Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Managing a bucket policy

Written by
Improved by
Updated at September 8, 2025

Object Storage incorporates several access management mechanisms. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.

Bucket policies set permissions for operations with buckets, objects, and object groups.

For examples of bucket policies for specific use cases, see Configuration examples.

Warning

If you want to assign an access policy to a bucket and connect to this bucket from a Apache Hive™ Metastore or Yandex Managed Service for Apache Airflow™ cluster, you will need some additional infrastructure setup. For more information, see these guides for Apache Hive™ Metastore and Managed Service for Apache Airflow™.

Applying or updating a policy

The minimum role required to apply or update a bucket policy is storage.configurer. For more information, see the role description.

Note

If the bucket already had a bucket policy configured, it will be completely overwritten once you apply the changes.

To apply or update a bucket policy:

  1. In the management console, select Object Storage from the list of services and go to the bucket whose policy you need to configure.

  2. In the left-hand panel, select Security and go to the Access policy tab.

  3. Click Configure access.

  4. Enter a bucket policy ID.

  5. Set up a rule:

    1. Enter a rule ID.

    2. Configure rule settings:

      • Result: Allow or deny.

      • Selection principle: Include or exclude users.

      • User: Select all users or list specific subjects.

        To list specific subjects:

        • Select Select users.

        • Select the subjects you need from the list. To do this, place the cursor in the subject input field, then select the required user, service account, user group, system group, or public group in the form that appears. If required, use the relevant tabs in the form or the search bar to find a subject by name or email address.

          You can select multiple subjects; to do this, select them one by one.

      • Action for which you are creating the rule. You can also enable All actions.

      • Resource: Defaults to the selected bucket. To add other resources to the rule, click Add resource.

        Note

        A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all the objects, specify them as separate resources, e.g., samplebucket and samplebucket/*.

    3. If required, add a condition for the rule:

      • Select Key from the list.
      • Select Operator from the list. If you want the operator to apply solely to the existing fields, select Apply if the field exists. This way, if the field is missing, the condition will be considered met.
      • Specify Value.
      • Click Add value to add another value to the condition.

      You can set multiple conditions for a rule and specify multiple keys for each condition. These conditions and their keys will be checked using the logical AND, i.e., the request must meet all the specified criteria at once.

      You can set multiple values for each condition key at the same time. These values will be checked using the logical OR, i.e., the request must match any of the specified condition key values.

  6. Add and configure rules as required.

  7. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for editing a bucket ACL:

    yc storage bucket update --help

  2. Describe your bucket policy configuration as a JSON data schema:

    {
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::<bucket_name>/*",
    "Condition": {
      "Bool": {
        "aws:SecureTransport": "true"
      }
    }
  }
}

    Where:

    • Version: Version of the bucket policy description. This is an optional parameter.
    • Statement: Bucket policy rules:

      • Effect: Deny or allow the requested action. The possible values are Allow and Deny.

      • Principal: Requested permission subject ID. You can request permissions for a user, service account, or user group. Possible values: * and <subject_ID>. This is an optional parameter.

        You can get the IDs in the following ways:

      • Action: Action to allow when the policy is triggered. The possible values are s3:GetObject, s3:PutObject, and * (if you need to apply the policy to all actions).

      • Resource: Resource to apply the rule to.

      • Condition: Condition to check. This is an optional parameter.

        You can set multiple conditions for a rule and specify multiple keys for each condition. These conditions and their keys will be checked using the logical AND, i.e., the request must meet all the specified criteria at once.

        You can set multiple values for each condition key at the same time. These values will be checked using the logical OR, i.e., the request must match any of the specified condition key values.

  3. Run this command:

    yc storage bucket update \
  --name <bucket_name> \
  --policy-from-file <policy_file_path>

    Result:

    name: my-bucket
folder_id: csgeoelk7fl1********
default_storage_class: STANDARD
versioning: VERSIONING_SUSPENDED
max_size: "10737418240"
policy:
    Statement:
      Action: s3:GetObject
      Condition:
        Bool:
          aws:SecureTransport: "true"
        Effect: Allow
        Principal: '*'
        Resource: arn:aws:s3:::my-bucket
      Version: "2012-10-17"
acl: {}
created_at: "2022-12-14T08:42:16.273717Z"

Note

To manage a policy using the AWS CLI, a service account needs the storage.admin role.

