Configuring public access to a bucket
Object Storage incorporates several access management mechanisms. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.
By default, bucket access is restricted. You can enable public access:
- To read objects in a bucket.
- To view the list of objects in a bucket.
- To read bucket settings.
Public access to each operation is granted separately. This means, if you have granted only read access to your objects, anonymous users cannot get the list of objects and bucket settings.
Enabling public access
Warning
Public access is granted to an unlimited number of anonymous users. Use it only when other access grant mechanisms are not available.
- In the management console, open a folder.
- Navigate to Object Storage.
- Select the bucket to configure public access for.
- In the left-hand panel, select Settings.
- Select the General tab.
- Enable public access for the operation types you need.
- Click Save.
CLI
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
- See the description of the CLI command for updating a bucket:
  yc storage bucket update --help
- Get a list of buckets in the default folder:
  yc storage bucket list
  Result:
  +------------------+----------------------+-------------+-----------------------+---------------------+
  | NAME             | FOLDER ID            | MAX SIZE    | DEFAULT STORAGE CLASS | CREATED AT          |
  +------------------+----------------------+-------------+-----------------------+---------------------+
  | first-bucket     | b1gmit33ngp6******** | 53687091200 | STANDARD              | 2022-12-16 13:58:18 |
  +------------------+----------------------+-------------+-----------------------+---------------------+
- Save the name (from the NAME column) of the bucket to which you want to enable public access.
- Enable public access to bucket operations:
  yc storage bucket update \
    --name <bucket_name> \
    --public-read \
    --public-list \
    --public-config-read
  Where:
  - --name: Name of the bucket to which you need to enable public access. This parameter is required; the others are optional.
  - --public-read: Flag to enable public read access to bucket objects.
  - --public-list: Flag to enable public view access to the list of bucket objects.
  - --public-config-read: Flag to enable public read access to the bucket configuration.
  By default, public access to the bucket is disabled, so only the operations whose flags you pass are opened.
  Result:
  name: first-bucket
  folder_id: b1gmit33ngp6********
  anonymous_access_flags:
    read: true
    list: true
    config_read: true
  default_storage_class: STANDARD
  versioning: VERSIONING_DISABLED
  max_size: "53687091200"
  acl: {}
  created_at: "2022-12-16T13:58:18.933814Z"
Note
If you access Object Storage via Terraform under a service account, assign to the service account the relevant role, e.g., storage.admin, for the folder you are going to create the resources in.
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the relevant documentation on the Terraform
If you do not have Terraform yet, install it and configure the Yandex Cloud provider.
To open public access to bucket operations:
- Open the Terraform configuration file and add the anonymous_access_flags section to the bucket description:
  resource "yandex_storage_bucket" "log_bucket" {
    access_key = "<static_key_ID>"
    secret_key = "<secret_key>"
    bucket     = "<bucket_name>"
    anonymous_access_flags {
      read        = true
      list        = true
      config_read = true
    }
  }
  Where:
  - access_key: Static access key ID.
    Note
    In addition to static access keys, you can use an IAM token for authentication in Object Storage. For more details, see Creating a bucket and the relevant provider documentation.
  - secret_key: Secret access key value.
  - bucket: Name of the bucket to which you need to enable public access.
  - anonymous_access_flags: Public access parameters:
    - read: Public read access to bucket objects.
    - list: Public access to the list of bucket objects.
    - config_read: Public read access to the bucket configuration.
  For more information about the yandex_storage_bucket properties in Terraform, see this provider guide.
- Validate your configuration files.
  - In the terminal, navigate to the directory where you created your configuration file.
  - Run a check using the following command:
    terraform plan
    If your configuration is correct, the terminal will display a list of the resources to be created and their settings. Otherwise, Terraform will show any detected errors.
- Deploy the cloud resources.
  - If the configuration is correct, run this command:
    terraform apply
  - Confirm creating the resources: type yes and press Enter.
    This will create all the resources you need in the specified folder. You can check the new resources and their settings using the management console.
API
To open public access to bucket operations, use the update REST API method for the Bucket resource or the BucketService/Update gRPC API call.
Note
You will not be able to open public access if a restrictive access policy is configured for the bucket.
Disabling public access
- In the management console, select any folder.
- Navigate to Object Storage.
- Select the bucket to disable public access for.
- In the left-hand panel, select Settings.
- Select the General tab.
- Enable restricted access for the operation types you need.
- Click Save.
CLI
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
- See the description of the CLI command for updating a bucket:
  yc storage bucket update --help
- Get a list of buckets in the default folder:
  yc storage bucket list
  Result:
  +------------------+----------------------+-------------+-----------------------+---------------------+
  | NAME             | FOLDER ID            | MAX SIZE    | DEFAULT STORAGE CLASS | CREATED AT          |
  +------------------+----------------------+-------------+-----------------------+---------------------+
  | first-bucket     | b1gmit33ngp6******** | 53687091200 | STANDARD              | 2022-12-16 13:58:18 |
  +------------------+----------------------+-------------+-----------------------+---------------------+
- Save the name (from the NAME column) of the bucket to which you want to disable public access.
- Disable public access to bucket operations:
  yc storage bucket update \
    --name <bucket_name> \
    --public-read=false \
    --public-list=false \
    --public-config-read=false
  Where:
  - --name: Name of the bucket to which you need to disable public access. This parameter is required; the others are optional.
  - --public-read: Flag to manage public read access to bucket objects. To disable public access, set it to false.
  - --public-list: Flag to manage public view access to the list of bucket objects. To disable public access, set it to false.
  - --public-config-read: Flag to manage public read access to the bucket configuration. To disable public access, set it to false.
  By default, public access to the bucket is disabled; pass a flag only for the operations you previously opened.
  Result:
  name: first-bucket
  folder_id: b1gmit33ngp6********
  anonymous_access_flags:
    read: false
    list: false
    config_read: false
  default_storage_class: STANDARD
  versioning: VERSIONING_DISABLED
  max_size: "53687091200"
  acl: {}
  created_at: "2022-12-16T13:58:18.933814Z"
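The enabling and disabling steps above both end with a Bucket resource whose anonymous_access_flags block tells you which operations anonymous users can perform. The following added example (not part of the Yandex Cloud documentation or the yc tool) audits a set of such bucket records for any operation that is still public and builds the exact yc storage bucket update command from this page that switches only those operations off. It assumes the records were exported as JSON (for example with the CLI's --format json option) and uses a constructed sample array instead of live output; the bucket names and the truncated folder ID are placeholders.

```python
import json
from typing import Dict, List

# Constructed sample: a JSON array of Bucket resources in the shape of the
# `yc storage bucket update` result on this page (names and folder ID are
# placeholders). The third record omits flags that are false, which a JSON
# rendering of the API may do, so the audit must treat a missing key as off.
SAMPLE_BUCKETS_JSON = """
[
  {"name": "first-bucket", "folder_id": "b1gmit33ngp6********",
   "anonymous_access_flags": {"read": true, "list": true, "config_read": true}},
  {"name": "private-bucket", "folder_id": "b1gmit33ngp6********",
   "anonymous_access_flags": {"read": false, "list": false, "config_read": false}},
  {"name": "download-only", "folder_id": "b1gmit33ngp6********",
   "anonymous_access_flags": {"read": true}}
]
"""

# The three anonymous-access operations the page describes, each paired with
# the `yc storage bucket update` flag (from the page) that switches it off.
FLAG_TO_CLI_OPTION = {
    "read": "--public-read=false",
    "list": "--public-list=false",
    "config_read": "--public-config-read=false",
}


def public_operations(bucket: dict) -> List[str]:
    """Return the anonymous-access operations enabled on one bucket, in page order."""
    flags = bucket.get("anonymous_access_flags") or {}
    # Only an explicit true counts; an absent key or false means the operation is closed.
    return [op for op in FLAG_TO_CLI_OPTION if flags.get(op) is True]


def audit(buckets_json: str) -> Dict[str, List[str]]:
    """Map each bucket name to its publicly enabled operations; fully private buckets are omitted."""
    findings: Dict[str, List[str]] = {}
    for bucket in json.loads(buckets_json):
        ops = public_operations(bucket)
        if ops:
            findings[bucket["name"]] = ops
    return findings


def remediation_command(name: str, ops: List[str]) -> str:
    """Build the update command that disables exactly the listed operations on one bucket."""
    parts = ["yc storage bucket update", f"--name {name}"]
    parts.extend(FLAG_TO_CLI_OPTION[op] for op in ops)
    return " ".join(parts)


if __name__ == "__main__":
    results = audit(SAMPLE_BUCKETS_JSON)
    if not results:
        print("No bucket has anonymous access enabled.")
    for bucket_name, public_ops in results.items():
        print(f"{bucket_name}: public {', '.join(public_ops)}")
        print("  to disable: " + remediation_command(bucket_name, public_ops))
```

The audit looks only at anonymous_access_flags, which is the mechanism this page configures. As the note at the end of the page explains, a bucket can remain publicly reachable through a role granted to the All users public group, so a complete review also checks the folder's and bucket's access bindings.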
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the relevant documentation on the Terraform
If you do not have Terraform yet, install it and configure the Yandex Cloud provider.
To disable public access to bucket operations:
- Open the Terraform configuration file and add the anonymous_access_flags section to the bucket description fragment:
  resource "yandex_storage_bucket" "log_bucket" {
    access_key = "<static_key_ID>"
    secret_key = "<secret_key>"
    bucket     = "<bucket_name>"
    anonymous_access_flags {
      read        = false
      list        = false
      config_read = false
    }
  }
  Where:
  - access_key: Static access key ID.
  - secret_key: Secret access key value.
  - bucket: Name of the bucket to which you need to disable public access.
  - anonymous_access_flags: Public access parameters:
    - read: Public read access to bucket objects.
    - list: Public access to the list of bucket objects.
    - config_read: Public read access to the bucket configuration.
  For more information about the yandex_storage_bucket properties in Terraform, see this provider guide.
- Validate your configuration files.
  - In the terminal, navigate to the directory where you created your configuration file.
  - Run a check using the following command:
    terraform plan
    If your configuration is correct, the terminal will display a list of the resources to be created and their settings. Otherwise, Terraform will show any detected errors.
- Deploy the cloud resources.
  - If the configuration is correct, run this command:
    terraform apply
  - Confirm creating the resources: type yes and press Enter.
    This will create all the resources you need in the specified folder. You can check the new resources and their settings using the management console.
API
To disable public access to bucket operations, use the update REST API method for the Bucket resource or the BucketService/Update gRPC API call.
When disabling public access to your bucket, make sure the All users public group has no viewer, storage.viewer, or higher role assigned for the folder or bucket. Otherwise, the bucket will still be publicly accessible.