Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

yandex_storage_bucket_grant (Resource)

Written by
Updated at February 12, 2026

Allows management of grants on an existing Yandex Cloud Storage Bucket.

Warning

By default, for authentication, you need to use IAM token with the necessary permissions.

Warning

Alternatively, you can provide static access keys (Access and Secret). To generate these keys, you will need a Service Account with the appropriate permissions.

This resource should be used for managing Primitive roles only.

Declaring multiple yandex_storage_bucket_grant resources to the same bucket will cause a perpetual difference in configuration.

Example usage

provider "yandex" {
  cloud_id           = "<my_cloud_id>"
  folder_id          = "<my_folder_id>"
  storage_access_key = "<my_storage_access_key>"
  storage_secret_key = "<my_storage_secret_key>"
  token              = "<my_iam_token>"
}

resource "yandex_storage_bucket_grant" "my_grant_0" {
  bucket = "my_bucket_name_0"
  grant {
    id          = "<user_id>"
    permissions = ["READ", "WRITE", "FULL_CONTROL"]
    type        = "CanonicalUser"
  }
}

resource "yandex_storage_bucket_grant" "my_grant_1" {
  bucket = "my_bucket_name_1"
  grant {
    id          = "<user_id>"
    permissions = ["FULL_CONTROL"]
    type        = "CanonicalUser"
  }
  grant {
    uri         = "<group_uri>"
    permissions = ["READ"]
    type        = "Group"
  }
}

//
// Create new grants on an existing Storage Bucket.
//
resource "yandex_storage_bucket_grant" "my_bucket_grant" {
  bucket = "my_bucket_name_0"
  grant {
    id          = "<user0_id>"
    permissions = ["READ", "WRITE"]
    type        = "CanonicalUser"
  }
  grant {
    id          = "<user1_id>"
    permissions = ["FULL_CONTROL"]
    type        = "CanonicalUser"
  }
  grant {
    uri         = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
    permissions = ["READ"]
    type        = "Group"
  }
}

Arguments & Attributes Reference

  • access_key (String). The access key to use when applying changes. This value can also be provided as storage_access_key specified in provider config (explicitly or within shared_credentials_file) is used.
  • acl (String). The predefined ACL to apply. Defaults to private. Conflicts with grant.

Warning

To change ACL after creation, service account with storage.admin role should be used, though this role is not necessary to create a bucket with any ACL.

  • bucket (Required)(String). The name of the bucket.
  • secret_key (String). The secret key to use when applying changes. This value can also be provided as storage_secret_key specified in provider config (explicitly or within shared_credentials_file) is used.
  • grant [Block]. An ACL policy grant. Conflicts with acl.
    All permissions for a single grantee must be specified in a single grant block.

Warning

To manage grant argument, service account with storage.admin role should be used.

  • id (String). Canonical user id to grant for. Used only when type is CanonicalUser.
  • permissions (Required)(Set Of String). List of permissions to apply for grantee. Valid values are READ, WRITE, FULL_CONTROL.
  • type (Required)(String). Type of grantee to apply for. Valid values are CanonicalUser and Group.
  • uri (String). URI address to grant for. Used only when type is Group.

Import

The resource can be imported by using their resource ID. For getting it you can use Yandex Cloud Web Console or Yandex Cloud CLI.

# The resource can be imported by using their resource ID.
# For getting a resource ID you can use Yandex Cloud Web UI or YC CLI.

# terraform import yandex_storage_bucket_grant.<resource_name> resource_id
terraform import yandex_storage_bucket_grant.<resource_name> ...
Previous
storage_bucket
Next
storage_bucket_iam_binding