Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Managing object locks in a bucket

Written by
Updated at November 21, 2024

You can set up object locks in versioned buckets. When object lock is enabled, you can lock an object version so that it would not be deleted or overwritten. You can also set default object locks for a bucket that will apply to all new object versions.

Note

In buckets with paused versioning, object locks are not available.

Enabling an object lock

Enabling locks does not mean locking previously uploaded object versions. If required, you can lock them manually.

The minimum required role is storage.admin.

To enable object locks:

  1. In the management console, select Object Storage from the list of services and go to the bucket you want to configure a lock for.
  2. In the left-hand panel, select Security.
  3. Select the Object locks tab.
  4. To enable working with locks, enable Enable locks.
  5. Click Save.

If you do not have the AWS CLI yet, install and configure it.

Run the following command:

aws s3api put-object-lock-configuration \
  --bucket <bucket_name> \
  --object-lock-configuration ObjectLockEnabled=Enabled \
  --endpoint-url=https://storage.yandexcloud.net

Where:

  • --bucket: Bucket name.
  • --object-lock-configuration: Bucket lock settings. The ObjectLockEnabled=Enabled value enables object lock.
  • --endpoint-url: Object Storage endpoint.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

  1. Open the Terraform configuration file and add the object_lock_configuration section to the bucket description:

    resource "yandex_storage_bucket" "b" {
  ...
  object_lock_configuration {
    object_lock_enabled = "Enabled"
  }
}

    Where:

    • object_lock_configuration: Object lock settings:
      • object_lock_enabled: Enables object locks. Requires enabled bucket versioning. This is an optional parameter.

    For more information about the bucket parameters you can specify using Terraform, see the provider documentation.

  2. Create resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

With that done, an object lock for the bucket will be created in the specified folder. You can check that the object lock is there using this CLI command:

yc storage bucket get <bucket_name>

Result:

name: my-bucket
folder_id: b1geoelk2fld*********
...
object_lock:
  status: OBJECT_LOCK_STATUS_ENABLED

Use the putObjectLockConfiguration S3 API method, update REST API method for the Bucket resource, or the BucketService/Update gRPC API call.

Setting up default object locks

Default locks are set for all new object versions uploaded to the bucket. These settings do not affect the previously uploaded versions.

The minimum required role is storage.admin.

To set up default object locks:

  1. In the management console, select Object Storage from the list of services and go to the bucket you want to configure a default lock for.
  2. In the left-hand panel, select Security.
  3. Select the Object locks tab.
  4. To enable or disable working with locks, use Enable locks.
  5. Enable Default locks for new versions.
  6. Select Default lock type:
    • Governance: User with the storage.admin role can bypass a lock, change its expiration date, or remove it.
    • Compliance: User with the storage.admin role can only extend the lock period. You cannot bypass, shorten, or remove such a lock until it expires.
  7. Specify Default lock period in days or years. It starts from the moment you upload the object version to the bucket.
  8. Click Save.

If you do not have the AWS CLI yet, install and configure it.

  1. Specify a configuration for default object locks in JSON format:

    {
  "ObjectLockEnabled": "Enabled",
  "Rule": {
    "DefaultRetention": {
      "Mode": "<lock_type>",
      "Days": <retention_period_in_days>,
      "Years": <retention_period_in_years>
    }
  }
}

    Where:

    • ObjectLockEnabled: Object lock status, Enabled, which means it is on.

      Alert

      This is a required field. If you do not specify Enabled in this parameter, you will get the InvalidRequest error message, and the object lock will not be enabled. See also Disabling object locks for details.

    • Mode: Lock type:

      • GOVERNANCE: Temporary managed lock.
      • COMPLIANCE: Temporary strict lock.

    • Days: Retention period in days after uploading an object version. It must be a positive integer. You cannot use it together with Years.

    • Years: Retention period in years after uploading an object version. It must be a positive integer. You cannot use it together with Days.

    When ready, you can save your configuration into a file, e.g., default-object-lock.json.

  2. Upload the configuration to the bucket:

    aws s3api put-object-lock-configuration \
  --bucket <bucket_name> \
  --object-lock-configuration file://default-object-lock.json \
  --endpoint-url=https://storage.yandexcloud.net

    Where:

    • --bucket: Bucket name.
    • --object-lock-configuration: Default lock settings. In our case, they are specified in the default-object-lock.json file.
    • --endpoint-url: Object Storage endpoint.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

  1. Open the Terraform configuration file and add the default lock settings to the object_lock_configuration section:

    ...
rule {
  default_retention {
    mode = "GOVERNANCE"
    years = 1
  }
}
...

    Where:

    • rule: Object lock rule. It contains the default_retention parameter with retention settings:
      • mode: Lock type. Its possible values are GOVERNANCE or COMPLIANCE. This is an optional parameter.
      • years or days: Object lock duration (retention period). It is specified as a number. This is an optional parameter.

  2. Apply the changes:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

You can check that the object lock is there using this CLI command:

yc storage bucket get <bucket_name>

Result:

name: my-bucket
folder_id: b1geoelk2fld********
...
object_lock:
status: OBJECT_LOCK_STATUS_ENABLED
default_retention:
  mode: MODE_GOVERNANCE
  years: "1"

Disabling object locks

If you disable the object lock feature, this will not disable existing locks. They will still be there, and you will not be able to remove or change them.

The minimum required role is storage.admin.

To disable object locks:

  1. In the management console, select Object Storage from the list of services and go to the bucket you want to configure a lock for.
  2. In the left-hand panel, select Security.
  3. Select the Object locks tab.
  4. To disable working with locks, disable Enable locks.
  5. Click Save.

If you do not have the AWS CLI yet, install and configure it.

Run the following command:

aws s3api put-object-lock-configuration \
  --bucket <bucket_name> \
  --object-lock-configuration ObjectLockEnabled="" \
  --endpoint-url=https://storage.yandexcloud.net

Where:

  • --bucket: Bucket name.
  • --object-lock-configuration: Bucket lock settings. The ObjectLockEnabled="" value disables object lock.
  • --endpoint-url: Object Storage endpoint.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

  1. Open the Terraform configuration file and delete the object_lock_configuration section.

    Example of an object lock description in a Terraform configuration
    ...
object_lock_configuration {
  object_lock_enabled = "Enabled"
  rule {
    default_retention {
      mode = "GOVERNANCE"
      years = 1
    }
  }
}
...

  2. Apply the changes:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

You can check the object lock deletion using this CLI command:

yc storage bucket get <bucket_name>

Result:

name: my-bucket
folder_id: b1geoelk2fld********
...
object_lock:
  status: OBJECT_LOCK_STATUS_DISABLED

To disable object lock for a bucket, use theputObjectLockConfiguration S3 API method, update REST API method for the Bucket resource, or the BucketService/Update gRPC API call.

In the request body, send the object lock parameter with an empty value:

  • ObjectLockConfiguration: For S3 API.
  • objectLock: For REST API.
  • object_lock: For gRPC API.

Example of the HTTP request body for S3 API:

<ObjectLockConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/" />
Previous
Enabling logging
Next
Bucket label management