If you do not have the AWS CLI yet, install and configure it.

  1. Describe your bucket policy configuration as a JSON data schema:

    {
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::<bucket_name>/*",
    "Condition": {
      "Bool": {
        "aws:SecureTransport": "true"
      }
    }
  }
}

    Where:

    • Version: Version of the bucket policy description. This is an optional parameter.
    • Statement: Bucket policy rules:

      • Effect: Deny or allow the requested action. The possible values are Allow and Deny.

      • Principal: Requested permission subject ID. You can request permissions for a user, service account, or user group. Possible values: * and <subject_ID>. This is an optional parameter.

        You can get the IDs in the following ways:

      • Action: Action to allow when the policy is triggered. The possible values are s3:GetObject, s3:PutObject, and * (if you need to apply the policy to all actions).

      • Resource: Resource to apply the rule to.

      • Condition: Condition to check. This is an optional parameter.

        You can set multiple conditions for a rule and specify multiple keys for each condition. These conditions and their keys will be checked using the logical AND, i.e., the request must meet all the specified criteria at once.

        You can set multiple values for each condition key at the same time. These values will be checked using the logical OR, i.e., the request must match any of the specified condition key values.

    Once the configuration is complete, save it to a file named policy.json.

  2. Run this command:

    aws s3api put-bucket-policy \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --policy file://policy.json

Note

Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

By default, Terraform uses an IAM token for authentication in Object Storage. In addition to an IAM token, you can use a service account and static access keys for authentication in Object Storage. For more information about Terraform authentication in Object Storage, see the relevant provider documentation.

To edit a bucket policy, you can use these resources:

yandex_storage_bucket_policy

  1. Open the Terraform configuration file and specify the policy using the yandex_storage_bucket_policy resource:

    resource "yandex_storage_bucket_policy" "bpolicy" {
  bucket = "my-policy-bucket"
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-policy-bucket/*",
        "arn:aws:s3:::my-policy-bucket"
      ]
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::my-policy-bucket/*",
        "arn:aws:s3:::my-policy-bucket"
      ]
    }
  ]
}
POLICY
}

    Where:

    • bucket: Bucket name. This is a required parameter.
    • policy: Policy name. This is a required parameter.

    Policy settings:

    • Version: Version of the bucket policy description. This is a required parameter. The only supported value is 2012-10-17.
    • Statement: Bucket policy rules:

      • Effect: Deny or allow the requested action. The possible values are Allow and Deny.

      • Principal: ID of the subject requesting the permission. You can request permissions for a user, service account, or user group. Possible values: * and <subject_ID>. This is an optional setting.

        You can get the IDs in the following ways:

      • Action: Action to allow when the policy is triggered. Examples of possible values: s3:GetObject, s3:PutObject. Use * if you need to apply the policy to all actions.

      • Resource: Resource to apply the rule to.

      • Condition: Condition to check. This is an optional setting.

        You can set multiple conditions for a rule and specify multiple keys for each condition. These conditions and their keys will be checked using the logical AND, i.e., the request must meet all the specified criteria at once.

        You can set multiple values for each condition key at the same time. These values will be checked using the logical OR, i.e., the request must match any of the specified condition key values.

    For more information about yandex_storage_bucket_policy properties, see the relevant provider documentation.

  2. Apply the changes:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    You can check the update using the management console.

yandex_storage_bucket (obsolete)

  1. Open the Terraform configuration file and specify the policy in the policy parameter for the yandex_storage_bucket resource:

    resource "yandex_storage_bucket" "mybucket" {
  bucket     = "my-policy-bucket"
  policy     = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-policy-bucket/*",
        "arn:aws:s3:::my-policy-bucket"
      ]
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::my-policy-bucket/*",
        "arn:aws:s3:::my-policy-bucket"
      ]
    }
  ]
}
POLICY
}

    Where:

    • bucket: Bucket name. This is a required parameter.
    • policy: Policy name. This is a required parameter.

    Policy settings:

    • Version: Version of the bucket policy description. This is a required parameter. The only supported value is 2012-10-17.
    • Statement: Bucket policy rules:

      • Effect: Deny or allow the requested action. The possible values are Allow and Deny.

