Access management methods in Object Storage: Overview
Object Storage incorporates various access management methods:
- Yandex Identity and Access Management (IAM)
- Access control list (ACL)
- Bucket policy
- Public access
- Security Token Service
- Pre-signed URLs
The flow chart below shows how these methods work together in Object Storage.
All checks follow this algorithm:
- IAM and bucket ACL:
- If the request passes the IAM or bucket ACL check, it is checked whether the bucket access policy is enabled.
- If the request fails the IAM and bucket ACL checks, the public access to the bucket is checked.
- Public access:
- If public access to perform the action is enabled, it is checked whether the bucket access policy is enabled.
- If public access to perform the action is disabled, the next step is to check the access based on the object ACL.
- Bucket access policy:
- If access policy is enabled:
- If the request meets at least one of the
Deny
rules of the bucket policy, the next step is to check the access based on the object ACL. - If the request meets at least one of the
Allow
rules of the bucket policy, it is checked whether the access is performed via Security Token Service. - If the request does not meet any of the rules of the bucket policy, the next step is to check the access based on the object ACL.
- If the request meets at least one of the
- If the access policy is not enabled, it is checked whether access is performed via Security Token Service.
- If access policy is enabled:
- Security Token Service:
- If the request is made using Security Token Service:
- If the request meets at least one of the
Deny
policy rules for the temporary key, the next step is to check the access based on the object ACL. - If the request meets at least one of the
Allow
policy rules for the temporary key, access will be allowed. - If the request does not meet any of the policy rules for the temporary key, the next step is to check the access based on the object ACL.
- If the request meets at least one of the
- If the request is made directly, access will be allowed.
- If the request is made using Security Token Service:
- Object ACL:
- If the request passes the object ACL check, access will be allowed.
- If the request fails the object ACL check, access will be denied.
Identity and Access Management
Identity and Access Management: Basic method for managing access in Yandex Cloud using role assignment. It defines basic access permissions. For more details, see Which roles exist in the service.
Access grantees include:
- Yandex account
- Service account
- Federated user
- User group
- System group
- Public group
Access is granted to a cloud, folder, or bucket.
Access control list (ACL)
An access control list (ACL) is a list of action permissions stored directly in Object Storage. It defines basic access permissions. ACL permissions for buckets and objects are different; see Permission types for details.
Note
If you do not need to differentiate access to specific objects, we recommend using Identity and Access Management.
Access grantees include:
- Yandex account
- Service account
- Federated user
- User group (you can specify a user group using the Yandex Cloud CLI, AWS CLI, Terraform, and the API, see Editing a bucket ACL and Editing an object ACL)
- System group
- Public group
Access is granted to a bucket or object.
Bucket policy
A bucket policy is a list of rules that prohibit or allow actions when certain conditions are met. Allows you to granularly differentiate access to buckets, objects and groups of objects.
Access grantees include:
- Yandex account
- Service account
- Federated user
- User group (you can specify a user group in the policy using the Yandex Cloud CLI, AWS CLI, Terraform, and the API)
- Anonymous user
Access is granted to a bucket, object, or a group of objects.
Public access
Public access defines access permissions for anonymous users to read objects, list of objects and bucket settings.
Access is granted to a bucket.
Warning
Public access is granted to an unlimited number of anonymous users. Use it only when other access grant mechanisms are not available.
Security Token Service
Security Token Service: Identity and Access Management component to get temporary access keys compatible with AWS S3 API.
With temporary keys, you can set up granular access to buckets for multiple users with a single service account.
Pre-signed URLs
Pre-signed URLs are a way of giving anonymous users temporary access to certain actions in Object Storage using URLs that contain request authorization data in their parameters.
Access is granted to a bucket or object.