable public access.

  4. Allow public access to operations with the bucket:

    yc storage bucket update \
  --name <bucket_name> \
  --public-read \
  --public-list \
  --public-config-read

    Where:

    • --name: Name of the bucket to which you need to enable public access.
    • --public-read: Flag to enable public access to read bucket objects.
    • --public-list: Flag to enable public access to view the list of bucket objects.
    • --public-config-read: Flag to enable public access to read the bucket configuration.

    name: Required parameter. Other parameters are optional. By default, no public access to buckets is allowed.

    Result:

    name: first-bucket
folder_id: b1gmit33ngp6********
anonymous_access_flags:
  read: true
  list: true
  config_read: true
default_storage_class: STANDARD
versioning: VERSIONING_DISABLED
max_size: "53687091200"
acl: {}
created_at: "2022-12-16T13:58:18.933814Z"

Note

Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.

Terraform allows you to quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. Configuration files store the infrastructure description in the HashiCorp Configuration Language (HCL). Terraform and its providers are distributed under the Business Source License.

For more information about the provider resources, see the documentation on the Terraform website or the mirror.

If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

To enable public access to bucket operations:

  1. Open the Terraform configuration file and add the anonymous_access_flags section to the bucket description fragment.

    resource "yandex_storage_bucket" "log_bucket" {
  access_key = "<static_key_ID>"
  secret_key = "<secret_key>"
  bucket     = "<bucket_name>"

  anonymous_access_flags {
    read        = true
    list        = true
    config_read = true
  }
}

    Where:

    • access_key: Static access key ID.
    • secret_key: Secret access key value.
    • bucket: Name of the bucket to which you need to enable public access.
    • anonymous_access_flags: Public access parameters:
      • read: Public access to read bucket objects.
      • list: Public access to the list of bucket objects.
      • config_read: Public access to read bucket configuration.

    For more information about the yandex_storage_bucket resource parameters in Terraform, see the provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the folder where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the resources: type yes in the terminal and press Enter.

      All the resources you need will then be created in the specified folder. You can check the new resources and their configuration using the management console.

To allow public access to operations with your bucket, use the update REST API method for the Bucket resource or the BucketService/Update gRPC API call.

Note

If your bucket has access policies, you will also need to configure them for public access to work properly.

Disabling public access

  1. In the management console, select the folder.
  2. Select Object Storage.
  3. Click the bucket name.
  4. Go to the Settings tab.
  5. Enable restricted access for the operation types you need.
  6. Click Save.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command to update a bucket:

    yc storage bucket update --help

  2. Get a list of buckets in the default folder:

    yc storage bucket list

    Result:

    +------------------+----------------------+-------------+-----------------------+---------------------+
|       NAME       |      FOLDER ID       |  MAX SIZE   | DEFAULT STORAGE CLASS |     CREATED AT      |
+------------------+----------------------+-------------+-----------------------+---------------------+
| first-bucket     | b1gmit33ngp6******** | 53687091200 | STANDARD              | 2022-12-16 13:58:18 |
+------------------+----------------------+-------------+-----------------------+---------------------+

  3. Using the NAME column, save the name of the bucket to which you want to disable public access.

  4. Disable public access to operations with the bucket.

    yc storage bucket update \
  --name <bucket_name> \
  --public-read=false \
  --public-list=false \
  --public-config-read=false

    Where:

    • --name: Name of the bucket to which you need to disable public access.
    • --public-read: Flag to manage public access to read bucket objects. To disable public access, set it to false.
    • --public-list: Flag to manage public access to view the list of bucket objects. To disable public access, set it to false.
    • --public-config-read: Flag to manage public access to read bucket configuration. To disable public access, set it to false.

    name: Required parameter. Other parameters are optional. By default, no public access to buckets is allowed.

    Result:

    name: first-bucket
folder_id: b1gmit33ngp6********
anonymous_access_flags:
  read: false
  list: false
  config_read: false
default_storage_class: STANDARD
versioning: VERSIONING_DISABLED
max_size: "53687091200"
acl: {}
created_at: "2022-12-16T13:58:18.933814Z"

Terraform allows you to quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. Configuration files store the infrastructure description in the HashiCorp Configuration Language (HCL). Terraform and its providers are distributed under the Business Source License.

For more information about the provider resources, see the documentation on the Terraform website or the mirror.

If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

To disable public access to bucket operations:

  1. Open the Terraform configuration file and add the anonymous_access_flags section to the bucket description fragment.

    resource "yandex_storage_bucket" "log_bucket" {
  access_key = "<static_key_ID>"
  secret_key = "<secret_key>"
  bucket     = "<bucket_name>"

  anonymous_access_flags {
    read        = false
    list        = false
    config_read = false
  }
}

    Where:

    • access_key: Static access key ID.
    • secret_key: Secret access key value.
    • bucket: Name of the bucket to which you need to disable public access.
    • anonymous_access_flags: Public access parameters:
      • read: Public access to read bucket objects.
      • list: Public access to the list of bucket objects.
      • config_read: Public access to read bucket configuration.

    For more information about the yandex_storage_bucket resource parameters in Terraform, see the provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the folder where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the resources: type yes in the terminal and press Enter.

      All the resources you need will then be created in the specified folder. You can check the new resources and their configuration using the management console.

To disable public access to operations with your bucket, use the update REST API method for the Bucket resource or the BucketService/Update gRPC API call.

When disabling public access to the bucket, make sure the All users public group has no viewer, storage.viewer, or higher role assigned for the folder or bucket. Otherwise, the bucket will still be publicly accessible.

Previous
Access policy management
Next
Accessing a bucket using Security Token Service