Creating a bucket

Written by

Yandex Cloud

Updated at May 13, 2025

To create a bucket, you need the minimum storage.editor role for the folder.

Management console

Yandex Cloud CLI

AWS CLI

Terraform

API

In the management console, select the folder where you want to create a bucket.
Select Object Storage.
In the top panel, click Create bucket.
On the bucket creation page:
1. Enter a name for the bucket consistent with the naming requirements.
  
  By default, a bucket with a dot in the name is only available over HTTP. To provide HTTPS support for your bucket, upload your own security certificate to Object Storage.
2. Add labels, if required:
  1. Click Add label.
  2. Enter a label in key: value format.
  3. Press Enter.
3. Limit the maximum bucket size, if required.
  
  If the value is 0, the size is not limited. It is similar to the enabled No limit option.
4. Configure public access to read objects in the bucket, get a list of objects, and read bucket settings:
  - Restricted: Authorized Yandex Cloud users only.
  - Public: All users.
  Warning
  
  Public access is granted to an unlimited number of anonymous users. Use it only when other access grant mechanisms are not available.
5. Select the default storage class:
  - Standard.
  - Cold.
  - Ice.
  "Cold" classes are for long-term storage of objects you intend to use less frequently. The "colder" the storage, the cheaper it is to store data in, but the more expensive it is to read from and write to it.
6. Enable encryption if you need to: in the KMS Key field, select an existing symmetric key or create a new one.
7. Click Create bucket to complete the operation.

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

View the description of the CLI command to create a bucket:
```
yc storage bucket create --help
```
Create a bucket in the default folder:
```
yc storage bucket create --name <bucket_name>
```
Where --name is the name of the bucket. This is a required parameter. For more information, see Bucket naming rules.

By default, a bucket with a dot in the name is only available over HTTP. To provide HTTPS support for your bucket, upload your own security certificate to Object Storage.

Result:
```
name: example
folder_id: b1gmit33ngp6********
anonymous_access_flags:
read: false
list: false
default_storage_class: STANDARD
versioning: VERSIONING_DISABLED
max_size: "53687091200"
acl: {}
created_at: "2022-12-16T14:05:12.196007Z"
```
Optional parameters
- --default-storage-class: Storage class. The possible values are:
- standard: Standard storage. It is installed by default.
- cold: Cold storage.
- ice: Ice storage.
Cold classes are designed to store objects that you plan to use less frequently for longer periods of time. The colder the storage, the cheaper it is to store data in, but the more expensive it is to read from and write to it.
- --max-size: Maximum bucket size, in bytes. The default value is 0 (unlimited).
- Parameters for enabling public access to a bucket:
- --public-read: Enables public read access to bucket objects.
- --public-list: Enables public view access to the list of bucket objects.
- --public-config-read: Enables public read access to bucket settings.
By default, public access to the bucket is disabled.

Warning

Public access is granted to an unlimited number of anonymous users. Use it only when other access grant mechanisms are not available.
- Parameters to configure the bucket ACL:
- --acl: Predefined ACL. For a list of possible values, see Predefined ACLs. You cannot use this parameter together with --grants.
- --grants: This parameter configures permissions for individual users, service accounts, user groups, and public groups (a group of all internet users or a group of all authenticated Yandex Cloud users). You cannot use this parameter together with --acl. The parameter value is specified in the following format: grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=<permission_type>, where:
  - grant-type: Permission grantee type. The possible values are:
  - grant-type-account: User, service account, or user group.
  - grant-type-all-authenticated-users: Public group that includes all authenticated Yandex Cloud users.
  - grant-type-all-users: Public group that includes all internet users.
  - grantee-id: ID of the user, service account, or user group you need to grant a permission to. It is specified only if grant-type=grant-type-account.
  - permission: ACL permission type. The possible values are permission-full-control, permission-write, and permission-read. Learn more about permissions in Permission types.
  To configure multiple permissions, specify the --grants parameter multiple times.
By default, an empty ACL is created for each new bucket.
Learn more about the yc storage bucket create command in the YC CLI reference.

If you do not have the AWS CLI yet, install and configure it.

To create a bucket, assign the storage.editor role to the service account used by the AWS CLI.

In the terminal, run this command:

aws s3api create-bucket \
  --endpoint-url=https://storage.yandexcloud.net \
  --bucket <bucket_name>

Where:

--endpoint-url: Object Storage endpoint.
--bucket: Bucket name.

Note

By default, a bucket with a dot in the name is only available over HTTP. To provide HTTPS support for your bucket, upload your own security certificate to Object Storage. For more information, see Bucket naming rules.

Result:

{
  "Location": "/<bucket_name>"
}

The new bucket will have the following parameters:

Maximum size unlimited.
Limited access to read objects, get a list of objects, and read bucket setting.
Storage class: Standard.

Optional parameters

You can apply a predefined ACL to a bucket or configure permissions for individual users, service accounts, user groups, and public groups, such as a group of all internet users or a group of all authenticated Yandex Cloud users. You cannot use these settings together: a bucket can have either a predefined ACL or individual permissions.

Note

To manage bucket ACL settings, assign the storage.admin role to the service account used by the AWS CLI.

Predefined ACL

aws s3api create-bucket \
  --endpoint-url=https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --acl <predefined_ACL>

Where --acl is a predefined ACL. For a list of values, see Predefined ACLs.

