Yandex Cloud
Search
Discuss with expertTry it for free
  • Customer Stories
  • Documentation
  • Blog
  • All Services
  • System Status
  • Marketplace
    • Featured
    • Infrastructure & Network
    • Data Platform
    • AI for business
    • Security
    • DevOps tools
    • Serverless
    • Monitoring & Resources
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Start testing with double trial credits
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Center for Technologies and Society
    • Yandex Cloud Partner program
    • Price calculator
    • Pricing plans
  • Customer Stories
  • Documentation
  • Blog
© 2026 Direct Cursus Technology L.L.C.
Yandex Object Storage
    • All guides
      • Creating a bucket
      • Deleting a bucket
      • Limiting the maximum size of a bucket
      • Encrypting a bucket
      • Managing object lifecycles
      • Managing CORS configurations
      • Configuring access permissions using IAM
      • Editing a bucket's ACL
      • Managing access policies
      • Configuring public access to a bucket
      • Disabling access with static keys
      • Accessing a bucket using Security Token Service
      • Accessing a bucket with an ephemeral access key
      • Accessing a bucket using a service connection from VPC
      • Managing bucket versioning
      • Enabling logging
      • Managing object locks
      • Managing object metadata export
      • Managing bucket labels
      • Getting a list of buckets
      • Getting bucket information and statistics
      • Viewing bucket metrics
  • Pricing policy
  • Terraform reference
  • Monitoring metrics
  • Audit Trails events
  • Bucket logs
  • Release notes
  • FAQ
  1. Step-by-step guides
  2. Buckets
  3. Configuring access permissions using IAM

Configuring access permissions for a bucket using Identity and Access Management

Written by
Yandex Cloud
Improved by
Tania L.
Updated at June 29, 2026
View in Markdown

Object Storage incorporates several access management mechanisms. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.

To configure access to a bucket using Identity and Access Management, assign a user, user group, or service account a role for that bucket:

Management console
CLI
Terraform
API
  1. In the management console, select a folder.
  2. Navigate to Object Storage.
  3. Click the name of the bucket you want to grant access to.
  4. In the left-hand menu, select Security.
  5. Navigate to the Access bindings tab.
  6. Click Assign roles.
  7. Select a user from the list or use the user search option.
  8. Click Add role.
  9. Select a role for the user.
  10. Click Save.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command for updating bucket settings:

    yc storage bucket update --help
    
  2. Assign a role for the bucket:

    yc storage bucket update \
      --name <bucket_name> \
      --grants grantee-id=<account_ID>,grant-type=<subject_type>,permission=<permission>
    

    Where:

    • --name: Bucket name.
    • --grants: ACL access permission settings:
      • grantee-id: ID of the account the permissions are granted to. Used when the value is grant-type=grant-type-account.
      • grant-type: Type of entity the permissions are granted to. The possible values are:
        • grant-type-account: User or service account.
        • grant-type-all-authenticated-users: All authenticated users.
        • grant-type-all-users: All users.
      • permission: Permission. The possible values are:
        • permission-full-control: Full access to the bucket and objects in it.
        • permission-write: Writing objects to the bucket.
        • permission-write-acp: Editing bucket ACL.
        • permission-read: Reading objects in the bucket.
        • permission-read-acp: Reading bucket ACL.

If the yc storage bucket update command is called, the bucket's assigned ACL roles are overwritten, not appended. To preserve existing permissions settings, they must be re-listed in the --grants parameter.

Learn more about the yc storage bucket update command in the YC CLI reference.

