© 2026 Direct Cursus Technology L.L.C.

Assigning an access policy in Object Storage for a service connection

Written by
Yandex Cloud
Updated at March 6, 2026

Warning

The VPC Private Endpoints feature is at the Preview stage. To request access to the feature, contact your account manager.

Bucket policies set permissions for operations with buckets, objects, and object groups.

The minimum role required to apply or modify an access policy is storage.configurer. For more information, see the role description.

To assign an access policy in Object Storage for a service connection:

Note

At the access policy level, you can grant access to the bucket from VPC service connections with IDs specified in the policy. However, as the access flow chart shows, the bucket will still be accessible from the public network, e.g., through an object ACL or under another enabling rule in the policy.

In addition, a bucket configured this way still supports server-side copy, both from and to the bucket.

Management console
  1. In the management console, select the folder where you configured the VPC service connection.

  2. Go to Object Storage.

  3. Select the bucket from the list.

  4. In the left-hand menu, go to the Security tab.

  5. At the top of the screen, navigate to the Access policy tab.

  6. Click Configure access.

  7. Enter a bucket policy ID, e.g., private-endpoint-policy.

  8. Set up a rule:

    1. Enter a rule ID, e.g., private-endpoint-rule.

    2. Configure rule settings:

      • Result: Enable.

      • Selection principle: Include users.

      • User: All users.

      • Action: Select All actions.

      • Resource: <bucket_name>/*.

        Click Add resource and enter <bucket_name>.

        Note

        A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all the objects, specify them as separate resources, e.g., samplebucket and samplebucket/*.

    3. Add a condition for the rule:

      • In the Key field, select private-endpoint-id.
      • In the Operator field, select StringEquals.
      • In the Value field, specify the service connection (private endpoint) ID, e.g., enpd7rq1s3f5********.
  9. Click Save.

Yandex Cloud CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. See the description of the CLI command for updating bucket settings:

    yc storage bucket update --help
    
  2. Describe your bucket policy configuration as a JSON data schema:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "*",
        "Resource": [
          "arn:aws:s3:::<bucket_name>/*",
          "arn:aws:s3:::<bucket_name>"
        ],
        "Condition": {
          "StringEquals": {
            "yc:private-endpoint-id": "<connection_ID>"
          }
        }
      }
    }
    

    Where:

    • <bucket_name>: Name of the bucket in Object Storage to which you need to apply the access policy, e.g., my-s3-bucket.
    • <connection_ID>: Service connection ID (private endpoint), e.g., enpd7rq1s3f5********.
  3. Save the final configuration to a file named policy.json.

  4. Run this command:

    yc storage bucket update \
      --name <bucket_name> \
      --policy-from-file <policy_file_path>
    

    Once the bucket policy is applied, you can access the bucket only from the VPC cloud network in which you created the relevant service connection (private endpoint).

AWS CLI

Note

To manage a policy using the AWS CLI, a service account needs the storage.admin role.

If you do not have the AWS CLI yet, install and configure it.

  1. Describe your bucket policy configuration as a JSON data schema:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "*",
        "Resource": [
          "arn:aws:s3:::<bucket_name>/*",
          "arn:aws:s3:::<bucket_name>"
        ],
        "Condition": {
          "StringEquals": {
            "yc:private-endpoint-id": "<connection_ID>"
          }
        }
      }
    }
    

    Where:

    • <bucket_name>: Name of the bucket in Object Storage to which you need to apply the access policy, e.g., my-s3-bucket.
    • <connection_ID>: Service connection ID (private endpoint), e.g., enpd7rq1s3f5********.
  2. Save the final configuration to a file named policy.json.

  3. Run this command:

    aws s3api put-bucket-policy \
      --endpoint https://storage.yandexcloud.net \
      --bucket <bucket_name> \
      --policy file://policy.json
    

Once the bucket policy is applied, you can access the bucket only from the VPC cloud network in which you created the relevant service connection (private endpoint).

Terraform

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

By default, Terraform uses an IAM token for authentication in Object Storage. In addition to an IAM token, you can use a service account and static access keys for authentication in Object Storage. For more information about Terraform authentication in Object Storage, see the relevant provider documentation.

Note

If you access Object Storage via Terraform under a service account, assign to the service account the relevant role, e.g., storage.admin, for the folder you are going to create the resources in.

  1. Open the Terraform configuration file and specify the policy using the yandex_storage_bucket_policy resource:

    resource "yandex_storage_bucket_policy" "bpolicy" {
      bucket = "my-policy-bucket"
      policy = <<POLICY
    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "*",
        "Resource": [
          "arn:aws:s3:::<bucket_name>/*",
          "arn:aws:s3:::<bucket_name>"
        ],
        "Condition": {
          "StringEquals": {
            "yc:private-endpoint-id": "<connection_ID>"
          }
        }
      }
    }
    POLICY
    }
    

    Where:

    • <bucket_name>: Name of the bucket in Object Storage to which you need to apply the access policy, e.g., my-s3-bucket.
    • <connection_ID>: Service connection ID (private endpoint), e.g., enpd7rq1s3f5********.

    For more information about yandex_storage_bucket_policy properties, see this provider guide.

  2. Apply the changes:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate
      

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

    You can check the update using the management console.

API

To configure a bucket policy, use the update REST API method for the Bucket resource, the BucketService/Update gRPC API call, or the PutBucketPolicy S3 API method. If the bucket already had a bucket policy configured, it will be completely overwritten once you apply the new policy.
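The console, Yandex Cloud CLI, AWS CLI and Terraform steps above all apply the same single Allow statement with a yc:private-endpoint-id condition. The Python script below is an added example, not code from this page or from Yandex Cloud: it fills the <bucket_name> and <connection_ID> placeholders into that policy document (the output is what you would save as policy.json) and then runs a simplified evaluation of the statement against constructed requests. The evaluator, the bucket name my-s3-bucket and the connection ID enpd7rq1s3f5example are assumptions for illustration; the evaluator models only the Effect, Action, Resource and StringEquals semantics the page's policy uses and is not Object Storage's own policy engine.

```python
"""Fill in and evaluate the private-endpoint bucket policy from this page.

Added example: models only Effect / Action / Resource / StringEquals,
which is all the page's single statement uses. Not Object Storage's engine.
"""
import json
import re

# Condition key used by the page's policy.
PRIVATE_ENDPOINT_KEY = "yc:private-endpoint-id"


def build_policy(bucket_name: str, connection_id: str) -> dict:
    """Return the page's policy with <bucket_name> and <connection_ID> filled in.

    The checks are constructed sanity checks, not Object Storage's validation
    rules: they stop an unfilled "<...>" placeholder from reaching policy.json.
    """
    for label, value in (("bucket name", bucket_name), ("connection ID", connection_id)):
        if not value or "<" in value or ">" in value or value != value.strip():
            raise ValueError(f"{label} looks unfilled or malformed: {value!r}")
    return {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            # Bucket and its objects are separate resources (see the note above).
            "Resource": [
                f"arn:aws:s3:::{bucket_name}/*",
                f"arn:aws:s3:::{bucket_name}",
            ],
            "Condition": {"StringEquals": {PRIVATE_ENDPOINT_KEY: connection_id}},
        },
    }


def policy_json(policy: dict) -> str:
    """Serialise the policy the way you would save it to policy.json."""
    return json.dumps(policy, indent=2)


def _glob_match(pattern: str, value: str) -> bool:
    """Match a policy pattern where '*' stands for any run of characters."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource_arn: str, context: dict) -> str:
    """Simplified evaluation of one request against the policy.

    Returns "Deny" if a matching statement denies, "Allow" if one allows, and
    "NoMatch" if no statement applies: then this policy decides nothing and
    other mechanisms (an object ACL, another enabling rule) determine access.
    Unknown condition operators raise instead of being skipped, so the model
    fails closed rather than over-approximating Allow.
    """
    decision = "NoMatch"
    for stmt in _as_list(policy["Statement"]):
        if not any(_glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {})
        unsupported = set(conditions) - {"StringEquals"}
        if unsupported:
            raise NotImplementedError(f"condition operator(s) not modelled: {sorted(unsupported)}")
        if not all(context.get(key) == value
                   for key, value in conditions.get("StringEquals", {}).items()):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def demo() -> dict:
    """Evaluate constructed requests; bucket name and IDs are made-up sample values."""
    connection = "enpd7rq1s3f5example"  # constructed sample ID, not a real endpoint
    policy = build_policy("my-s3-bucket", connection)
    obj = "arn:aws:s3:::my-s3-bucket/report.csv"
    bucket = "arn:aws:s3:::my-s3-bucket"
    # Same statement with only the objects resource, to show why the page tells
    # you to list the bucket and its objects as separate resources.
    objects_only = dict(policy, Statement=dict(policy["Statement"], Resource=[f"{bucket}/*"]))
    return {
        "get_from_endpoint": evaluate(policy, "s3:GetObject", obj, {PRIVATE_ENDPOINT_KEY: connection}),
        "get_from_other_endpoint": evaluate(policy, "s3:GetObject", obj, {PRIVATE_ENDPOINT_KEY: "enpdother"}),
        "get_from_public_network": evaluate(policy, "s3:GetObject", obj, {}),
        "list_from_endpoint": evaluate(policy, "s3:ListBucket", bucket, {PRIVATE_ENDPOINT_KEY: connection}),
        "list_objects_only_policy": evaluate(objects_only, "s3:ListBucket", bucket, {PRIVATE_ENDPOINT_KEY: connection}),
    }


if __name__ == "__main__":
    print(policy_json(build_policy("my-s3-bucket", "enpd7rq1s3f5example")))
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Two results are worth reading together with the note at the top of this page. A request carrying a different endpoint ID, or none at all (the public-network case), comes back as "NoMatch", not "Deny": this statement only ever allows, so anything else that grants access to the bucket, such as an object ACL or another enabling rule, still applies. The objects-only variant shows the second note in practice: with only <bucket_name>/* listed, a bucket-level operation such as listing is not covered, which is why the bucket and its objects must be given as separate resources.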

Learn more about managing a bucket policy in Bucket policy management.
