© 2025 Direct Cursus Technology L.L.C.

Editing a bucket ACL

Written by
Yandex Cloud
Improved by
Tania L.
Updated at December 3, 2025

Object Storage incorporates several access management mechanisms. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.

Note

If your bucket already has a configured ACL, it will be completely overwritten once you apply the changes.

Management console
  1. In the management console, select a folder.

  2. Go to Object Storage.

  3. In the bucket row, click and select Configure ACL.

    Alternatively, you can click the bucket name, then, on the page that opens, click at the top right and select Configure ACL.

    In the ACL editing window that opens, grant or revoke the relevant permissions:

    1. Select the subjects you need from the list. To do this, place the cursor in the subject input field, then select the required user, service account, user group, system group, or public group in the form that appears. If required, use the relevant tabs in the form or the search bar to find a subject by name or email address.

      To grant permissions for multiple subjects at the same time, select them one by one.

    2. Specify the relevant permission type for the selected subjects and click Add.

    3. To grant different types of permission to subjects, repeat the two previous steps.

    4. To revoke a subject's permission, click Cancel in the permission row.

    5. Click Save.

    Note

    In the management console, you can only grant permissions to service accounts created in the same folder as the bucket. You can grant permissions to service accounts belonging to other folders using the Yandex Cloud CLI (only for ACL buckets), AWS CLI, Terraform, or API.

Yandex Cloud CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

You can apply a predefined ACL to a bucket or configure permissions for individual users, service accounts, user groups, and public groups (all internet users, all authenticated Yandex Cloud users). You cannot use these settings together: a bucket can have either a predefined ACL or individual permissions.

You can edit a bucket's ACL using the following commands:

  • yc storage bucket update
  • yc storage s3api put-bucket-acl

yc storage bucket update

Before configuring an ACL, see the description of the CLI command for editing a bucket:

yc storage bucket update --help

To view the current ACL of a bucket, run this command:

yc storage bucket get <bucket_name> --with-acl

Predefined ACL

Run this command:

yc storage bucket update \
  --name <bucket_name> \
  --acl <predefined_ACL>

Where:

  • --name: Bucket name.
  • --acl: Predefined ACL. To view a list of values, see Predefined ACLs.

Result:

name: my-bucket
folder_id: csgeoelk7fl1********
default_storage_class: STANDARD
versioning: VERSIONING_DISABLED
max_size: "1073741824"
acl:
  grants:
    - permission: PERMISSION_READ
      grant_type: GRANT_TYPE_ALL_USERS
created_at: "2022-12-14T19:10:05.957940Z"

Setting up individual permissions

  1. To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:

    • User.
    • Service account.
    • User group: Navigate to the Groups tab in the Cloud Center interface.
  2. Run this command:

    yc storage bucket update --name <bucket_name> \
      --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=<permission_type>
    

    Where:

    • grant-type: Permission grantee type. The possible values are:

      • grant-type-account: User, service account, or user group.
      • grant-type-all-authenticated-users: Public group that includes all authenticated Yandex Cloud users.
      • grant-type-all-users: Public group that includes all internet users.
    • grantee-id: ID of the user, service account, or user group you need to grant a permission to. It is specified only if grant-type=grant-type-account.

    • permission: ACL permission type. The possible values are:

      • permission-read: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, and static hosting), and read all objects in the bucket.
      • permission-write: Permission to write, overwrite, and delete objects in the bucket. It can only be used together with permission-read.
      • permission-full-control: Full access to the bucket and objects in it.

      For more information about permissions, see Permission types.

    To configure multiple permissions, specify the --grants parameter multiple times. For example, to grant a write permission for a bucket, run this command:

    yc storage bucket update --name <bucket_name> \
      --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=permission-read \
      --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=permission-write
    

yc storage s3api put-bucket-acl

View the bucket's current ACL:

yc storage s3api get-bucket-acl \
  --bucket <bucket_name>

Where --bucket is the bucket name.

Predefined ACL

Run this command:

yc storage s3api put-bucket-acl \
  --bucket <bucket_name> \
  --acl <predefined_ACL>

Where:

  • --bucket: Bucket name.
  • --acl: Predefined ACL. For the list of values, see Predefined ACLs.

Setting up individual permissions

  1. To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:

    • User.
    • Service account.
    • User group: Navigate to the Groups tab in the Cloud Center interface.
  2. Run this command:

    yc storage s3api put-bucket-acl \
      --bucket <bucket_name> \
      <permission_type> <permission_grantee>
    

    Where:

    • --bucket: Bucket name.

    • The possible types of ACL permissions are as follows:

      • --grant-read: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, and static hosting), and read all objects in the bucket.
      • --grant-write: Permission to write, overwrite, and delete objects in the bucket. It can only be used together with --grant-read.
      • --grant-full-control: Full access to the bucket and objects in it.

      For more information about permissions, see Permission types.

    • The possible permission grantees are as follows:

      • id=<grantee_ID>: ID of the user, service account, or user group you need to grant a permission to.
      • uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers: Public group that includes all authenticated Yandex Cloud users.
      • uri=http://acs.amazonaws.com/groups/global/AllUsers: Public group that includes all internet users.

    To configure multiple permissions, specify a permission type together with its permission grantee once for each permission. For example, to grant a write permission for a bucket, run this command:

    yc storage s3api put-bucket-acl \
      --bucket <bucket_name> \
      --grant-read id=<grantee_ID> \
      --grant-write id=<grantee_ID>
    

AWS CLI

If you do not have the AWS CLI yet, install and configure it.

Note

To manage bucket ACL settings, assign the storage.admin role to the service account used by the AWS CLI.

View the bucket's current ACL:

aws s3api get-bucket-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name>

Where:

  • --bucket: Bucket name.
  • --endpoint: Object Storage endpoint.

You can apply a predefined ACL to a bucket or configure permissions for individual users, service accounts, user groups, and public groups (all internet users, all authenticated Yandex Cloud users). You cannot use these settings together: a bucket can have either a predefined ACL or individual permissions.

Predefined ACL

Run this command:

  aws s3api put-bucket-acl \
    --endpoint https://storage.yandexcloud.net \
    --bucket <bucket_name> \
    --acl <predefined_ACL>

Where:

  • --endpoint: Object Storage endpoint.
  • --bucket: Bucket name.
  • --acl: Predefined ACL. For the list of values, see Predefined ACLs.

Setting up individual permissions

  1. To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:

    • User.
    • Service account.
    • User group: Navigate to the Groups tab in the Cloud Center interface.
  2. Run this command:

    aws s3api put-bucket-acl \
      --endpoint https://storage.yandexcloud.net \
      --bucket <bucket_name> \
      <permission_type> <permission_grantee>
    

    Where:

    • --bucket: Bucket name.

    • --endpoint: Object Storage endpoint.

    • The possible types of ACL permissions are as follows:

      • --grant-read: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, and static hosting), and read all objects in the bucket.
      • --grant-write: Permission to write, overwrite, and delete objects in the bucket. It can only be used together with --grant-read.
      • --grant-full-control: Full access to the bucket and objects in it.

      For more information about permissions, see Permission types.

    • The possible permission grantees are as follows:

      • id=<grantee_ID>: ID of the user, service account, or user group you need to grant a permission to.
      • uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers: Public group that includes all authenticated Yandex Cloud users.
      • uri=http://acs.amazonaws.com/groups/global/AllUsers: Public group that includes all internet users.

    To configure multiple permissions, specify a permission type together with its permission grantee once for each permission. For example, to grant a write permission for a bucket, run this command:

    aws s3api put-bucket-acl \
      --endpoint https://storage.yandexcloud.net \
      --bucket <bucket_name> \
      --grant-read id=<grantee_ID> \
      --grant-write id=<grantee_ID>
    
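The get-bucket-acl commands above (yc storage s3api get-bucket-acl and aws s3api get-bucket-acl) and yc storage bucket get --with-acl return the same grants in two shapes. The script below is an added example, not Yandex Cloud tooling: it normalises both JSON shapes into one grantee-to-permissions model and reports the two things this guide's rules make worth checking after an ACL change, a grant to a public group (all internet users or all authenticated users) and a WRITE grant without the READ it must be paired with. It assumes yc is run with --format json (the guide shows the YAML form); the yc enum names GRANT_TYPE_ACCOUNT and GRANT_TYPE_ALL_AUTHENTICATED_USERS and the grantee_id key are assumptions modelled on the CLI flag values, and both sample documents are constructed with placeholder IDs.

```python
"""Audit a bucket ACL for public and malformed grants (added example, not
Yandex Cloud tooling). Accepts the JSON returned by
  yc storage bucket get <bucket_name> --with-acl --format json
  aws s3api get-bucket-acl --endpoint https://storage.yandexcloud.net --bucket <bucket_name>
normalises both into {grantee: {permissions}} and applies the guide's rules."""
import json

# The S3 public-group URIs are quoted in the guide. The yc enum names below are
# ASSUMED to mirror the CLI values grant-type-all-users / -all-authenticated-users;
# GRANT_TYPE_ALL_USERS is the one shown in the guide's own output.
S3_PUBLIC = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "all-users",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "all-authenticated-users",
}
YC_PUBLIC = {
    "GRANT_TYPE_ALL_USERS": "all-users",
    "GRANT_TYPE_ALL_AUTHENTICATED_USERS": "all-authenticated-users",
}


def grants_from_yc(doc):
    """yc shape: {"acl": {"grants": [{"permission": ..., "grant_type": ...}]}}."""
    out = {}
    for g in doc.get("acl", {}).get("grants", []):
        # grantee_id is the ASSUMED key carrying the account ID for account grants
        grantee = YC_PUBLIC.get(g.get("grant_type")) or g.get("grantee_id", "?")
        perm = g["permission"].replace("PERMISSION_", "", 1)  # PERMISSION_READ -> READ
        out.setdefault(grantee, set()).add(perm)
    return out


def grants_from_s3(doc):
    """GetBucketAcl shape: {"Grants": [{"Grantee": {...}, "Permission": ...}]}."""
    out = {}
    for g in doc.get("Grants", []):
        who = g["Grantee"]
        grantee = S3_PUBLIC.get(who.get("URI")) or who.get("ID", "?")
        out.setdefault(grantee, set()).add(g["Permission"])
    return out


def audit(grants):
    """Return findings as strings; an empty list means nothing to report."""
    findings = []
    for grantee, perms in sorted(grants.items()):
        if grantee in S3_PUBLIC.values():
            findings.append(f"public grant: {grantee} has {sorted(perms)}")
        if "WRITE" in perms and "READ" not in perms:  # WRITE is only valid with READ
            findings.append(f"WRITE without READ for {grantee}")
    return findings


def audit_file(path):
    """Load a saved JSON document, detect which CLI produced it, and audit it."""
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    return audit(grants_from_s3(doc) if "Grants" in doc else grants_from_yc(doc))


# Constructed sample in the yc shape (mirrors the guide's output; IDs are placeholders)
YC_SAMPLE = json.loads('''{
  "name": "my-bucket",
  "acl": {"grants": [
    {"permission": "PERMISSION_READ", "grant_type": "GRANT_TYPE_ALL_USERS"},
    {"permission": "PERMISSION_WRITE", "grant_type": "GRANT_TYPE_ACCOUNT",
     "grantee_id": "user-id-placeholder"}]}}''')

# Constructed sample in the S3 GetBucketAcl shape
S3_SAMPLE = json.loads('''{
  "Owner": {"ID": "owner-id-placeholder"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "user-id-placeholder"}, "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "user-id-placeholder"}, "Permission": "WRITE"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "FULL_CONTROL"}]}''')

if __name__ == "__main__":
    import sys
    for line in audit(grants_from_yc(YC_SAMPLE)) + audit(grants_from_s3(S3_SAMPLE)):
        print(line)
    for path in sys.argv[1:]:          # e.g. python audit_acl.py acl.json
        print(path, audit_file(path))
```

Save the CLI output to a file and pass it as an argument; with no argument the script audits the two embedded samples, which between them trigger every rule (a public READ, a WRITE without READ, and FULL_CONTROL granted to all authenticated users).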

Terraform

Note

Terraform uses a service account to interact with Object Storage. Assign the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

Before you start, retrieve the static access keys: a secret key and key ID used for Object Storage authentication.

Note

In addition to static access keys, you can use an IAM token for authentication in Object Storage. For more details, see Creating a bucket and the relevant provider documentation.

To edit a bucket ACL, you can use these resources:

  • yandex_storage_bucket_grant
  • yandex_storage_bucket (obsolete)

Warning

You cannot use the yandex_storage_bucket_grant resource if the yandex_storage_bucket_iam_binding resource is simultaneously used to assign primitive roles, such as viewer, editor, or admin for a bucket, or if the acl or grant parameters of the yandex_storage_bucket resource are simultaneously in use.

One yandex_storage_bucket bucket can only be mapped to one yandex_storage_bucket_grant resource. Using multiple resources for a single bucket may lead to configuration errors.

yandex_storage_bucket_grant

  1. In the configuration file, describe the properties of resources you want to create:

    resource "yandex_storage_bucket_grant" "my_bucket_grant" {
      bucket = "<existing_bucket_name>"
      grant {
        id          = "<user_1_ID>"
        permissions = ["READ", "WRITE"]
        type        = "CanonicalUser"
      }
      grant {
        id          = "<user_2_ID>"
        permissions = ["FULL_CONTROL"]
        type        = "CanonicalUser"
      }
      grant {
        uri         = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
        permissions = ["READ"]
        type        = "Group"
      }
    }
    

    Where:

    • bucket: Existing bucket’s name.
    • grant: ACL settings. To manage it, the service account with static access keys must have the storage.admin role for the bucket or folder.
      • type: Permission grantee type. The possible values are:

        • CanonicalUser: For a user, service account, or user group.
        • Group: For a public group.
      • permissions: Type of ACL permissions. It can take the following values:

        • READ: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, and static hosting), and read all objects in the bucket.
        • WRITE: Permission to write, overwrite, and delete objects in the bucket. It can only be used together with READ, e.g., permissions = ["READ", "WRITE"].
        • FULL_CONTROL: Full access to the bucket and objects in it.

        For more information about permissions, see Permission types.

      • id: ID of the user, service account, or user group:

        • User.
        • Service account.
        • User group: Navigate to the Groups tab in the Cloud Center interface.

        It is used with the CanonicalUser type of permission grantee.

      • uri: Public group ID. It is used with the Group type of permission grantee. The possible values are:

        • http://acs.amazonaws.com/groups/global/AllUsers: All internet users.
        • http://acs.amazonaws.com/groups/global/AuthenticatedUsers: All authenticated Yandex Cloud users.

    Instead of grant, you can specify acl, i.e., the predefined ACL of the bucket. The default value is private: Yandex Cloud users get permissions according to their roles in IAM.

    For more information about yandex_storage_bucket_grant properties, see the relevant provider documentation.

  2. If you plan to use the yandex_storage_bucket_iam_binding resource together with yandex_storage_bucket_grant for the same bucket, we recommend creating them sequentially. To do this, add a dependency on the yandex_storage_bucket_grant resource to the yandex_storage_bucket_iam_binding section.

    resource "yandex_storage_bucket_iam_binding" "mybucket-viewers" {
      ...
    
      depends_on = [
        yandex_storage_bucket_grant.my_bucket_grant
      ]
    }
    
  3. Apply the configuration:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

    You can check the resource updates in the management console or using this CLI command:

    yc storage bucket get <bucket_name> --full
    

yandex_storage_bucket (obsolete)

  1. In the configuration file, describe the properties of resources you want to create:

    resource "yandex_storage_bucket" "test" {
      access_key = "<static_key_ID>"
      secret_key = "<secret_key>"
      bucket = "<bucket_name>"
      grant {
        id          = "<user_ID>"
        type        = "CanonicalUser"
        permissions = ["FULL_CONTROL"]
      }
    
      grant {
        type        = "Group"
        permissions = ["READ", "WRITE"]
        uri         = "http://acs.amazonaws.com/groups/global/AllUsers"
      }
    }
    

    Where:

    • access_key: Static access key ID.
    • secret_key: Secret access key value.
    • bucket: Bucket name. This is a required setting.
    • grant: ACL settings. This is an optional setting. To manage it, the service account with static access keys must have the storage.admin role for the bucket or folder.
      • type: Permission grantee type. The possible values are:

        • CanonicalUser: For a user, service account, or user group.
        • Group: For a public group.
      • permissions: Type of ACL permissions. It can take the following values:

        • READ: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, and static hosting), and read all objects in the bucket.
        • WRITE: Permission to write, overwrite, and delete objects in the bucket. It can only be used together with READ, e.g., permissions = ["READ", "WRITE"].
        • FULL_CONTROL: Full access to the bucket and objects in it.

        For more information about permissions, see Permission types.

      • id: ID of the user, service account, or user group:

        • User.
        • Service account.
        • User group: Navigate to the Groups tab in the Cloud Center interface.

        It is used with the CanonicalUser type of permission grantee.

      • uri: Public group ID. It is used with the Group type of permission grantee. The possible values are:

        • http://acs.amazonaws.com/groups/global/AllUsers: All internet users.
        • http://acs.amazonaws.com/groups/global/AuthenticatedUsers: All authenticated Yandex Cloud users.

    Instead of grant, you can specify acl, i.e., the predefined ACL of the bucket. The default value is private: Yandex Cloud users get permissions according to their roles in IAM.

    For more information about yandex_storage_bucket properties, see the relevant provider documentation.

  2. Apply the configuration:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

    You can check the resource updates in the management console or using this CLI command:

    yc storage bucket get <bucket_name> --full
    
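The rules spread across the two Terraform sections above (WRITE only together with READ, id with CanonicalUser and uri with Group, only the two public-group URIs, no acl and grant on the same resource, and one yandex_storage_bucket_grant resource per bucket) are easy to violate in a configuration that terraform validate still accepts. The linter below is an added example, not part of the guide or the Yandex provider: it parses the small HCL subset these sections use (resource blocks, nested grant blocks, key = value lines, one statement per line) and reports each violation before terraform plan. GUIDE_CONFIG is a trimmed copy of the yandex_storage_bucket_grant example above with its placeholders kept; the second resource in BAD_CONFIG is constructed to break several rules at once.

```python
"""Lint the Terraform ACL configuration from this guide (added example, not
part of the guide or the Yandex provider). Parses the HCL subset the guide uses
and checks the stated rules for yandex_storage_bucket_grant and yandex_storage_bucket."""
import re

PUBLIC_URIS = {"http://acs.amazonaws.com/groups/global/" + g for g in ("AllUsers", "AuthenticatedUsers")}
RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{\s*$')
BLOCK_RE = re.compile(r'^\s*(\w+)\s*\{\s*$')          # nested block, e.g. grant {
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')     # key = value


def _value(raw):
    # ["READ", "WRITE"] becomes a list, "x" becomes a str
    return re.findall(r'"([^"]*)"', raw) if raw.startswith("[") else raw.strip('"')


def _parse_block(lines, i):
    """Parse lines[i:] up to the matching '}' (line-based); returns (block, next_index)."""
    block = {"blocks": []}
    while i < len(lines):
        if lines[i].strip() == "}":
            return block, i + 1
        if m := BLOCK_RE.match(lines[i]):
            child, i = _parse_block(lines, i + 1)
            child["_type"] = m.group(1)
            block["blocks"].append(child)
            continue
        if m := ATTR_RE.match(lines[i]):
            block[m.group(1)] = _value(m.group(2))
        i += 1
    raise ValueError("unterminated block")


def parse_resources(hcl):
    """Return [(type, name, body)] for each top-level resource block."""
    lines, i, out = hcl.splitlines(), 0, []
    while i < len(lines):
        if m := RESOURCE_RE.match(lines[i]):
            body, i = _parse_block(lines, i + 1)
            out.append((m.group(1), m.group(2), body))
        else:
            i += 1
    return out


def lint(hcl):
    """Return findings as strings; an empty list means the config passes."""
    findings, owners = [], {}   # owners: bucket -> grant resources that manage it
    for rtype, name, body in parse_resources(hcl):
        if rtype not in ("yandex_storage_bucket_grant", "yandex_storage_bucket"):
            continue
        label = f"{rtype}.{name}"
        grants = [b for b in body["blocks"] if b["_type"] == "grant"]
        if "acl" in body and grants:
            findings.append(f"{label}: acl and grant cannot be combined")
        if rtype == "yandex_storage_bucket_grant":
            owners.setdefault(body.get("bucket"), []).append(label)
        for n, g in enumerate(grants, 1):
            where, gtype = f"{label} grant #{n}", g.get("type")
            perms = set(g.get("permissions", []))
            if "WRITE" in perms and "READ" not in perms:
                findings.append(f"{where}: WRITE is only valid together with READ")
            if gtype == "CanonicalUser" and ("id" not in g or "uri" in g):
                findings.append(f"{where}: CanonicalUser takes id, not uri")
            elif gtype == "Group" and ("uri" not in g or "id" in g):
                findings.append(f"{where}: Group takes uri, not id")
            elif gtype == "Group" and g["uri"] not in PUBLIC_URIS:
                findings.append(f"{where}: unknown public group {g['uri']}")
    for bucket, labels in owners.items():
        if len(labels) > 1:
            findings.append(f"bucket {bucket}: several grant resources ({', '.join(labels)})")
    return findings


# Trimmed copy of the guide's yandex_storage_bucket_grant example (placeholders kept)
GUIDE_CONFIG = '''
resource "yandex_storage_bucket_grant" "my_bucket_grant" {
  bucket = "<existing_bucket_name>"
  grant {
    id          = "<user_1_ID>"
    permissions = ["READ", "WRITE"]
    type        = "CanonicalUser"
  }
  grant {
    uri         = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
    permissions = ["READ"]
    type        = "Group"
  }
}
'''
# Constructed second resource for the same bucket that breaks several rules at once
BAD_CONFIG = GUIDE_CONFIG + '''
resource "yandex_storage_bucket_grant" "duplicate" {
  bucket = "<existing_bucket_name>"
  acl    = "private"
  grant {
    permissions = ["WRITE"]
    type        = "Group"
  }
}
'''
```

Running lint on GUIDE_CONFIG returns nothing; on BAD_CONFIG it reports the acl/grant conflict, the WRITE without READ, the Group grant with no uri, and the second grant resource attached to the same bucket. Because brace matching is line-based, keep the one-statement-per-line layout the guide uses (terraform fmt produces it).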

API

To edit a bucket ACL, use the update REST API method for the Bucket resource, the BucketService/Update gRPC API call, or the bucketPutAcl S3 API method.
