Editing a bucket's ACL

Written by

Updated at November 21, 2024

Object Storage incorporates multiple mechanisms for managing access to resources. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.

Note

If an ACL has already been set for a bucket, it will be completely overwritten once you apply the changes.

Management console

Yandex Cloud CLI

AWS CLI

Terraform

API

In the management console, select Object Storage from the list of services.
Select the bucket you need and click → Object ACL.
In the ACL editing window, grant or revoke the appropriate permissions.

Note

In the management console, you can only grant permissions to service accounts created in the same directory as the bucket. You can grant permissions to service accounts belonging to other directories using the YC CLI (only for the ACL bucket), AWS CLI, Terraform, or API.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

Before configuring an ACL, view a description of the CLI command to edit a bucket:

yc storage bucket update --help

To view a bucket's current ACL, run this command:

yc storage bucket get <bucket_name> --with-acl

You can apply a predefined ACL to a bucket or configure permissions for individual users, service accounts, user groups and public groups (e.g., a group of all internet users or a group of all authenticated Yandex Cloud users). These settings are not compatible: a bucket should have either a predefined ACL or a set of individual permissions.

Predefined ACL

Run this command:

yc storage bucket update --name <bucket_name> --acl <predefined_ACL>

Where:

--name: Bucket name.
--acl: Predefined ACL. For the list of values, see Predefined ACLs.

Result:

name: my-bucket
folder_id: csgeoelk7fl1********
default_storage_class: STANDARD
versioning: VERSIONING_DISABLED
max_size: "1073741824"
acl:
  grants:
    - permission: PERMISSION_READ
      grant_type: GRANT_TYPE_ALL_USERS
created_at: "2022-12-14T19:10:05.957940Z"

Setting up individual permissions

To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:
- User.
- Service account
- User group: Navigate to the Groups tab in the Cloud Center interface.
Run this command:
```
yc storage bucket update --name <bucket_name> \
  --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=<permission_type>
```
Where:
- grant-type: Permission grantee type. The possible values are:
  - grant-type-account: User, service account, or user group.
  - grant-type-all-authenticated-users: Public group that includes all authenticated Yandex Cloud users.
  - grant-type-all-users: Public group that includes all internet users.
- grantee-id: ID of the user, service account, or user group you need to grant a permission to. Specified only if grant-type=grant-type-account.
- permission: ACL permission type. The possible values are:
  - permission-read: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, or static hosting), and read all objects in the bucket.
  - permission-write: Permission to write, overwrite, and delete objects in the bucket. Can only be used together with permission-read.
  - permission-full-control: Full access to the bucket and the objects in it.
    For more information about permissions, see Permission types.
To configure multiple permissions, specify the --grants parameter multiple times. For example, to grant a write permission for a bucket, run the following command:
```
yc storage bucket update --name <bucket_name> \
  --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=permission-read \
  --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=permission-write
```

If you do not have the AWS CLI yet, install and configure it.

Note

To manage bucket ACL settings, assign the storage.admin role to the service account used by the AWS CLI.

View the bucket's current ACL:

aws s3api get-bucket-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name>

Where:

--bucket: Bucket name.
--endpoint: Object Storage endpoint.

Predefined ACL

Run this command:

  aws s3api put-bucket-acl \
    --endpoint https://storage.yandexcloud.net \
    --bucket <bucket_name> \
    --acl <predefined_ACL>

Where:

--endpoint: Object Storage endpoint.
--bucket: Bucket name.
--acl: Predefined ACL. For the list of values, see Predefined ACLs.

Setting up individual permissions

To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:
- User.
- Service account.
- User group: Navigate to the Groups tab in the Cloud Center interface.
Run this command:
```
aws s3api put-bucket-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  <permission_type> <permission_grantee>
```
Where:
- --bucket: Bucket name.
- --endpoint: Object Storage endpoint.
- Possible types of ACL permissions:
  - --grant-read: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, static hosting), and read all objects in the bucket.
  - --grant-write: Permission to write, overwrite, and delete objects in the bucket. Can only be used together with --grant-read.
  - --grant-full-control: Full access to the bucket and the objects in it.
  For more information about permissions, see Permission types.
- The possible permission grantees are:
  - id=<grantee_ID>: ID of the user, service account, or user group you need to grant a permission to.
  - uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers: Public group that includes all authenticated Yandex Cloud users.
  - uri=http://acs.amazonaws.com/groups/global/AllUsers: Public group that includes all internet users.
To configure multiple permissions, specify the settings, permission type, and permission grantee multiple times. For example, to grant a write permission for a bucket, run the following command:
```
aws s3api put-bucket-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --grant-read id=<grantee_ID> \
  --grant-write id=<grantee_ID>
```

Note

Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

Before you start, retrieve the static access keys: a secret key and a key ID used for authentication in Object Storage.

In the configuration file, describe the parameters of the resources you want to create:
```
resource "yandex_storage_bucket" "test" {
  access_key = "<static_key_ID>"
  secret_key = "<secret_key>"
  bucket = "<bucket_name>"
  grant {
    id          = "<user_ID>"
    type        = "CanonicalUser"
    permissions = ["FULL_CONTROL"]
  }

  grant {
    type        = "Group"
    permissions = ["READ", "WRITE"]
    uri         = "http://acs.amazonaws.com/groups/global/AllUsers"
  }
}
```
Where:
- access_key: Static access key ID.
- secret_key: Secret access key value.
- bucket: Bucket name. This is a required parameter.
- grant: ACL settings. This is an optional parameter. To manage this parameter, the service account for which the static access keys were obtained must have the storage.admin role for a bucket or folder.
  - type: Permission grantee type. The possible values are:
    - CanonicalUser: For a user, service account, or user group.
    - Group: For a public group.
  - permissions: Type of ACL permissions. The possible values are:
    - READ: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, static hosting), and read all objects in the bucket.
    - WRITE: Permission to write, overwrite, and delete objects in the bucket. Can only be used together with READ, e.g., permissions = ["READ", "WRITE"].
    - FULL_CONTROL: Full access to the bucket and the objects in it.
    For more information about permissions, see Permission types.
  - id: ID of the user, service account, or user group. Used with the CanonicalUser type of permission grantee.
    
    You can get the IDs in any of the following ways:
    - User.
    - Service account.
    - User group: Navigate to the Groups tab in the Cloud Center interface.
  - uri: Public group ID. Used with the Group type of permission grantee. The possible values are:
    - http://acs.amazonaws.com/groups/global/AllUsers: All internet users.
    - http://acs.amazonaws.com/groups/global/AuthenticatedUsers: All authenticated Yandex Cloud users.
Instead of grant, you can specify acl, i.e., the predefined ACL of the bucket. The default value is private: Yandex Cloud users get permissions based on their roles in IAM.

For more information about the resources you can create with Terraform, see the provider documentation.
Make sure the configuration files are correct.
1. In the command line, go to the folder where you created the configuration file.
2. Run a check using this command:
```
terraform plan
```
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
Deploy cloud resources.
1. If the configuration does not contain any errors, run this command:
```
terraform apply
```
2. Confirm that you want to create the resources.
All the resources you need will then be created in the specified folder. You can check the new resources and their settings using the management console.

To edit a bucket's ACL, use the update REST API method for the Bucket resource, the BucketService/Update gRPC API call, or the bucketPutAcl S3 API method.

Editing a bucket's ACL

Was the article helpful?