      • Principal: ID of the subject requesting the permission. You can request permissions for a user, service account, or user group. Possible values: * and <subject_ID>. This is an optional setting.

        You can get the IDs in the following ways:

      • Action: Action to allow when the policy is triggered. Examples of possible values: s3:GetObject, s3:PutObject. Use * if you need to apply the policy to all actions.

      • Resource: Resource to apply the rule to.

      • Condition: Condition to check. This is an optional setting.

        You can set multiple conditions for a rule and specify multiple keys for each condition. These conditions and their keys will be checked using the logical AND, i.e., the request must meet all the specified criteria at once.

        You can set multiple values for each condition key at the same time. These values will be checked using the logical OR, i.e., the request must match any of the specified condition key values.

    For more information about yandex_storage_bucket properties, see the relevant provider documentation.

  2. Apply the changes:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    You can check the update using the management console.

To manage a bucket policy, use the update REST API method for the Bucket resource, the BucketService/Update gRPC API call, or the PutBucketPolicy S3 API method. If the bucket already had a bucket policy configured, it will be completely overwritten once you apply the new policy.

Note

If a bucket policy with no rules is applied to the bucket, access is denied to all users. To disable request verification for a bucket policy, delete it.

Viewing a policy

The minimum role required to view a bucket policy is storage.configViewer. For more information, see the role description.

To view the bucket policy applied to a bucket:

  1. In the management console, select Object Storage from the list of services.
  2. Select the bucket from the list.
  3. In the left-hand menu, select Security and go to the Access policy tab.

Run this command:

aws --endpoint https://storage.yandexcloud.net s3api get-bucket-policy \
  --bucket <bucket_name> \
  --output text

Result:

{
  "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::<bucket_name>/*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"true\"}}}}"
}

For more information about parameters, see the data schema description.

Use the GetBucketPolicy S3 API method.

Deleting a policy

The minimum role required to delete a bucket policy is storage.configurer. For more information, see the role description.

To delete a bucket policy:

  1. In the management console, select Object Storage from the list of services.
  2. Select the bucket from the list.
  3. In the left-hand menu, select Security and go to the Access policy tab.
  4. Click and select Delete access policy.
  5. Click Delete.

Run this command:

aws --endpoint https://storage.yandexcloud.net s3api delete-bucket-policy \
  --bucket <bucket_name>

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

By default, Terraform uses an IAM token for authentication in Object Storage. In addition to an IAM token, you can use a service account and static access keys for authentication in Object Storage. For more information about Terraform authentication in Object Storage, see the relevant provider documentation.

You can use the yandex_storage_bucket_policy and yandex_storage_bucket resources to specify the policy (this method is deprecated).

  1. Open the Terraform configuration file describing the bucket policy.

    • If you applied a bucket policy using the yandex_storage_bucket resource:

      yandex_storage_bucket

      1. Find the parameters of the previously created bucket policy to delete in the configuration file:

        resource "yandex_storage_bucket" "b" {
  bucket = "my-policy-bucket"
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-policy-bucket/*",
        "arn:aws:s3:::my-policy-bucket"
      ]
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::my-policy-bucket/*",
        "arn:aws:s3:::my-policy-bucket"
      ]
    }
  ]
}
POLICY
}

      2. Delete the policy field describing the bucket policy settings from the configuration file.

    • If you applied a bucket policy using the yandex_storage_bucket_policy resource:

      yandex_storage_bucket_policy

      1. Find the parameters of the previously created bucket policy to delete in the configuration file:

        resource "yandex_storage_bucket_policy" "bpolicy" {
  bucket = "my-policy-bucket"
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::my-policy-bucket/*",
      "arn:aws:s3:::my-policy-bucket"
    ]
  },
  {
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": [
      "arn:aws:s3:::my-policy-bucket/*",
      "arn:aws:s3:::my-policy-bucket"
    ]
  }
  ]
}
POLICY
}

      2. Delete the yandex_storage_bucket_policy section describing the bucket policy settings from the configuration file.

  2. Apply the changes:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    This will delete the bucket policy from the specified folder. You can check the bucket policy deletion using the management console.

Use the DeleteBucketPolicy S3 API method.

See also

Previous
Editing a bucket's ACL
Next
Configuring public access to a bucket