Access control lists (ACLs)
Object Storage incorporates multiple mechanisms for managing access to resources. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.
An Object Storage ACL is a list of permissions for each object and bucket. It is stored directly in Object Storage.
Permissions granted to a bucket apply to all objects it contains. With ACLs, you can also extend access permissions to individual objects.
Warning
A bucket inherits the same access permissions in IAM as those of the folder and the cloud where it is located. For example, if a user has the viewer role in IAM for the bucket's folder, they can view its content even though such permissions are not provided in the bucket ACL.
By default, Object Storage creates an empty ACL for each new object or bucket. Users with the appropriate access permissions can edit and upload ACLs for Object Storage buckets and objects.
You can use ACLs to grant permissions to a Yandex Cloud user, service account, user group, or public group (the group of all internet users, the group of all authenticated Yandex Cloud users). To do this, you need to know the permission grantee's ID. When granting permissions, you can use predefined ACLs, which contain common permission sets.
In the management console, you can only grant permissions to service accounts created in the same folder as the bucket. You can grant permissions to service accounts from other folders using the YC CLI (bucket ACLs only), AWS CLI, Terraform, or API.
To view the ACL structure description, see ACL XML schema. You can set up to 100 rules per ACL.
Note
ACLs uploaded for objects apply immediately. ACLs uploaded for buckets, as well as access permissions updated in the IAM service, apply with a delay. For more information about delays, see the IAM documentation.
Permission recipient ID
- Yandex Cloud user: you can get the ID in the IAM section of the management console, or using the IAM CLI or API.
- Service account: to get the ID, go to the Service accounts section in the management console.
- Public group: use the public group URI to grant permissions.
- User group: to get the ID, navigate to the Groups tab in the Cloud Organization interface. You can specify a user group using the Yandex Cloud CLI, AWS CLI, Terraform, and the API. For more information, see Editing a bucket ACL and Editing an object ACL.
ACL operations
- In the management console, you can edit ACLs for buckets and objects.
- Using an Amazon S3-compatible API, you can upload or download ACLs for buckets or objects.
You cannot delete ACLs. To remove all access permissions, upload an empty ACL.
Permission types
Permissions correspond to user roles in IAM.
Permission | Role in IAM | Description |
---|---|---|
READ | viewer | For buckets: permission to list the objects in the bucket, read bucket settings (lifecycle, CORS, static hosting), and read all objects in the bucket. For objects: read permission. |
WRITE | editor | For buckets: permission to write, overwrite, and delete objects in the bucket. It must be used together with READ; you cannot specify WRITE on its own. For objects: this permission is meaningless, because write access is checked against the bucket, not the object. |
FULL_CONTROL | admin | Full access to objects and buckets. |
READ_ACP | viewer | Permission to read the ACL. Objects only. |
WRITE_ACP | editor | Permission to write the ACL. Objects only. |
Note
If you specify the WRITE permission without READ when creating an ACL, Object Storage returns the 501 Not Implemented error code.
Predefined ACLs
ACL | Description |
---|---|
private, bucket-owner-full-control | Yandex Cloud users get permissions according to their roles in IAM. |
public-read | The AllUsers public group gets the READ permission. |
public-read-write | The AllUsers public group gets both the READ and WRITE permissions. |
authenticated-read | The AuthenticatedUsers public group gets the READ permission. |
Predefined ACLs can be applied to both objects and buckets. When applied to an object, the public-read-write ACL is the same as public-read.
You can upload a predefined ACL only through the Amazon S3-compatible HTTP API. When uploading an ACL, use the X-Amz-Acl HTTP header.
Public groups
AllUsers
This system group includes all internet users.
A permission for AllUsers looks as follows:
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
<URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
</Grantee>
AuthenticatedUsers
This group includes all authenticated Yandex Cloud users: both from your clouds and other users' clouds.
A permission for AuthenticatedUsers looks as follows:
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
<URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
</Grantee>
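The permission table, the predefined ACLs and the public-group grantees above can be tied together in one small helper. The following Python is an added example, not code from the Yandex Cloud documentation or SDKs: it expands a predefined ACL into explicit grants, rejects the combinations this page says the service rejects or limits (WRITE without READ on a bucket, more than 100 rules, READ_ACP/WRITE_ACP on a bucket), serializes the result as an AccessControlPolicy document, and audits any ACL document for grants to AllUsers or AuthenticatedUsers. Referencing users and service accounts as xsi:type="CanonicalUser" with an ID element is an assumption taken from the S3 ACL schema rather than from this page.

```python
"""Build, validate and audit Object Storage ACL documents.

Added example; not code from the Yandex Cloud docs or SDKs. The public-group
grantee form is the one shown on this page; xsi:type="CanonicalUser" with an
<ID> for users and service accounts is assumed from the S3 ACL schema.
"""
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("xsi", XSI)

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}

# Permission names from the table on this page; the *_ACP ones are objects only.
BUCKET_PERMISSIONS = {"READ", "WRITE", "FULL_CONTROL"}
OBJECT_PERMISSIONS = BUCKET_PERMISSIONS | {"READ_ACP", "WRITE_ACP"}
MAX_RULES = 100

# Predefined ACLs expressed as explicit public-group grants.
CANNED = {
    "private": [],
    "bucket-owner-full-control": [],
    "public-read": [(ALL_USERS, "READ")],
    "public-read-write": [(ALL_USERS, "READ"), (ALL_USERS, "WRITE")],
    "authenticated-read": [(AUTHENTICATED_USERS, "READ")],
}


class AclError(ValueError):
    """Raised for ACLs the service would reject or that exceed its limits."""


def expand_canned(name, target):
    """Return the explicit grants behind a predefined ACL for a bucket or object."""
    grants = list(CANNED[name])
    if target == "object":
        # Writes are checked against the bucket, so on an object
        # public-read-write collapses to public-read.
        grants = [g for g in grants if g[1] != "WRITE"]
    return grants


def validate_grants(grants, target):
    """Check (grantee, permission) pairs against the rules on this page.

    Returns {grantee: set(permissions)}; raises AclError on a violation."""
    if len(grants) > MAX_RULES:
        raise AclError(f"{len(grants)} rules exceed the limit of {MAX_RULES}")
    allowed = BUCKET_PERMISSIONS if target == "bucket" else OBJECT_PERMISSIONS
    by_grantee = {}
    for grantee, perm in grants:
        if perm not in allowed:
            raise AclError(f"{perm} is not valid in a {target} ACL")
        by_grantee.setdefault(grantee, set()).add(perm)
    if target == "bucket":
        for grantee, perms in by_grantee.items():
            # Object Storage answers 501 Not Implemented to WRITE without READ.
            if "WRITE" in perms and "READ" not in perms:
                raise AclError(f"WRITE without READ for {grantee}")
    return by_grantee


def build_acl(owner_id, grants, target):
    """Serialize validated grants into an AccessControlPolicy document."""
    validate_grants(grants, target)
    policy = ET.Element("AccessControlPolicy")
    ET.SubElement(ET.SubElement(policy, "Owner"), "ID").text = owner_id
    acl = ET.SubElement(policy, "AccessControlList")
    for grantee_value, perm in grants:
        grant = ET.SubElement(acl, "Grant")
        grantee = ET.SubElement(grant, "Grantee")
        if grantee_value in PUBLIC_GROUPS:
            grantee.set(f"{{{XSI}}}type", "Group")
            ET.SubElement(grantee, "URI").text = grantee_value
        else:
            grantee.set(f"{{{XSI}}}type", "CanonicalUser")  # assumption, see docstring
            ET.SubElement(grantee, "ID").text = grantee_value
        ET.SubElement(grant, "Permission").text = perm
    return ET.tostring(policy, encoding="unicode")


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    for child in el:
        if _local(child.tag) == name:
            return child.text
    return None


def public_grants(acl_xml):
    """Return {public group name: set(permissions)} found in an ACL document.

    Matches on local element names so a default xmlns on the document,
    as S3-compatible APIs return it, does not hide any grant."""
    found = {}
    for el in ET.fromstring(acl_xml).iter():
        if _local(el.tag) != "Grant":
            continue
        grantee = next((c for c in el if _local(c.tag) == "Grantee"), None)
        uri = _child_text(grantee, "URI") if grantee is not None else None
        if uri in PUBLIC_GROUPS:
            found.setdefault(PUBLIC_GROUPS[uri], set()).add(_child_text(el, "Permission"))
    return found


if __name__ == "__main__":
    doc = build_acl("owner-id", expand_canned("public-read-write", "bucket"), "bucket")
    print(doc)
    print(public_grants(doc))
```

ElementTree declares the xsi namespace once on the root element instead of on every Grantee as in the snippets above; the documents are equivalent. Passing a downloaded ACL body to public_grants() before you rely on a bucket being private is the useful check; an empty result only means no public group is named in the ACL itself, since roles inherited from the folder and cloud in IAM never appear there.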
Inheritance of bucket access permissions by Yandex Cloud public groups
A bucket inherits the same access permissions in IAM as those of the folder and cloud where it is located. If a user has permissions to access the folder or cloud the bucket belongs to, they also have permissions to access the bucket itself.
Warning
Assigning roles to the allUsers and allAuthenticatedUsers public groups for the folder or cloud the bucket belongs to is equivalent to granting public access to the bucket:
- All authenticated users: all authenticated Yandex Cloud users get access to the bucket, both from your cloud and from other users' clouds.
- All users: access is granted to everyone on the internet.
You can grant the same access rights to a bucket by adding grants for the AuthenticatedUsers and AllUsers groups to the bucket ACL.
Viewing bucket access rights inherited from folders
A bucket inherits access rights from its folder. To find out exactly which access rights your bucket inherited, get the list of roles assigned for the folder. You can also revoke these roles at any time.
- To get a list of folder roles, run this command:
  yc resource-manager folder list-access-bindings \
    --id b1g7gvsi89m3********
  Result:
  +---------+--------------+-----------------------+
  | ROLE ID | SUBJECT TYPE | SUBJECT ID            |
  +---------+--------------+-----------------------+
  | viewer  | system       | allAuthenticatedUsers |
  | viewer  | system       | allUsers              |
  +---------+--------------+-----------------------+
  The output contains allAuthenticatedUsers and allUsers. This means the users of these groups are granted rights for this folder and all the resources it contains, including buckets.
- To revoke a role from the All authenticated users public group, run the following command:
  yc resource-manager folder remove-access-binding \
    --id b1g7gvsi89m3******** \
    --role viewer \
    --allAuthenticatedUsers
- To revoke a role from the All users public group, run the following command:
  yc resource-manager folder remove-access-binding \
    --id b1g7gvsi89m3******** \
    --role viewer \
    --allUsers
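Because inherited IAM roles never show up in the bucket ACL, the check above is worth scripting. The following Python is an added example, not from the Yandex Cloud documentation: it filters the JSON form of the `yc resource-manager folder list-access-bindings` output for the allUsers and allAuthenticatedUsers system subjects and produces the exact `remove-access-binding` commands shown above for each one. The JSON field names (role_id, subject.id, subject.type) are an assumption about what `--format json` prints, the sample output is constructed, and the cloud-scope variant is assumed to take the same flags as the folder one.

```python
"""Find and revoke public-group role bindings a bucket inherits from its folder.

Added example, not from the Yandex Cloud docs. The JSON shape (role_id,
subject.id, subject.type) is what `yc ... list-access-bindings --format json`
is assumed to print; the revoke commands are the ones shown on this page.
"""
import json

# IAM system groups and the yc flag that names each one.
PUBLIC_SUBJECT_FLAGS = {
    "allUsers": "--allUsers",
    "allAuthenticatedUsers": "--allAuthenticatedUsers",
}

# Constructed sample output of
#   yc resource-manager folder list-access-bindings --id b1g7gvsi89m3******** --format json
# The non-public subject IDs are placeholders.
SAMPLE_BINDINGS = json.dumps([
    {"role_id": "viewer", "subject": {"id": "allAuthenticatedUsers", "type": "system"}},
    {"role_id": "viewer", "subject": {"id": "allUsers", "type": "system"}},
    {"role_id": "editor", "subject": {"id": "aje****************", "type": "userAccount"}},
    {"role_id": "storage.viewer", "subject": {"id": "aje****************", "type": "serviceAccount"}},
])


def public_bindings(bindings_json):
    """Return (role_id, subject_id) pairs granted to allUsers or allAuthenticatedUsers."""
    found = []
    for binding in json.loads(bindings_json):
        subject = binding.get("subject", {})
        if subject.get("type") == "system" and subject.get("id") in PUBLIC_SUBJECT_FLAGS:
            found.append((binding["role_id"], subject["id"]))
    return found


def revoke_commands(resource_id, bindings_json, scope="folder"):
    """Build one `yc resource-manager <scope> remove-access-binding` per public binding.

    scope is "folder" (the commands on this page) or "cloud" (assumed to take
    the same flags, since a bucket inherits from the cloud as well)."""
    if scope not in ("folder", "cloud"):
        raise ValueError(f"unsupported scope: {scope}")
    return [
        f"yc resource-manager {scope} remove-access-binding "
        f"--id {resource_id} --role {role} {PUBLIC_SUBJECT_FLAGS[subject]}"
        for role, subject in public_bindings(bindings_json)
    ]


if __name__ == "__main__":
    for cmd in revoke_commands("b1g7gvsi89m3********", SAMPLE_BINDINGS):
        print(cmd)
```

Run the same filter over the cloud's bindings as well: the warning above applies to both the folder and the cloud the bucket belongs to, and a public role at either level makes the bucket public regardless of its ACL.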