Configuring access permissions for a bucket using Identity and Access Management
Object Storage incorporates several access management mechanisms. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.
To configure access to a bucket using Identity and Access Management, assign a user, user group, or service account a role for that bucket:
- In the management console
, select a folder. - Navigate to Object Storage.
- Click the name of the bucket you want to grant access to.
- In the left-hand menu, select Security.
- Navigate to the Access bindings tab.
- Click Assign roles.
- Select a user from the list or use the user search option.
- Click Add role.
- Select a role for the user.
- Click Save.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
-
See the description of the CLI command for updating bucket settings:
yc storage bucket update --help -
Assign a role for the bucket:
yc storage bucket update \ --name <bucket_name> \ --grants grantee-id=<account_ID>,grant-type=<subject_type>,permission=<permission>Where:
--name: Bucket name.--grants: ACL access permission settings:grantee-id: ID of the account the permissions are granted to. Used when the value isgrant-type=grant-type-account.grant-type: Type of entity the permissions are granted to. The possible values are:grant-type-account: User or service account.grant-type-all-authenticated-users: All authenticated users.grant-type-all-users: All users.
permission: Permission. The possible values are:permission-full-control: Full access to the bucket and objects in it.permission-write: Writing objects to the bucket.permission-write-acp: Editing bucket ACL.permission-read: Reading objects in the bucket.permission-read-acp: Reading bucket ACL.
If the yc storage bucket update command is called, the bucket's assigned ACL roles are overwritten, not appended. To preserve existing permissions settings, they must be re-listed in the --grants parameter.
Learn more about the yc storage bucket update command in the YC CLI reference.
Example
To assign a service account full access to a bucket using the CLI:
-
Get a list of buckets in the default folder:
yc storage bucket listResult:
+------------------+----------------------+----------+-----------------------+---------------------+ | NAME | FOLDER ID | MAX SIZE | DEFAULT STORAGE CLASS | CREATED AT | +------------------+----------------------+----------+-----------------------+---------------------+ | my-bucket | b1gmit33ngp3******** | 10 | STANDARD | 2022-12-16 13:58:18 | +------------------+----------------------+----------+-----------------------+---------------------+ -
Get a list of service accounts in the default folder:
yc iam service-account listResult:
+----------------------+--------------+--------+---------------------+-----------------------+ | ID | NAME | LABELS | CREATED AT | LAST AUTHENTICATED AT | +----------------------+--------------+--------+---------------------+-----------------------+ | ajeg2b2et02f******** | my-robot | | 2024-09-08 18:59:45 | 2025-02-18 10:10:00 | | ajegtlf2q28a******** | account-name | | 2023-06-27 16:18:18 | 2025-02-18 10:20:00 | +----------------------+--------------+--------+---------------------+-----------------------+ -
Assign a role for the bucket:
yc storage bucket update \ --name my-bucket \ --grants grantee-id=ajeg2b2et02f********,grant-type=grant-type-account,permission=permission-full-control
Result:
name: my-bucket
folder_id: b1g0ijbfaqsn********
default_storage_class: STANDARD
versioning: VERSIONING_DISABLED
max_size: "53687091200"
acl:
grants:
- permission: PERMISSION_FULL_CONTROL
grant_type: GRANT_TYPE_ACCOUNT
grantee_id: ajeg2b2et02f********
created_at: "2026-04-30T09:48:38.836171Z"
resource_id: e3ev6mif5rb1********
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the relevant documentation on the Terraform
If you do not have Terraform yet, install it and configure the Yandex Cloud provider.
To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), authenticate using the appropriate method.
To assign a role for a bucket using Terraform:
-
In the Terraform configuration file, describe the resources you want to create:
resource "yandex_storage_bucket_iam_binding" "mybucket-viewers" { bucket = "<bucket_name>" role = "<role>" members = [ "<subject_type>:<subject_ID>", "serviceAccount:<service_account_ID>", "userAccount:<user_ID>" ] } # Example of assigning the `storage.editor` role to service accounts resource "yandex_storage_bucket_iam_binding" "sa-editors" { bucket = "<bucket_name>" role = "storage.editor" members = [ "serviceAccount:<service_account_1_ID>", "serviceAccount:<service_account_2_ID>" ] } # Example of assigning the `storage.admin` role to users resource "yandex_storage_bucket_iam_binding" "users-admins" { bucket = "<bucket_name>" role = "storage.admin" members = [ "userAccount:<user_1_ID>", "userAccount:<user_2_ID>" ] }Where:
-
bucket: Bucket name. -
role: Role to assign.Warning
You cannot use the yandex_storage_bucket_iam_binding resource to assign primitive roles, such as
viewer,editor, oradminfor a bucket if the yandex_storage_bucket_grant resource or theaclorgrantparameters of the yandex_storage_bucket resource are used simultaneously. -
members: Types and IDs of entities getting the role. Specify it asuserAccount:<user_ID>orserviceAccount:<service_account_ID>.
For more information about the
yandex_storage_bucket_iam_bindingresource properties, see this provider guide. -
-
If you intend to use the yandex_storage_bucket_iam_binding resource together with yandex_storage_bucket_grant for the same bucket, we recommend creating them sequentially. To do this, add a dependency on the
yandex_storage_bucket_grantresource to theyandex_storage_bucket_iam_bindingsection.resource "yandex_storage_bucket_iam_binding" "mybucket-viewers" { ... depends_on = [ yandex_storage_bucket_grant.my_bucket_grant ] } -
Apply the configuration:
-
In the terminal, navigate to the configuration file directory.
-
Make sure the configuration is correct using this command:
terraform validateIf the configuration is valid, you will get this message:
Success! The configuration is valid. -
Run this command:
terraform planYou will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
-
Apply the configuration changes:
terraform apply -
Type
yesand press Enter to confirm the changes.
You can check the resource update using the management console
. -
Use the updateAccessBindings REST API method for the Bucket resource or the BucketService/UpdateAccessBindings gRPC API call.
You can also assign a role for a bucket in Identity and Access Management.