Disabling static keys for access to a bucket
Object Storage incorporates several access management mechanisms. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.
By default, one can access a bucket using static access keys. You can disable this access option to only allow access with an IAM token or anonymous access, if enabled in the bucket settings.
Note
Once disabled, access with static keys will be denied to all tools using this access option: the AWS CLI, SDK, and third-party applications. Access via ephemeral keys, temporary Security Token Service access keys, and pre-signed URLs will also be terminated.
The minimum required role to disable access with static keys is storage.admin. For more information, see the role description.
To disable bucket access with static keys, follow these steps:
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
-
See the description of the CLI command for updating a bucket:
yc storage bucket update --help -
Get a list of buckets in the default folder:
yc storage bucket listResult:
+------------------+----------------------+-------------+-----------------------+---------------------+ | NAME | FOLDER ID | MAX SIZE | DEFAULT STORAGE CLASS | CREATED AT | +------------------+----------------------+-------------+-----------------------+---------------------+ | first-bucket | b1gmit33ngp6******** | 10737418240 | STANDARD | 2025-11-20 09:45:36 | +------------------+----------------------+-------------+-----------------------+---------------------+ -
Save the
NAMEof the bucket for which you want to disable access with static keys. -
Disable using static keys for bucket access:
yc storage bucket update \ --name <bucket_name> \ --disable-statickey-auth trueWhere:
--name: Name of the bucket for which you need to disable access with static keys.--disable-statickey-auth: Flag to disable access with static keys. It can either betrueorfalse.
Result:
name: first-bucket folder_id: b1gmit33ngp6******** default_storage_class: STANDARD versioning: VERSIONING_DISABLED max_size: "53687091200" acl: {} created_at: "2022-12-16T13:58:18.933814Z" disabled_statickey_auth: true
To disable bucket access with static keys, use the update REST API method for the Bucket resource or the BucketService/Update gRPC API call.
Run this query:
curl -X PATCH \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <IAM_token>" \
-d '{
"updateMask":"disabledStatickeyAuth",
"disabledStatickeyAuth":true
}' \
"https://storage.api.cloud.yandex.net/storage/v1/buckets/first-bucket"
Where:
<bucket_name>: Name of the bucket for which you need to disable access with static keys.<IAM_token>: IAM token of the user with thestorage.adminrole for the bucket.
Result:
{
"done": true,
"metadata": {
"@type": "type.googleapis.com/yandex.cloud.storage.v1.UpdateBucketMetadata",
"name": "first-bucket"
},
"response": {
"@type": "type.googleapis.com/yandex.cloud.storage.v1.Bucket",
"acl": {},
"disabledStatickeyAuth": true,
"name": "first-bucket",
"folderId": "b1g07hj5r6i4********",
"defaultStorageClass": "STANDARD",
"versioning": "VERSIONING_DISABLED",
"maxSize": "53687091200",
"createdAt": "2025-11-20T09:45:36.230463Z",
"resourceId": "e3eruofcbqc2********"
},
"id": "e3enqoaug76p********",
"description": "update bucket",
"createdAt": "2025-12-22T20:47:01.424654Z",
"createdBy": "ajeb9l33h6mu********",
"modifiedAt": "2025-12-22T20:47:01.424654Z"
}
Follow the status of the operation by the done field.