Accessing a bucket using Security Token Service

With Security Token Service, you can get temporary keys for limited access to Yandex Object Storage buckets.

Temporary access keys as an authentication method are only supported in Object Storage.

You must have at least the following roles:

• To create a service account and get access keys for it: iam.serviceAccounts.admin for a folder. If you want to use an existing service account, the iam.serviceAccounts.admin role to that service account will be sufficient.
• To assign the required role to the service account: storage.admin for a bucket or folder. Alternatively, you can use the FULL_CONTROL permission in the bucket's ACL.

If you have a primitive admin role for a folder, you do not need to assign any additional roles.

To get a temporary access key:

1. Create a service account. You can also use an existing service account.

2. Assign the service account the required role, such as storage.viewer, for the bucket or folder you want to access with a temporary key.

   Note

   Assign a role for a folder if you want to have access to all buckets in the folder using a service account.

   The selected role must include all the permissions you want to grant using temporary keys.

   Alternatively, you can use ACL permissions for a bucket.

3. Create a static access key for the service account.

4. Install and configure the AWS Command Line Interface (AWS CLI).

5. Describe the access policy configuration as a data schema in JSON format.

   Temporary Security Token Service keys inherit the access permissions of the service account, but are limited by the access policy. If you set the access policy for a temporary key to allow operations that are not allowed for a service account, such operations will not be performed.

   Policy example

   This policy allows a temporary key user to get objects from the specified bucket prefix:

   {
     "Version": "2012-10-17",
     "Statement": {
       "Sid": "all",
       "Effect": "Allow",
       "Principal": "*",
       "Action": "s3:GetObject",
       "Resource": "arn:aws:s3:::<bucket_name>/<prefix>"
     }
   }
   

   Where:

   • Version: Optionally, specify the version of the access policy description, e.g., 2012-10-17.

   • Statement: Access policy rules:

     • Sid: Optionally, specify custom rule ID, e.g.: all, Statement Allow, Statement Deny.
     • Effect: Deny or allow the requested action. The possible values are Allow and Deny.
     • Principal: The only possible value is *. This parameter is required for compatibility with AWS S3 API.
     • Action: Action to perform when the policy is triggered, e.g.: s3:GetObject, s3:PutObject, *.
     • Resource: Resource to perform the action with. The possible values are:

       • arn:aws:s3:::<bucket_name>: Bucket.

       • arn:aws:s3:::<bucket_name>/<object_key>: Bucket object.

       • arn:aws:s3:::<bucker_name>/<prefix>*: All objects in the bucket whose keys start with a prefix, e.g., arn:aws:s3:::samplebucket/some/path/*. A prefix can be empty, e.g., arn:aws:s3:::samplebucket/*; in this case, the rule will apply to all bucket objects.

         A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all objects, specify them as separate resources, e.g., arn:aws:s3:::samplebucket and arn:aws:s3:::samplebucket/*.

     If you apply an access policy without rules when creating temporary access keys, access by temporary key will be denied.

   Once complete, save the configuration to a file named policy.json.

   Warning

   The access is checked by object ACL after checking the Security Token Service policy. Therefore, if the service account through which you obtain temporary access keys has ACL permissions configured for objects in the bucket, those objects will become available for temporary access key requests, regardless of the specified policy. For more information, see how the access management works in Object Storage.

6. Get a temporary access key:

   AWS CLI

   Run this command:

   aws --endpoint https://sts.yandexcloud.net/ sts assume-role \
     --role-arn <description> \
     --role-session-name <key_name> \
     --duration-seconds <key_time_to_live> \
     --policy file://policy.json
   

   Where:

   • --endpoint: Security Token Service endpoint.
   • --role-arn: Description of at least 20 characters. You can use Latin characters, numbers, _ and -.
   • --role-session-name: Unique key name. You can use Latin characters, numbers, _ and -.
   • --duration-seconds: Key time-to-live in seconds, which must not be more than 43200.
   • --policy file://: Path to the access policy file.

   For more information about the aws sts assume-role command, see the AWS documentation.

   Result:

   {
       "Credentials": {
           "AccessKeyId": "YCAJEkNuezZyt4b**********",
           "SecretAccessKey": "YCMUWwxFAnZ**********...",
           "SessionToken": "s1.9euelZqPjcj**********...",
           "Expiration": "2024-02-29T23:30:53+00:00"
       },
       "AssumedRoleUser": {
           "Arn": "a1234567891234567890/test-2"
       },
       "PackedPolicySize": 0,
       "SourceIdentity": ""
   }
   

   Where:

   • AccessKeyId: Key ID (matches the static key ID).
   • SecretAccessKey: Secret key.
   • SessionToken: Session token.

   Save these parameters.

7. Add the resulting temporary access key parameters to the environment variables for the user to whom you want to grant access permissions to the bucket:

   export AWS_ACCESS_KEY_ID=<key_ID>
   export AWS_SECRET_ACCESS_KEY=<secret_key>
   export AWS_SESSION_TOKEN=<session_token>
   

8. To test access to a bucket, save the object from the prefix of the bucket that was accessed to the client device:

   AWS CLI

   aws --endpoint https://storage.yandexcloud.net s3 cp \
     s3://<bucket_name>/<prefix><object_name> ./
   

   Result:

   download: s3://<bucket_name>/<prefix><object_name> to ./<object_name>
   

See alsoSee also

• Access management methods in Object Storage: Overview