Bucket policy management
Object Storage incorporates multiple mechanisms for managing access to resources. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.
Bucket policies set permissions for operations with buckets, objects, and object groups.
Applying or editing a policy
The minimum role required to apply or modify an access policy is storage.configurer. For more information, see the role description.
Note
If the bucket already has a bucket policy, it will be completely overwritten when you apply the changes.
To apply or edit a bucket access policy:

Management console

- In the management console, select the folder where you need to configure a bucket access policy.
- Select Object Storage.
- Select a bucket from the list.
- Click the Access policy tab in the left-hand menu.
- Click Configure access.
- Enter a bucket policy ID.
- Set up a rule:
  - Enter a rule ID.
  - Configure rule settings:
    - Result: Allow or forbid.
    - Selection principle: Include or exclude users.
    - User: All users or specific users. To list specific users or service accounts, select their names in the drop-down list.
    - Action for which the rule is being created. You can also select the All actions option.
    - Resource: The selected bucket is specified by default. To add other resources to the rule, click Add resource.

      Note
      A bucket resource does not include the resources of its objects. To make a bucket policy rule refer to both the bucket and all of its objects, specify them as separate resources, such as samplebucket and samplebucket/*.

  - Add conditions to the rule as required:
    - Choose Key from the list.
    - Choose Operator from the list. For the operator to apply only to fields that exist, select Apply if the field exists. This way, if a field does not exist, the condition is considered satisfied.
    - Enter Value.
    - Click Add value to add another value to the condition.
- Add and configure further rules as required.
- Click Save.
CLI

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- View the description of the CLI command for updating a bucket:

  ```bash
  yc storage bucket update --help
  ```

- Describe your access policy configuration as a data schema in JSON format:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  }
  ```

  Where:
  - Version: Version of the bucket policy description. This is an optional parameter.
  - Statement: Bucket policy rules:
    - Effect: Deny or allow the requested action. Possible values: Allow and Deny.
    - Principal: ID of the subject the permission is requested for. You can request permissions for a user, service account, or user group. The possible values are * and <subject_ID>. This is an optional parameter. You can get the IDs in any of the following ways:
      - User.
      - Service account.
      - User group: Navigate to the Groups tab in the Cloud Organization interface.
    - Action: Action the rule applies to. The possible values are s3:GetObject, s3:PutObject, and * (if you need to apply the policy to all actions).
    - Resource: Resource to apply the rule to.
    - Condition: Condition to check. This is an optional parameter.

- Run this command:

  ```bash
  yc storage bucket update \
    --name <bucket_name> \
    --policy-from-file <policy_file_path>
  ```

  Result:

  ```yaml
  name: my-bucket
  folder_id: csgeoelk7fl1********
  default_storage_class: STANDARD
  versioning: VERSIONING_SUSPENDED
  max_size: "10737418240"
  policy:
    Statement:
      Action: s3:GetObject
      Condition:
        Bool:
          aws:SecureTransport: "true"
      Effect: Allow
      Principal: '*'
      Resource: arn:aws:s3:::my-bucket
    Version: "2012-10-17"
  acl: {}
  created_at: "2022-12-14T08:42:16.273717Z"
  ```
AWS CLI

Note
To manage a policy using the AWS CLI, a service account must have the storage.admin role assigned.

If you do not have the AWS CLI yet, install and configure it.

- Describe your access policy configuration as a data schema in JSON format:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  }
  ```

  Where:
  - Version: Version of the bucket policy description. This is an optional parameter.
  - Statement: Bucket policy rules:
    - Effect: Deny or allow the requested action. Possible values: Allow and Deny.
    - Principal: ID of the subject the permission is requested for. You can request permissions for a user, service account, or user group. The possible values are * and <subject_ID>. This is an optional parameter. You can get the IDs in any of the following ways:
      - User.
      - Service account.
      - User group: Navigate to the Groups tab in the Cloud Organization interface.
    - Action: Action the rule applies to. The possible values are s3:GetObject, s3:PutObject, and * (if you need to apply the policy to all actions).
    - Resource: Resource to apply the rule to.
    - Condition: Condition to check. This is an optional parameter.

  Once complete, save the configuration to a file named policy.json.

- Run this command:

  ```bash
  aws s3api put-bucket-policy \
    --endpoint https://storage.yandexcloud.net \
    --bucket <bucket_name> \
    --policy file://policy.json
  ```
Terraform

Note
Terraform uses a service account to interact with Object Storage. Assign the required role, e.g., storage.admin, to the service account for the folder where you are going to create resources.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

Retrieve static access keys: a static key and a key ID used to authenticate in Object Storage.

- In the configuration file, describe the parameters of the resources you want to create:

  ```hcl
  resource "yandex_iam_service_account" "sa" {
    name = "<service_account_name>"
  }

  // Assigning a role to a service account
  resource "yandex_resourcemanager_folder_iam_member" "sa-admin" {
    folder_id = "<folder_ID>"
    role      = "storage.admin"
    member    = "serviceAccount:${yandex_iam_service_account.sa.id}"
  }

  // Creating a static access key
  resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
    service_account_id = yandex_iam_service_account.sa.id
    description        = "static access key for object storage"
  }

  resource "yandex_storage_bucket" "b" {
    // References to the key resource are expressions, not quoted strings;
    // quoting them would pass the literal text as the credentials.
    access_key = yandex_iam_service_account_static_access_key.sa-static-key.access_key
    secret_key = yandex_iam_service_account_static_access_key.sa-static-key.secret_key
    bucket     = "my-policy-bucket"
    policy     = <<POLICY
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::my-policy-bucket/*",
          "arn:aws:s3:::my-policy-bucket"
        ]
      },
      {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": [
          "arn:aws:s3:::my-policy-bucket/*",
          "arn:aws:s3:::my-policy-bucket"
        ]
      }
    ]
  }
  POLICY
  }
  ```

  Where:
  - access_key: Static access key ID.
  - secret_key: Secret access key value.
  - bucket: Bucket name. This is a required parameter.
  - policy: Policy name. This is a required parameter.

  Policy settings:
  - Version: Version of the bucket policy description. This is an optional parameter.
  - Statement: Bucket policy rules:
    - Effect: Deny or allow the requested action. Possible values: Allow and Deny.
    - Principal: ID of the subject the permission is requested for. You can request permissions for a user, service account, or user group. The possible values are * and <subject_ID>. This is an optional parameter. You can get the IDs in any of the following ways:
      - User.
      - Service account.
      - User group: Navigate to the Groups tab in the Cloud Organization interface.
    - Action: Action the rule applies to. The possible values are s3:GetObject, s3:PutObject, and * (if you need to apply the policy to all actions).
    - Resource: Resource to apply the rule to.
    - Condition: Condition to check. This is an optional parameter.

  For more details about resources you can create using Terraform, see the provider documentation.

- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:

    ```bash
    terraform plan
    ```

    If the configuration is described correctly, the terminal will display a list of the resources to be created and their parameters. If the configuration contains any errors, Terraform will point them out.

- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:

    ```bash
    terraform apply
    ```

  - Confirm that you want to create the resources.

  All the resources you need will then be created in the specified folder. You can check the new resources and their configuration using the management console.
API

To manage your bucket policy, use the update REST API method for the Bucket resource, the BucketService/Update gRPC API call, or the PutBucketPolicy S3 API method. If a bucket policy has already been set for the bucket, it will be completely overwritten once you apply the new policy.
Note
If a bucket policy with no rules is applied to the bucket, access is denied to all users. To disable request verification for a bucket policy, delete it.
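The decision behaviour described in this section (Allow and Deny statements, the `*` wildcard in Action and Resource, the bucket versus `bucket/*` distinction from the console note, the `aws:SecureTransport` condition, and the all-deny effect of a policy with no rules) can be traced with a small model of the evaluation logic. The following Python is an added example, not code from the Yandex Cloud documentation or SDK. It assumes S3-style semantics (implicit deny when no statement matches, an explicit Deny overriding any Allow), treats Principal as the page describes it (`*` or a subject ID string), implements only the Bool condition shown on the page, and uses constructed bucket names, object keys and subject IDs.

```python
import fnmatch

# Constructed policies mirroring the ones shown on this page.
HTTPS_ONLY_GET = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::samplebucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    },
}

ALLOW_ALL_BUT_PUT = {  # the two-statement policy from the Terraform example
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::my-policy-bucket/*", "arn:aws:s3:::my-policy-bucket"]},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": ["arn:aws:s3:::my-policy-bucket/*", "arn:aws:s3:::my-policy-bucket"]},
    ],
}

NO_RULES = {"Version": "2012-10-17", "Statement": []}  # a policy with no rules


def _as_list(value):
    """Statement fields may hold one value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, subject_id):
    # '*' stands for all users; otherwise the statement names a subject ID.
    return any(p == "*" or p == subject_id for p in _as_list(principal))


def _pattern_matches(patterns, value):
    # '*' and '?' are wildcards in Action and Resource (assumed S3-style matching).
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, request):
    """Only the Bool operator is modelled; values are strings in the JSON schema."""
    for key, expected in (condition or {}).get("Bool", {}).items():
        actual = request.get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True


def evaluate(policy, subject_id, action, resource, request=None):
    """Decide one request: implicit Deny, Allow if a statement permits it, explicit Deny wins."""
    request = request or {}
    decision = "Deny"
    for st in _as_list(policy.get("Statement")):
        if not (_principal_matches(st.get("Principal"), subject_id)
                and _pattern_matches(st.get("Action"), action)
                and _pattern_matches(st.get("Resource"), resource)
                and _condition_holds(st.get("Condition"), request)):
            continue
        if st.get("Effect") == "Deny":
            return "Deny"  # an explicit Deny ends the evaluation
        decision = "Allow"
    return decision


def demo():
    """Constructed requests exercising each rule discussed in the text."""
    https = {"aws:SecureTransport": "true"}
    http = {"aws:SecureTransport": "false"}
    who = "example-subject-id"  # constructed subject ID
    obj = "arn:aws:s3:::samplebucket/report.csv"
    return {
        # Condition: the same GetObject is allowed over HTTPS and denied over HTTP.
        "get_https": evaluate(HTTPS_ONLY_GET, who, "s3:GetObject", obj, https),
        "get_http": evaluate(HTTPS_ONLY_GET, who, "s3:GetObject", obj, http),
        # Resource: 'samplebucket/*' covers objects, not the bucket itself (console note).
        "list_bucket": evaluate(HTTPS_ONLY_GET, who, "s3:ListBucket",
                                "arn:aws:s3:::samplebucket", https),
        # The explicit Deny on PutObject overrides the broad 's3:*' Allow.
        "put_object": evaluate(ALLOW_ALL_BUT_PUT, who, "s3:PutObject",
                               "arn:aws:s3:::my-policy-bucket/a.txt"),
        "get_object": evaluate(ALLOW_ALL_BUT_PUT, who, "s3:GetObject",
                               "arn:aws:s3:::my-policy-bucket/a.txt"),
        # A policy with no rules matches nothing, so every request is denied.
        "no_rules": evaluate(NO_RULES, who, "s3:GetObject", obj, https),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:12s} -> {decision}")
```

Running the block prints one decision per constructed request; the `list_bucket` case is the one the console note warns about, since a rule on `samplebucket/*` alone never matches the bucket resource itself.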
Viewing a policy
The minimum role required to view an access policy is storage.configViewer. For more information, see the role description.

To view the access policy applied to a bucket:

Management console

- In the management console, select the folder where you need to view a bucket access policy.
- Select Object Storage.
- Select a bucket from the list.
- Click the Access policy tab in the left-hand menu.

AWS CLI

Run the following command:

```bash
aws --endpoint https://storage.yandexcloud.net s3api get-bucket-policy \
  --bucket <bucket_name> \
  --output text
```

Result:

```json
{
  "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::<bucket_name>/*\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"true\"}}}}"
}
```

For more information about parameters, see the data schema description.
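The Policy value in this output is a JSON document serialised as a string inside the outer JSON object, so it has to be decoded twice before it can be inspected. The following Python is an added example, not part of the Yandex Cloud documentation or the AWS CLI: it decodes a constructed sample of that output, lists each statement, and flags Allow statements that apply to all users (Principal `*`) with no Condition, which a reviewer of a bucket policy would normally want to look at first.

```python
import json

# Constructed sample in the shape of the `aws s3api get-bucket-policy` output:
# the policy document is itself a JSON string inside the outer JSON object.
SAMPLE_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::samplebucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
    })
})


def parse_policy_output(raw):
    """Decode both layers: the outer CLI object, then the escaped policy string."""
    return json.loads(json.loads(raw)["Policy"])


def _as_list(value):
    # Statement, Principal, Action and Resource may each be a single value or a list.
    return value if isinstance(value, list) else [value]


def summarize(policy):
    """Return one record per statement so the policy can be reviewed at a glance."""
    rows = []
    for st in _as_list(policy.get("Statement", [])):
        rows.append({
            "effect": st.get("Effect"),
            "principals": _as_list(st.get("Principal", [])),
            "actions": _as_list(st.get("Action", [])),
            "resources": _as_list(st.get("Resource", [])),
            "conditional": bool(st.get("Condition")),
        })
    return rows


def unconditional_allows_for_all_users(policy):
    """Allow statements that apply to all users ('*') and carry no Condition."""
    return [row for row in summarize(policy)
            if row["effect"] == "Allow" and "*" in row["principals"] and not row["conditional"]]


if __name__ == "__main__":
    pol = parse_policy_output(SAMPLE_OUTPUT)
    for row in summarize(pol):
        print(row)
    print("unconditional allows for all users:", len(unconditional_allows_for_all_users(pol)))
```

The sample policy passes the check because its only Allow statement is conditioned on `aws:SecureTransport`; a policy with the same statement and no Condition would be listed.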
API

Use the GetBucketPolicy S3 API method.
Deleting a policy
The minimum role required to delete an access policy is storage.configurer. For more information, see the role description.

To delete a bucket policy:

Management console

- In the management console, select the folder where you need to configure a bucket access policy.
- Select Object Storage.
- Select a bucket from the list.
- Click the Access policy tab in the left-hand menu.
- Click the menu icon and select Delete access policy.
- Click Delete.

AWS CLI

Run the following command:

```bash
aws --endpoint https://storage.yandexcloud.net s3api delete-bucket-policy \
  --bucket <bucket_name>
```
Terraform

If you don't have Terraform, install it and configure the Yandex Cloud provider.

If you applied a bucket policy using Terraform, you can delete it:

- Find the parameters of the previously created bucket policy to delete in the configuration file:

  ```hcl
  resource "yandex_storage_bucket" "b" {
    bucket = "my-policy-bucket"
    policy = <<POLICY
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
          "arn:aws:s3:::my-policy-bucket/*",
          "arn:aws:s3:::my-policy-bucket"
        ]
      },
      {
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": [
          "arn:aws:s3:::my-policy-bucket/*",
          "arn:aws:s3:::my-policy-bucket"
        ]
      }
    ]
  }
  POLICY
  }
  ```

- Delete the policy field describing the bucket policy settings from the configuration file.
- Make sure the configuration files are correct.
  - In the command line, change to the folder where you edited the configuration file.
  - Run a check using this command:

    ```bash
    terraform plan
    ```

    If the configuration is described properly, the terminal will display a list of the resources and their parameters, with the bucket policy you are deleting no longer included. If the configuration contains any errors, Terraform will point them out.

- Delete the bucket policy.
  - If the configuration does not contain any errors, run this command:

    ```bash
    terraform apply
    ```

  - Type yes and press Enter.

  Afterwards, the bucket policy will be deleted from the specified folder. You can check the bucket policy's deletion using the management console.
API

Use the DeleteBucketPolicy S3 API method.