Editing an object ACL

Written by

Updated at February 21, 2025

Object Storage incorporates multiple mechanisms for managing access to resources. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.

To manage access to an object in an Object Storage bucket, you can use an ACL.

Note

If your object already has a configured ACL, it will be completely overwritten once you apply the changes.

Management console

AWS CLI

Terraform

API

In the management console, select Object Storage from the list of services and go to the bucket you need.
In the left-hand panel, select Objects and find the object in the list.
To edit an ACL, click to the right of the object name and select Object ACL.

Alternatively, you can click the object name, then, on the page that opens, click and select Object ACL.
In the ACL editing window that opens, grant or revoke the relevant permissions.

Note

In the management console, you can only grant permissions to service accounts created in the same directory as the bucket. You can grant permissions to service accounts belonging to other directories using the YC CLI (only for the ACL bucket), AWS CLI, Terraform, or API.

If you do not have the AWS CLI yet, install and configure it.

Note

To manage bucket ACL settings, assign the storage.admin role to the service account used by the AWS CLI.

View the object's current ACL:

aws s3api get-object-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --key <object_key>

Where:

--endpoint: Object Storage endpoint.
--bucket: Bucket name.
--key: Object key.

You can apply a predefined ACL to an object or configure permissions for individual users, service accounts, user groups, and public groups, such as a group of all internet users or a group of all authenticated Yandex Cloud users. These settings cannot be used together: an object can have either a predefined ACL or individual permissions.

Predefined ACL

Run this command:

aws s3api put-object-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --key <object_key> \
  --acl <predefined_ACL>

Where:

--endpoint: Object Storage endpoint.
--bucket: Bucket name.
--key: Object key.
--acl: Predefined ACL. To view a list of values, see Predefined ACLs.

Setting up individual permissions

To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:
- User.
- Service account.
- User group: Navigate to the Groups tab in the Cloud Center interface.
Run this command:
```
aws s3api put-object-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --key <object_key> \
  <permission_type> <permission_grantee>
```
Where:
- --endpoint: Object Storage endpoint.
- --bucket: Bucket name.
- --key: Object key.
- The possible types of ACL permissions are as follows:
  - --grant-read: Read access to the object.
  - --grant-full-control: Full access to the object.
  - --grant-read-acp: Read access to the object ACL.
  - --grant-write-acp: Edit access to the object ACL.
  You can specify multiple permissions in a single command.
- The possible permission grantees are as follows:
  - id=<grantee_ID>: ID of the user, service account, or user group you need to grant a permission to.
  - uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers: Public group that includes all authenticated Yandex Cloud users.
  - uri=http://acs.amazonaws.com/groups/global/AllUsers: Public group that includes all internet users.

Note

Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

To edit an object ACL:

Open the Terraform configuration file and add the acl parameter to the object description:
```
...
resource "yandex_storage_object" "cute-cat-picture" {
  access_key = "<static_key_ID>"
  secret_key = "<secret_key>"
  bucket     = "cat-pictures"
  key        = "cute-cat"
  source     = "/images/cats/cute-cat.jpg"
  acl        = "public-read"
}
...
```
Where:
- access_key: Static access key ID.
- secret_key: Secret access key value.
- acl: Object's predefined ACL. The default value is private: Yandex Cloud users get permissions according to their roles in IAM.
For more information about the yandex_storage_object resource parameters in Terraform, see this TF provider article.
Check the configuration using this command:
```
terraform validate
```
If the configuration is correct, you will get this message:
```
Success! The configuration is valid.
```
Run this command:
```
terraform plan
```
The terminal will display a list of resources with their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
Apply the configuration changes:
```
terraform apply
```
Confirm the changes: type yes into the terminal and press Enter.

You can check the security group update using the management console.

To edit an object ACL, use the objectPutAcl S3 API method.

To upload an object an install an ACL, use the upload S3 API method with the X-Amz-Acl, X-Amz-Grant-Read, X-Amz-Grant-Read-Acp, X-Amz-Grant-Write-Acp, and X-Amz-Grant-Full-Control headers.

Editing an object ACL

Was the article helpful?