ExampleExample

To assign a service account full access to a bucket using the CLI:

  1. Get a list of buckets in the default folder:

    yc storage bucket list
    

    Result:

    +------------------+----------------------+----------+-----------------------+---------------------+
    |       NAME       |      FOLDER ID       | MAX SIZE | DEFAULT STORAGE CLASS |     CREATED AT      |
    +------------------+----------------------+----------+-----------------------+---------------------+
    | my-bucket        | b1gmit33ngp3******** | 10       | STANDARD              | 2022-12-16 13:58:18 |
    +------------------+----------------------+----------+-----------------------+---------------------+
    
  2. Get a list of service accounts in the default folder:

    yc iam service-account list
    

    Result:

    +----------------------+--------------+--------+---------------------+-----------------------+
    |          ID          |     NAME     | LABELS |     CREATED AT      | LAST AUTHENTICATED AT |
    +----------------------+--------------+--------+---------------------+-----------------------+
    | ajeg2b2et02f******** | my-robot     |        | 2024-09-08 18:59:45 | 2025-02-18 10:10:00   |
    | ajegtlf2q28a******** | account-name |        | 2023-06-27 16:18:18 | 2025-02-18 10:20:00   |
    +----------------------+--------------+--------+---------------------+-----------------------+
    
  3. Assign a role for the bucket:

    yc storage bucket update \
      --name my-bucket \
      --grants grantee-id=ajeg2b2et02f********,grant-type=grant-type-account,permission=permission-full-control
    

Result:

name: my-bucket
folder_id: b1g0ijbfaqsn********
default_storage_class: STANDARD
versioning: VERSIONING_DISABLED
max_size: "53687091200"
acl:
  grants:
    - permission: PERMISSION_FULL_CONTROL
      grant_type: GRANT_TYPE_ACCOUNT
      grantee_id: ajeg2b2et02f********
created_at: "2026-04-30T09:48:38.836171Z"
resource_id: e3ev6mif5rb1********

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), authenticate using the appropriate method.

To assign a role for a bucket using Terraform:

  1. In the Terraform configuration file, describe the resources you want to create:

    resource "yandex_storage_bucket_iam_binding" "mybucket-viewers" {
      bucket  = "<bucket_name>"
      role    = "<role>"
      members = [
                  "<subject_type>:<subject_ID>",
                  "serviceAccount:<service_account_ID>",
                  "userAccount:<user_ID>"
                ]
    }
    
    # Example of assigning the `storage.editor` role to service accounts
    resource "yandex_storage_bucket_iam_binding" "sa-editors" {
      bucket  = "<bucket_name>"
      role    = "storage.editor"
      members = [
                  "serviceAccount:<service_account_1_ID>",
                  "serviceAccount:<service_account_2_ID>"
                ]
    }
    
    # Example of assigning the `storage.admin` role to users 
    resource "yandex_storage_bucket_iam_binding" "users-admins" {
      bucket  = "<bucket_name>"
      role    = "storage.admin"
      members = [
                  "userAccount:<user_1_ID>",
                  "userAccount:<user_2_ID>"
                ]
    }
    

    Where:

    • bucket: Bucket name.

    • role: Role to assign.

      Warning

      You cannot use the yandex_storage_bucket_iam_binding resource to assign primitive roles, such as viewer, editor, or admin for a bucket if the yandex_storage_bucket_grant resource or the acl or grant parameters of the yandex_storage_bucket resource are used simultaneously.

    • members: Types and IDs of entities getting the role. Specify it as userAccount:<user_ID> or serviceAccount:<service_account_ID>.

    For more information about the yandex_storage_bucket_iam_binding resource properties, see this provider guide.

  2. If you intend to use the yandex_storage_bucket_iam_binding resource together with yandex_storage_bucket_grant for the same bucket, we recommend creating them sequentially. To do this, add a dependency on the yandex_storage_bucket_grant resource to the yandex_storage_bucket_iam_binding section.

    resource "yandex_storage_bucket_iam_binding" "mybucket-viewers" {
      ...
    
      depends_on = [
        yandex_storage_bucket_grant.my_bucket_grant
      ]
    }
    
  3. Apply the configuration:

    1. In the terminal, navigate to the configuration file directory.

    2. Make sure the configuration is correct using this command:

      terraform validate
      

      If the configuration is valid, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.

    4. Apply the configuration changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

    You can check the resource update using the management console.

Use the updateAccessBindings REST API method for the Bucket resource or the BucketService/UpdateAccessBindings gRPC API call.

You can also assign a role for a bucket in Identity and Access Management.

Was the article helpful?

Previous
Managing CORS configurations
Next
Editing a bucket's ACL
© 2026 Direct Cursus Technology L.L.C.