Editing a bucket ACL

Written by

Updated at February 21, 2025

Object Storage incorporates multiple mechanisms for managing access to resources. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.

Note

If your bucket already has a configured ACL, it will be completely overwritten once you apply the changes.

Management console

Yandex Cloud CLI

AWS CLI

Terraform

API

In the management console, select Object Storage from the list of services.
Select the bucket you need, click , and select Object ACL.
In the ACL editing window, grant or revoke the relevant permissions.

Note

In the management console, you can only grant permissions to service accounts created in the same directory as the bucket. You can grant permissions to service accounts belonging to other directories using the YC CLI (only for the ACL bucket), AWS CLI, Terraform, or API.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.

Before configuring an ACL, see the description of the CLI command for editing a bucket:

yc storage bucket update --help

To view the current ACL of a bucket, run this command:

yc storage bucket get <bucket_name> --with-acl

You can apply a predefined ACL to a bucket or configure permissions for individual users, service accounts, user groups, and public groups, such as a group of all internet users or a group of all authenticated Yandex Cloud users. These settings cannot be used together: a bucket can have either a predefined ACL or individual permissions.

Predefined ACL

Run this command:

yc storage bucket update --name <bucket_name> --acl <predefined_ACL>

Where:

--name: Bucket name.
--acl: Predefined ACL. To view a list of values, see Predefined ACLs.

Result:

name: my-bucket
folder_id: csgeoelk7fl1********
default_storage_class: STANDARD
versioning: VERSIONING_DISABLED
max_size: "1073741824"
acl:
  grants:
    - permission: PERMISSION_READ
      grant_type: GRANT_TYPE_ALL_USERS
created_at: "2022-12-14T19:10:05.957940Z"

Setting up individual permissions

To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:
- User.
- Service account.
- User group: Navigate to the Groups tab in the Cloud Center interface.
Run this command:
```
yc storage bucket update --name <bucket_name> \
  --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=<permission_type>
```
Where:
- grant-type: Permission grantee type. The possible values are as follows:
  - grant-type-account: User, service account, or user group.
  - grant-type-all-authenticated-users: Public group that includes all authenticated Yandex Cloud users.
  - grant-type-all-users: Public group that includes all internet users.
- grantee-id: ID of the user, service account, or user group you need to grant a permission to. It is specified only if grant-type=grant-type-account.
- permission: ACL permission type. The possible values are as follows:
  - permission-read: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, and static hosting), and read all objects in the bucket.
  - permission-write: Permission to write, overwrite, and delete objects in the bucket. It can only be used together with permission-read.
  - permission-full-control: Full access to the bucket and the objects in it.
    For more information about permissions, see Permission types.
To configure multiple permissions, specify the --grants parameter multiple times. For example, to grant a write permission for a bucket, run this command:
```
yc storage bucket update --name <bucket_name> \
  --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=permission-read \
  --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=permission-write
```

If you do not have the AWS CLI yet, install and configure it.

Note

To manage bucket ACL settings, assign the storage.admin role to the service account used by the AWS CLI.

View the bucket's current ACL:

aws s3api get-bucket-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name>

Where:

--bucket: Bucket name.
--endpoint: Object Storage endpoint.

Predefined ACL

Run this command:

  aws s3api put-bucket-acl \
    --endpoint https://storage.yandexcloud.net \
    --bucket <bucket_name> \
    --acl <predefined_ACL>

Where:

--endpoint: Object Storage endpoint.
--bucket: Bucket name.
--acl: Predefined ACL. To view a list of values, see Predefined ACLs.

Setting up individual permissions

To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:
- User.
- Service account.
- User group: Navigate to the Groups tab in the Cloud Center interface.
Run this command:
```
aws s3api put-bucket-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  <permission_type> <permission_grantee>
```
Where:
- --bucket: Bucket name.
- --endpoint: Object Storage endpoint.
- The possible types of ACL permissions are as follows:
  - --grant-read: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, and static hosting), and read all objects in the bucket.
  - --grant-write: Permission to write, overwrite, and delete objects in the bucket. It can only be used together with --grant-read.
  - --grant-full-control: Full access to the bucket and the objects in it.
  For more information about permissions, see Permission types.
- The possible permission grantees are as follows:
  - id=<grantee_ID>: ID of the user, service account, or user group you need to grant a permission to.
  - uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers: Public group that includes all authenticated Yandex Cloud users.
  - uri=http://acs.amazonaws.com/groups/global/AllUsers: Public group that includes all internet users.
To configure multiple permissions, specify the relevant settings, permission type, and permission grantee multiple times. For example, to grant a write permission for a bucket, run this command:
```
aws s3api put-bucket-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --grant-read id=<grantee_ID> \
  --grant-write id=<grantee_ID>
```

Note

Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

Before you start, retrieve the static access keys: a secret key and key ID used for Object Storage authentication.

In the configuration file, define the parameters of the resources you want to create:
```
resource "yandex_storage_bucket" "test" {
  access_key = "<static_key_ID>"
  secret_key = "<secret_key>"
  bucket = "<bucket_name>"
  grant {
    id          = "<user_ID>"
    type        = "CanonicalUser"
    permissions = ["FULL_CONTROL"]
  }

  grant {
    type        = "Group"
    permissions = ["READ", "WRITE"]
    uri         = "http://acs.amazonaws.com/groups/global/AllUsers"
  }
}
```
Where:
- access_key: Static access key ID.
- secret_key: Secret access key value.
- bucket: Bucket name. This is a required parameter.
- grant: ACL settings. This is an optional parameter. To manage it, the service account with static access keys must have the storage.admin role for the bucket or folder.
  - type: Permission grantee type. The possible values are as follows:
    - CanonicalUser: For a user, service account, or user group.
    - Group: For a public group.
  - permissions: Type of ACL permissions. It can take the following values:
    - READ: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, and static hosting), and read all objects in the bucket.
    - WRITE: Permission to write, overwrite, and delete objects in the bucket. It can only be used together with READ, e.g., permissions = ["READ", "WRITE"].
    - FULL_CONTROL: Full access to the bucket and the objects in it.
    For more information about permissions, see Permission types.
  - id: ID of the user, service account, or user group. It is used with the CanonicalUser type of permission grantee.
    
    You can get the IDs in the following ways:
    - User.
    - Service account.
    - User group: Navigate to the Groups tab in the Cloud Center interface.
  - uri: Public group ID. It is used with the Group type of permission grantee. The possible values are as follows:
    - http://acs.amazonaws.com/groups/global/AllUsers: All internet users.
    - http://acs.amazonaws.com/groups/global/AuthenticatedUsers: All authenticated Yandex Cloud users.
Instead of grant, you can specify acl, i.e., the predefined ACL of the bucket. The default value is private: Yandex Cloud users get permissions based on their roles in IAM.

For more information about the resources you can create with Terraform, see this provider reference.
Make sure the configuration files are correct.
1. In the command line, go to the directory where you created the configuration file.
2. Run a check using this command:
```
terraform plan
```
If you described the configuration correctly, the terminal will display a list of the resources being created and their parameters. If the configuration contains any errors, Terraform will point them out.
Deploy the cloud resources.
1. If the configuration does not contain any errors, run this command:
```
terraform apply
```
2. Confirm creating the resources.
This will create all the resources you need in the specified folder. You can check the new resources and their settings using the management console.

To edit a bucket ACL, use the update REST API method for the Bucket resource, the BucketService/Update gRPC API call, or the bucketPutAcl S3 API method.

Editing a bucket ACL

Was the article helpful?