Managing object locks in a bucket
You can set up object locks in versioned buckets. When object lock is enabled for a bucket, you can lock an individual object version so that it cannot be deleted or overwritten. You can also set a default lock for the bucket that applies to every new object version uploaded to it.
Note
In buckets with paused versioning, object locks are not available.
Enabling an object lock
Enabling locks does not lock previously uploaded object versions. If required, you can lock them manually.
The minimum required role is storage.admin.
To enable object locks:
- In the management console, select Object Storage from the list of services and go to the bucket you want to configure a lock for.
- In the left-hand panel, select Security.
- Select the Object locks tab.
- To enable working with locks, enable Enable locks.
- Click Save.
If you do not have the AWS CLI yet, install and configure it.
Run the following command:
aws s3api put-object-lock-configuration \
--bucket <bucket_name> \
--object-lock-configuration ObjectLockEnabled=Enabled \
--endpoint-url=https://storage.yandexcloud.net
Where:
- --bucket: Bucket name.
- --object-lock-configuration: Bucket lock settings. The ObjectLockEnabled=Enabled value enables object lock.
- --endpoint-url: Object Storage endpoint.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- Open the Terraform configuration file and add the object_lock_configuration section to the bucket description:
resource "yandex_storage_bucket" "b" {
  ...
  object_lock_configuration {
    object_lock_enabled = "Enabled"
  }
}
Where:
- object_lock_configuration: Object lock settings:
  - object_lock_enabled: Enables object locks. Requires enabled bucket versioning. This is an optional parameter.
For more information about the bucket parameters you can specify using Terraform, see the provider documentation.
- Create resources:
  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
  - Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
  - Apply the configuration changes:
terraform apply
  - Confirm the changes: type yes in the terminal and press Enter.
- With that done, an object lock for the bucket will be created in the specified folder. You can check that the object lock is there using this CLI command:
yc storage bucket get <bucket_name>
Result:
name: my-bucket
folder_id: b1geoelk2fld*********
...
object_lock:
status: OBJECT_LOCK_STATUS_ENABLED
To enable object locks via the API, use the putObjectLockConfiguration S3 API method, the update REST API method for the Bucket resource, or the BucketService/Update gRPC API call.
Setting up default object locks
Default locks are set for all new object versions uploaded to the bucket. These settings do not affect the previously uploaded versions.
The minimum required role is storage.admin.
To set up default object locks:
- In the management console, select Object Storage from the list of services and go to the bucket you want to configure a default lock for.
- In the left-hand panel, select Security.
- Select the Object locks tab.
- To enable or disable working with locks, use Enable locks.
- Enable Default locks for new versions.
- Select Default lock type:
  - Governance: User with the storage.admin role can bypass a lock, change its expiration date, or remove it.
  - Compliance: User with the storage.admin role can only extend the lock period. You cannot bypass, shorten, or remove such a lock until it expires.
- Specify Default lock period in days or years. It starts from the moment you upload the object version to the bucket.
- Click Save.
If you do not have the AWS CLI yet, install and configure it.
- Specify a configuration for default object locks in JSON format:
{
  "ObjectLockEnabled": "Enabled",
  "Rule": {
    "DefaultRetention": {
      "Mode": "<lock_type>",
      "Days": <retention_period_in_days>,
      "Years": <retention_period_in_years>
    }
  }
}
Where:
- ObjectLockEnabled: Object lock status. Enabled means it is on.
Alert
This is a required field. If you do not specify Enabled in this parameter, you will get the InvalidRequest error message, and the object lock will not be enabled. See also Disabling object locks for details.
- Mode: Lock type:
  - GOVERNANCE: Temporary managed lock.
  - COMPLIANCE: Temporary strict lock.
- Days: Retention period in days after uploading an object version. It must be a positive integer. You cannot use it together with Years.
- Years: Retention period in years after uploading an object version. It must be a positive integer. You cannot use it together with Days.
The template above lists both Days and Years only to show the field names: keep exactly one of them in the configuration you upload.
When ready, you can save your configuration into a file, e.g., default-object-lock.json.
- Upload the configuration to the bucket:
aws s3api put-object-lock-configuration \
--bucket <bucket_name> \
--object-lock-configuration file://default-object-lock.json \
--endpoint-url=https://storage.yandexcloud.net
Where:
- --bucket: Bucket name.
- --object-lock-configuration: Default lock settings. In our case, they are specified in the default-object-lock.json file.
- --endpoint-url: Object Storage endpoint.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- Open the Terraform configuration file and add the default lock settings to the object_lock_configuration section:
...
rule {
  default_retention {
    mode  = "GOVERNANCE"
    years = 1
  }
}
...
Where:
- rule: Object lock rule. It contains the default_retention parameter with retention settings:
  - mode: Lock type. Its possible values are GOVERNANCE or COMPLIANCE. This is an optional parameter.
  - years or days: Object lock duration (retention period). It is specified as a number. This is an optional parameter.
- Apply the changes:
  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
  - Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
  - Apply the configuration changes:
terraform apply
  - Confirm the changes: type yes in the terminal and press Enter.
- You can check that the object lock is there using this CLI command:
yc storage bucket get <bucket_name>
Result:
name: my-bucket
folder_id: b1geoelk2fld********
...
object_lock:
status: OBJECT_LOCK_STATUS_ENABLED
default_retention:
mode: MODE_GOVERNANCE
years: "1"
Disabling object locks
Disabling the object lock feature does not remove existing locks: locked object versions stay locked, and you will not be able to remove or change those locks.
The minimum required role is storage.admin.
To disable object locks:
- In the management console, select Object Storage from the list of services and go to the bucket you want to configure a lock for.
- In the left-hand panel, select Security.
- Select the Object locks tab.
- To disable working with locks, disable Enable locks.
- Click Save.
If you do not have the AWS CLI yet, install and configure it.
Run the following command:
aws s3api put-object-lock-configuration \
--bucket <bucket_name> \
--object-lock-configuration ObjectLockEnabled="" \
--endpoint-url=https://storage.yandexcloud.net
Where:
- --bucket: Bucket name.
- --object-lock-configuration: Bucket lock settings. The ObjectLockEnabled="" value disables object lock.
- --endpoint-url: Object Storage endpoint.
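The following POSIX shell helpers are an added example for this page, not part of the Yandex Cloud documentation or of the aws and yc tools themselves. They wrap the aws s3api put-object-lock-configuration calls from the enabling, default-lock and disabling sections above and the yc storage bucket get check, and they validate the Mode, Days and Years rules the page states before anything is sent. Assumptions: the function and variable names are the author's own; a JSON file containing {"ObjectLockEnabled":""} is taken to be equivalent to the page's ObjectLockEnabled="" shorthand; and the yc output is parsed in the layout shown on this page.

```shell
#!/bin/sh
# Added example (not from the Yandex Cloud docs): helpers around the CLI
# commands on this page. Function and variable names are the author's own.

ENDPOINT="https://storage.yandexcloud.net"

# Build the JSON body for put-object-lock-configuration.
#   lock_config enable                -> lock on, no default retention
#   lock_config disable               -> ObjectLockEnabled="" (assumed equal to the shorthand)
#   lock_config default MODE UNIT N   -> default retention; UNIT is days|years
# Days and Years are mutually exclusive, so exactly one key is ever emitted.
lock_config() {
  action="${1:-}"
  case "$action" in
    enable)  printf '{"ObjectLockEnabled":"Enabled"}\n'; return 0 ;;
    disable) printf '{"ObjectLockEnabled":""}\n'; return 0 ;;
    default) ;;
    *) echo "lock_config: unknown action '$action'" >&2; return 1 ;;
  esac
  mode="${2:-}"; unit="${3:-}"; n="${4:-}"
  case "$mode" in
    GOVERNANCE|COMPLIANCE) ;;
    *) echo "lock_config: mode must be GOVERNANCE or COMPLIANCE" >&2; return 1 ;;
  esac
  case "$unit" in
    days)  key="Days" ;;
    years) key="Years" ;;
    *) echo "lock_config: unit must be days or years" >&2; return 1 ;;
  esac
  # Positive integer only: empty, non-digit and leading-zero values are rejected.
  case "$n" in
    ''|*[!0-9]*|0*) echo "lock_config: period must be a positive integer" >&2; return 1 ;;
  esac
  printf '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"%s","%s":%s}}}\n' \
    "$mode" "$key" "$n"
}

# Read `yc storage bucket get` YAML from stdin and print the object_lock status
# (OBJECT_LOCK_STATUS_ENABLED / OBJECT_LOCK_STATUS_DISABLED); prints nothing if absent.
lock_status() {
  awk '/^object_lock:/ { seen = 1; next } seen && $1 == "status:" { print $2; exit }'
}

# Same input; print the default retention mode (e.g. MODE_GOVERNANCE), or nothing.
default_retention_mode() {
  awk '/^object_lock:/ { seen = 1; next } seen && $1 == "mode:" { print $2; exit }'
}

# Apply a configuration to a bucket. Needs a configured AWS CLI; not run offline.
apply_lock_config() {
  bucket="$1"; shift
  tmp=$(mktemp) || return 1
  lock_config "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
  aws s3api put-object-lock-configuration \
    --bucket "$bucket" \
    --object-lock-configuration "file://$tmp" \
    --endpoint-url="$ENDPOINT"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Verify with yc and fail unless the bucket reports the expected status.
expect_lock_status() {
  bucket="$1"; expected="$2"
  actual=$(yc storage bucket get "$bucket" | lock_status)
  [ "$actual" = "$expected" ] || {
    echo "$bucket: lock status is '$actual', expected '$expected'" >&2
    return 1
  }
}

# Typical sequence against a real bucket (uncomment to run):
# apply_lock_config my-bucket enable
# apply_lock_config my-bucket default GOVERNANCE days 30
# expect_lock_status my-bucket OBJECT_LOCK_STATUS_ENABLED
```

Only lock_config, lock_status and default_retention_mode run offline; apply_lock_config and expect_lock_status need configured aws and yc CLIs and a real bucket. Since a COMPLIANCE default cannot be shortened or removed once a version has been uploaded under it, rehearse the sequence with GOVERNANCE on a test bucket first.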
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- Open the Terraform configuration file and delete the object_lock_configuration section.
Example of an object lock description in a Terraform configuration:
...
object_lock_configuration {
  object_lock_enabled = "Enabled"
  rule {
    default_retention {
      mode  = "GOVERNANCE"
      years = 1
    }
  }
}
...
- Apply the changes:
  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
  - Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
  - Apply the configuration changes:
terraform apply
  - Confirm the changes: type yes in the terminal and press Enter.
- You can check the object lock deletion using this CLI command:
yc storage bucket get <bucket_name>
Result:
name: my-bucket
folder_id: b1geoelk2fld********
...
object_lock:
status: OBJECT_LOCK_STATUS_DISABLED
To disable object lock for a bucket, use the putObjectLockConfiguration S3 API method, the update REST API method for the Bucket resource, or the BucketService/Update gRPC API call.
In the request body, send the object lock parameter with an empty value:
- ObjectLockConfiguration: For S3 API.
- objectLock: For REST API.
- object_lock: For gRPC API.
Example of the HTTP request body for S3 API:
<ObjectLockConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/" />