Accessing a bucket using Security Token Service
With Security Token Service, you can get temporary keys for limited access to Yandex Object Storage buckets.
Temporary access keys as an authentication method are only supported in Object Storage.
You must have at least the following roles:
- To create a service account and get access keys for it: `iam.serviceAccounts.admin` for a folder. If you want to use an existing service account, the `iam.serviceAccounts.admin` role for that service account will be enough.
- To assign the required role to the service account: `storage.admin` for a bucket or folder. Alternatively, you can use the `FULL_CONTROL` permission in the bucket's ACL.
If you have a primitive admin role for a folder, you do not need to assign any additional roles.
To get a temporary access key:
- Create a service account. You can also use an existing service account.
- Assign the required role, e.g., `storage.viewer`, to the service account for the bucket or folder you want to access with a temporary key.
  Note: Assign a role for a folder if you want the service account to have access to all buckets in that folder. The selected role must include all the permissions you want to grant using temporary keys.
  Tip: If a service account has Object Storage roles for a folder, users with temporary keys will get view access to buckets in that folder. We recommend assigning service account roles for specific buckets rather than for a folder. Alternatively, you can use ACL permissions for a bucket.
- Create a static access key for the service account.
- Install and configure the AWS Command Line Interface (AWS CLI).
- Describe the access policy configuration as a data schema in JSON format.
  Temporary Security Token Service keys inherit the access permissions of the service account but are limited by the bucket-level access policy. If the temporary key's access policy allows operations the service account has no permissions for, those operations will not be performed.
  Policy example. This policy allows a temporary key user to get objects from the specified bucket prefix:
  ```json
  {
    "Version": "2012-10-17",
    "Statement": {
      "Sid": "all",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/<prefix>"
    }
  }
  ```
  Where:
  - `Version`: (Optional) Version of the access policy description, e.g., `2012-10-17`.
  - `Statement`: Bucket policy rules:
    - `Sid`: (Optional) Custom rule ID, e.g., `all`, `Statement Allow`, or `Statement Deny`.
    - `Effect`: Denies or allows the requested action. The possible values are `Allow` and `Deny`.
    - `Principal`: The only possible value is `*`. This parameter is required for compatibility with the AWS S3 API.
    - `Action`: Action to perform when the policy is triggered, e.g., `s3:GetObject`, `s3:PutObject`, or `*`.
    - `Resource`: Resource to perform the action with. The possible values are:
      - `arn:aws:s3:::<bucket_name>`: Bucket.
      - `arn:aws:s3:::<bucket_name>/<object_key>`: Bucket object.
      - `arn:aws:s3:::<bucket_name>/<prefix>*`: All objects in the bucket whose keys start with the prefix, e.g., `arn:aws:s3:::samplebucket/some/path/*`. The prefix can be empty, e.g., `arn:aws:s3:::samplebucket/*`, in which case the rule applies to all objects in the bucket.
      A bucket resource does not include the resources of its objects. To make a bucket policy rule refer to both the bucket and all of its objects, specify them as separate resources, e.g., `arn:aws:s3:::samplebucket` and `arn:aws:s3:::samplebucket/*`.
  If you apply an access policy without rules when creating temporary access keys, access by the temporary key will be denied.
  Once complete, save the configuration to a file named `policy.json`.
  Warning: Access is checked against the object ACL after the Security Token Service policy has been checked. Therefore, if the service account through which you obtain temporary access keys has ACL permissions configured for objects in the bucket, those objects will be available to requests made with the temporary access key, regardless of the specified policy. For more information, see how access management works in Object Storage.
- Get a temporary access key:
  AWS CLI
  Run this command:
  ```bash
  aws --endpoint https://sts.yandexcloud.net/ sts assume-role \
    --role-arn <description> \
    --role-session-name <key_name> \
    --duration-seconds <key_lifetime> \
    --policy file://policy.json
  ```
  Where:
  - `--endpoint`: Security Token Service endpoint.
  - `--role-arn`: Description of at least 20 characters. You can use Latin letters, numbers, `_`, and `-`.
  - `--role-session-name`: Unique key name. You can use Latin letters, numbers, `_`, and `-`.
  - `--duration-seconds`: Key lifetime in seconds; it cannot exceed `43200`.
  - `--policy file://`: Path to the access policy file.
  For more information about the `aws sts assume-role` command, see the AWS documentation.
  Result:
  ```json
  {
    "Credentials": {
      "AccessKeyId": "YCAJEkNuezZyt4b**********",
      "SecretAccessKey": "YCMUWwxFAnZ**********...",
      "SessionToken": "s1.9euelZqPjcj**********...",
      "Expiration": "2024-02-29T23:30:53+00:00"
    },
    "AssumedRoleUser": {
      "Arn": "a1234567891234567890/test-2"
    },
    "PackedPolicySize": 0,
    "SourceIdentity": ""
  }
  ```
  Where:
  - `AccessKeyId`: Key ID (same as the static key ID).
  - `SecretAccessKey`: Secret key.
  - `SessionToken`: Session token.
  Save these parameters.
- Add the resulting temporary access key parameters to the environment variables of the user to whom you want to grant access to the bucket:
  ```bash
  export AWS_ACCESS_KEY_ID=<key_ID>
  export AWS_SECRET_ACCESS_KEY=<secret_key>
  export AWS_SESSION_TOKEN=<session_token>
  ```
- To test access to the bucket, download an object from the prefix you were granted access to onto the client device:
  AWS CLI
  ```bash
  aws --endpoint https://storage.yandexcloud.net s3 cp \
    s3://<bucket_name>/<prefix><object_name> ./
  ```
  Result:
  ```
  download: s3://<bucket_name>/<prefix><object_name> to ./<object_name>
  ```
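The procedure above as one Python script, added here as an example; it is not code from the Yandex Cloud documentation or from the AWS CLI project. It builds the prefix-scoped policy, lets you check what a policy would permit before requesting a key (including the two points the page stresses: a bucket ARN never covers the bucket's objects, and an empty `Statement` denies everything), validates the `assume-role` parameters against the limits stated on the page, and turns the CLI result into the three `export` lines. All function names (`build_policy`, `is_allowed`, `assume_role_command`, `credentials_to_env`, `export_lines`) are the example's own; the evaluator is a simplified model of policy evaluation (wildcard `*` matching, explicit Deny wins, default deny) and not Object Storage's implementation; the page gives only the upper bound for `--duration-seconds`, so the lower bound of 1 is an assumption; the sample result JSON used in the test is constructed.

```python
"""Added example (not from the Yandex Cloud docs): build the STS policy, check what it
permits, validate the assume-role parameters and map the CLI result to env exports."""
import json
import re
import shlex
import subprocess

STS_ENDPOINT = "https://sts.yandexcloud.net/"
MAX_DURATION = 43200  # upper limit for --duration-seconds stated on the page
# Allowed characters for --role-arn and --role-session-name per the page
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def build_policy(bucket, prefix, actions=("s3:GetObject",), sid="all"):
    """Policy allowing `actions` on every object under `prefix` in `bucket`.
    Note the trailing '*': without it only the object whose key equals `prefix` matches."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": "*",
            "Action": list(actions),
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


def _wildcard_match(pattern, value):
    """'*' in an Action or Resource matches any run of characters; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, resource_arn):
    """Simplified evaluator (assumption, not the service's own logic): deny by default,
    an explicit Deny wins over Allow. A bare bucket ARN never matches an object ARN."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # the page's example uses a single object
        statements = [statements]
    allowed = False
    for st in statements:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(_wildcard_match(a, action) for a in actions):
            continue
        if not any(_wildcard_match(r, resource_arn) for r in resources):
            continue
        if st["Effect"] == "Deny":
            return False
        if st["Effect"] == "Allow":
            allowed = True
    return allowed


def assume_role_command(role_arn, session_name, duration, policy_path="policy.json"):
    """argv for `aws sts assume-role` against the Yandex STS endpoint, after checking
    the constraints the page states (>= 20 chars, charset, lifetime <= 43200 s)."""
    if len(role_arn) < 20 or not NAME_RE.match(role_arn):
        raise ValueError("--role-arn must be at least 20 characters of [A-Za-z0-9_-]")
    if not NAME_RE.match(session_name):
        raise ValueError("--role-session-name may contain only [A-Za-z0-9_-]")
    if not 1 <= duration <= MAX_DURATION:  # lower bound of 1 is an assumption
        raise ValueError(f"--duration-seconds must be between 1 and {MAX_DURATION}")
    return ["aws", "--endpoint", STS_ENDPOINT, "sts", "assume-role",
            "--role-arn", role_arn, "--role-session-name", session_name,
            "--duration-seconds", str(duration), "--policy", f"file://{policy_path}"]


def credentials_to_env(result_json):
    """Map the assume-role result to the three AWS_* variables the S3 client reads."""
    creds = json.loads(result_json)["Credentials"]
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}


def export_lines(env):
    """Shell `export` lines, quoted so a token with special characters survives `eval`."""
    return "\n".join(f"export {k}={shlex.quote(v)}" for k, v in env.items())


if __name__ == "__main__":
    # Requires a configured AWS CLI with the service account's static key.
    policy = build_policy("samplebucket", "some/path/")
    with open("policy.json", "w") as fh:
        json.dump(policy, fh, indent=2)
    cmd = assume_role_command("temp-access-for-samplebucket", "reader-1", 3600)
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    print(export_lines(credentials_to_env(out)))  # eval "$(python3 sts_key.py)"
```

Running `is_allowed` before requesting the key is the cheap way to catch the two mistakes the page warns about: a policy whose `Resource` is the bare bucket ARN grants nothing on objects, and a policy with no rules denies every request.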