Access management methods in Object Storage: Overview
Object Storage uses various access management methods:
- Yandex Identity and Access Management (IAM)
- Access control list (ACL)
- Bucket policy
- Public access
- Security Token Service
- Pre-signed URLs
The flow chart below shows how these methods work together in Object Storage.
The checks follow this algorithm:
- IAM and bucket ACL:
  - If the request passes the IAM or bucket ACL check, it is checked whether the bucket policy is enabled.
  - If the request fails the IAM and bucket ACL checks, it is checked whether public access to the bucket is enabled.
- Public access:
  - If public access to perform the action is allowed, it is checked whether the bucket policy is enabled.
  - If public access to perform the action is denied, an access check based on the object ACL is performed.
- Bucket policy:
  - If the access policy is enabled:
    - If the request meets at least one of the Deny rules in the bucket policy, an access check based on the object ACL is performed.
    - If the request meets at least one of the Allow rules in the bucket policy, it is checked whether there is access via Security Token Service.
    - If the request does not meet any of the bucket policy rules, an access check based on the object ACL is performed.
  - If the access policy is not enabled, it is checked whether there is access via Security Token Service.
- Security Token Service:
  - If the request is made using Security Token Service:
    - If the request meets at least one of the Deny rules in the policy for the temporary key, an access check based on the object ACL is performed.
    - If the request meets at least one of the Allow rules in the policy for the temporary key, access will be allowed.
    - If the request does not meet any of the policy rules for the temporary key, an access check based on the object ACL is performed.
  - If the request is made directly, access will be allowed.
- Object ACL:
  - If the request passes the object ACL check, access will be allowed.
  - If the request fails the object ACL check, access will be denied.
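The decision order above is easy to misread, in particular the fact that a failed IAM/ACL check and a disabled bucket policy both fall through to later steps rather than denying outright. The following is an added illustrative model of that flow, not Yandex Cloud's implementation. It assumes the request and bucket state can be reduced to booleans, that the bucket-policy and temporary-key-policy rules a request matches are given as a list of their effects ("Deny" or "Allow"), and that a matching Deny takes precedence over a matching Allow, following the order in which the page lists them. It returns both the verdict and a trace of the step that produced it.

```python
# Added example: a model of the Object Storage access-check order described above.
# Illustrative code, not Yandex Cloud's implementation. Assumptions: request and
# bucket state are booleans; matched policy rules are given as a list of effects
# ("Deny"/"Allow"); a matching Deny is assumed to win over a matching Allow.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Bucket:
    policy_enabled: bool           # a bucket policy is attached to the bucket
    public_access_allowed: bool    # public access permits the requested action


@dataclass
class Request:
    iam_allows: bool               # an IAM role grants the action
    bucket_acl_allows: bool        # the bucket ACL grants the action
    object_acl_allows: bool        # the object ACL grants the action
    via_sts: bool                  # signed with a Security Token Service temporary key
    bucket_policy_matches: List[str] = field(default_factory=list)  # effects of matched bucket-policy rules
    sts_policy_matches: List[str] = field(default_factory=list)     # effects of matched temporary-key rules


def rule_verdict(matched_effects: List[str]) -> str:
    """Collapse matched rule effects: Deny first, then Allow, else no match."""
    if "Deny" in matched_effects:
        return "deny"
    if "Allow" in matched_effects:
        return "allow"
    return "none"


def object_acl_step(req: Request, trace: List[str]) -> Tuple[bool, List[str]]:
    """Final step: the object ACL decides."""
    if req.object_acl_allows:
        trace.append("object ACL: allowed")
        return True, trace
    trace.append("object ACL: denied")
    return False, trace


def evaluate(bucket: Bucket, req: Request) -> Tuple[bool, List[str]]:
    """Walk the checks in the page's order; return (allowed, trace of steps)."""
    trace: List[str] = []
    # 1. IAM and bucket ACL: passing either one is enough
    if req.iam_allows or req.bucket_acl_allows:
        trace.append("IAM/bucket ACL: passed")
    else:
        trace.append("IAM/bucket ACL: failed")
        # 2. Public access, only consulted when IAM and bucket ACL both fail
        if bucket.public_access_allowed:
            trace.append("public access: allowed")
        else:
            trace.append("public access: denied")
            return object_acl_step(req, trace)
    # 3. Bucket policy: Deny or no matching rule falls through to the object ACL
    if bucket.policy_enabled:
        verdict = rule_verdict(req.bucket_policy_matches)
        trace.append(f"bucket policy: {verdict}")
        if verdict != "allow":
            return object_acl_step(req, trace)
    else:
        trace.append("bucket policy: not enabled")
    # 4. Security Token Service: temporary-key policy, or direct request
    if req.via_sts:
        verdict = rule_verdict(req.sts_policy_matches)
        trace.append(f"temporary key policy: {verdict}")
        if verdict == "allow":
            return True, trace
        return object_acl_step(req, trace)
    trace.append("direct request: allowed")
    return True, trace


if __name__ == "__main__":
    # Constructed scenarios for a bucket with a policy and no public access
    private = Bucket(policy_enabled=True, public_access_allowed=False)
    # Role holder, request matches only an Allow rule, signed directly
    print(evaluate(private, Request(True, False, False, False, ["Allow"])))
    # Anonymous request: neither IAM/ACL nor public access, only the object ACL can admit it
    print(evaluate(private, Request(False, False, True, False)))
```

The trace is the useful part when reviewing an unexpected grant: it shows whether an anonymous request was admitted by public access, by a bucket policy Allow, or by an object ACL that nobody remembered setting.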
Identity and Access Management
Identity and Access Management is the primary method for managing access in Yandex Cloud; it is based on roles. It enables the basic access control policy. For more details, see Roles existing in the service.
The access grantees include:
- Yandex account
- Service account
- Federated user
- System group
- Public group
Access is granted for a cloud, folder, or bucket.
Access control list (ACL)
An access control list (ACL) is a list of action permissions stored directly in Object Storage. It enables the basic access control policy. ACL permissions for buckets and objects are different; see Permission types for details.
Note
If you do not need to differentiate access to specific objects, we recommend using Identity and Access Management.
The access grantees include:
- Yandex account
- Service account
- Federated user
- System group
- Public group
Access is granted for a bucket or object.
Bucket policy
A bucket policy is a list of rules that prohibit or allow actions when certain conditions are met. It allows you to granularly differentiate access to buckets, objects, and groups of objects.
The access grantees include:
- Yandex account
- Service account
- Federated user
- Anonymous user
Access is granted for a bucket, object, or a group of objects.
Public access
Public access defines the permissions granted to anonymous users to read objects, the list of objects, and bucket settings.
Access is granted for a bucket.
Warning
Public access is granted to an unlimited number of anonymous users. Use it only when other access grant mechanisms are not available.
Security Token Service
Security Token Service is an Identity and Access Management component for obtaining temporary access keys compatible with the AWS S3 API.
With temporary keys, you can set up granular access to buckets for multiple users with a single service account.
Pre-signed URLs
Pre-signed URLs give anonymous users temporary access to specific actions in Object Storage via URLs whose parameters carry the request authorization data.
Access is granted for a bucket or object.