Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Editing an object's ACL

Written by
Updated at November 7, 2024

Object Storage incorporates multiple mechanisms for managing access to resources. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.

To control access to an object in an Object Storage bucket, you can use an ACL.

Note

If an ACL has been set for an object, it will be completely overwritten once you apply the changes.

  1. In the management console, select Object Storage from the list of services and go to the bucket you need.

  2. In the left-hand panel, select Objects and find the object in the list.

  3. To edit an ACL, click to the right of the object name and select Object ACL.

    You can also click the object name, click on the page that opens, and select Object ACL.

  4. In the ACL editing window that opens, grant or revoke the appropriate permissions.

    Note

    In the management console, you can only grant permissions to service accounts created in the same directory as the bucket. You can grant permissions to service accounts belonging to other directories using the YC CLI (only for the ACL bucket), AWS CLI, Terraform, or API.

If you do not have the AWS CLI yet, install and configure it.

Note

To manage bucket ACL settings, assign the storage.admin role to the service account used by the AWS CLI.

View the object's current ACL:

aws s3api get-object-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --key <object_key>

Where:

  • --endpoint: Object Storage endpoint.
  • --bucket: Bucket name.
  • --key: Object key.

You can apply a predefined ACL to an object or configure permissions for individual users, service accounts, user groups, and public groups (e.g., a group of all internet users or a group of all authenticated Yandex Cloud users). These settings are not compatible: an object should have either a predefined ACL or a set of individual permissions.

Predefined ACL

Run this command:

aws s3api put-object-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --key <object_key> \
  --acl <predefined_ACL>

Where:

  • --endpoint: Object Storage endpoint.
  • --bucket: Bucket name.
  • --key: Object key.
  • --acl: Predefined ACL. For the list of values, see Predefined ACLs.

Setting up individual permissions

  1. To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:

  2. Run this command:

    aws s3api put-object-acl \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --key <object_key> \
  <permission_type> <permission_grantee>

    Where:

    • --endpoint: Object Storage endpoint.

    • --bucket: Bucket name.

    • --key: Object key.

    • Possible types of ACL permissions:

      • --grant-read: Read access to the object.
      • --grant-full-control: Full access to the object.
      • --grant-read-acp: Read access to the object's ACL.
      • --grant-write-acp: Edit access to the object's ACL.

      You can set multiple permissions within the same command.

    • The possible permission grantees are:

      • id=<grantee_ID>: ID of the user, service account, or user group you need to grant a permission to.
      • uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers: Public group that includes all authenticated Yandex Cloud users.
      • uri=http://acs.amazonaws.com/groups/global/AllUsers: Public group that includes all internet users.

Note

Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.

Terraform allows you to quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. Configuration files store the infrastructure description in the HashiCorp Configuration Language (HCL). Terraform and its providers are distributed under the Business Source License.

For more information about the provider resources, see the documentation on the Terraform website or the mirror.

If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

To edit an object's ACL:

  1. Open the Terraform configuration file and add the acl parameter to the object description:

    ...
resource "yandex_storage_object" "cute-cat-picture" {
  access_key = "<static_key_ID>"
  secret_key = "<secret_key>"
  bucket     = "cat-pictures"
  key        = "cute-cat"
  source     = "/images/cats/cute-cat.jpg"
  acl        = "public-read"
}
...

    Where:

    • access_key: Static access key ID.
    • secret_key: Secret access key value.
    • acl: Predefined ACL of an object. The default value is private: Yandex Cloud users get permissions based on their roles in IAM.

    For more information about the yandex_storage_object resource parameters in Terraform, see the provider documentation.

  2. Check the configuration using this command:

    terraform validate

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.

  3. Run this command:

    terraform plan

    The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  4. Apply the configuration changes:

    terraform apply

  5. Confirm the changes: type yes into the terminal and press Enter.

    You can check the security group update in the management console.

To edit an object's ACL, use the objectPutAcl S3 API method.

To upload an object an install an ACL, use the upload S3 API method with the X-Amz-Acl, X-Amz-Grant-Read, X-Amz-Grant-Read-Acp, X-Amz-Grant-Write-Acp, and X-Amz-Grant-Full-Control headers.

Previous
Deleting a partially uploaded object
Next
Object label management