Individual permissions

aws s3api create-bucket \
  --endpoint-url=https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  <permission_type> <permission_grantee>

Where:

The possible types of ACL permissions are as follows:
- --grant-read: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, and static hosting), and read all objects in the bucket.
- --grant-write: Permission to write, overwrite, and delete objects in the bucket. It can only be used together with --grant-read.
- --grant-full-control: Full access to the bucket and objects in it.
You can specify multiple permissions in a single command.
The possible permission grantees are as follows:
- id=<grantee_ID>: ID of the user, service account, or user group you need to grant a permission to.
- uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers: Public group that includes all authenticated Yandex Cloud users.
- uri=http://acs.amazonaws.com/groups/global/AllUsers: Public group that includes all internet users.

By default, an empty ACL is created for each new bucket.

For more information about the aws s3api create-bucket command, see the AWS documentation.

Note

Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

By default, Terraform uses an IAM token for authentication in Object Storage. In addition to an IAM token, you can use a service account and static access keys for authentication in Object Storage. For more information about Terraform authentication in Object Storage, see this provider article.

Creating a bucket using an IAM token

Get the authentication credentials and add them to environment variables.
In the configuration file, describe the resources you want to create:
```
# Creating a bucket using an IAM token

resource "yandex_storage_bucket" "iam-bucket" {
  bucket    = "<bucket_name>"
  folder_id = "<folder_ID>"
}
```
Where:
- bucket: Bucket name. This is a required setting.
  
  By default, a bucket with a dot in the name is only available over HTTP. To provide HTTPS support for your bucket, upload your own security certificate to Object Storage.
- folder_id: Folder ID
  
  If using a user account IAM token, specify folder_id in the yandex_storage_bucket resource.
  
  If using an IAM token of a service account or static access keys, you do not have to specify folder_id. You will only need it to create a resource in a folder other than the service account folder.
For more information about yandex_storage_bucket settings, see this Terraform article.
Create the resources:
1. In the terminal, change to the folder where you edited the configuration file.
2. Make sure the configuration file is correct using the command:
```
terraform validate
```
  If the configuration is correct, the following message is returned:
```
Success! The configuration is valid.
```
3. Run the command:
```
terraform plan
```
  The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
4. Apply the configuration changes:
```
terraform apply
```
5. Confirm the changes: type yes in the terminal and press Enter.

Terraform will create all required resources. You can check the new resources and their settings using the management console.

Creating a bucket using a static key

In the configuration file, describe the resources you want to create:

Creating a bucket using a key

terraform {
  required_providers {
    yandex = {
      source = "yandex-cloud/yandex"
    }
  }
  required_version = ">= 0.13"
}

# Configuring a provider

provider "yandex" {
  token     = "<IAM_or_OAuth_token>"
  cloud_id  = "<cloud_ID>"
  folder_id = "<folder_ID>"
  zone      = "ru-central1-a"
}

# Creating a service account

resource "yandex_iam_service_account" "sa" {
  name = "<service_account_name>"
}

# Assigning roles to a service account

resource "yandex_resourcemanager_folder_iam_member" "sa-admin" {
  folder_id = "<folder_ID>"
  role      = "storage.admin"
  member    = "serviceAccount:${yandex_iam_service_account.sa.id}"
}

# Creating a static access key

resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
  service_account_id = yandex_iam_service_account.sa.id
  description        = "static access key for object storage"
}

# Creating a bucket using a static key

resource "yandex_storage_bucket" "test" {
  access_key            = yandex_iam_service_account_static_access_key.sa-static-key.access_key
  secret_key            = yandex_iam_service_account_static_access_key.sa-static-key.secret_key
  bucket                = "<bucket_name>"
  max_size              = <maximum_bucket_size>
  default_storage_class = "<storage_class>"
  anonymous_access_flags {
    read        = <true|false>
    list        = <true|false>
    config_read = <true|false>
  }
  tags = {
    <key_1> = "<value_1>"
    <key_2> = "<value_2>"
    ...
    <key_n> = "<value_n>"
  }
}

Where:

yandex_iam_service_account: Description of the service account to create and use the bucket:
- name: Service account name. This is a required setting.
- bucket: Bucket name.
  
  By default, a bucket with a dot in the name is only available over HTTP. To provide HTTPS support for your bucket, upload your own security certificate to Object Storage.
- max_size: Maximum bucket size, in bytes. The default value is 0, unlimited.
- default_storage_class: Storage class. The possible values are:
  - standard: Standard storage. Default value.
  - cold: Cold storage.
  - ice: Ice storage.
  Cold classes are designed to store objects that you plan to use less frequently for longer periods of time. The colder your storage is, the less you pay for storing data; however, the costs of reading and writing data increase.
- anonymous_access_flags: Access settings:
  - read: Public read access to bucket objects.
  - list: Public view access to the list of bucket objects.
  - config_read: Public read access to bucket settings. Disabled by default.
- tags: Bucket labels in key = "value" format.

For more information about yandex_storage_bucket settings, see this Terraform article.

Create the resources:
1. In the terminal, change to the folder where you edited the configuration file.
2. Make sure the configuration file is correct using the command:
```
terraform validate
```
  If the configuration is correct, the following message is returned:
```
Success! The configuration is valid.
```
3. Run the command:
```
terraform plan
```
  The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
4. Apply the configuration changes:
```
terraform apply
```
5. Confirm the changes: type yes in the terminal and press Enter.

Terraform will create all required resources. You can check the new resources and their configuration using the management console.

To create a bucket, use the create REST API method for the Bucket resource, the BucketService/Create gRPC API call, or the create S3 API method.

Creating a bucket

See also

Was the article helpful?