Assigning an access policy in Object Storage for a service connection
Warning
The Service connections functionality (VPC Private Endpoints) is at the Preview stage and will become available for testing from September 26, 2024. To request access, contact your account manager.
Bucket policies set permissions for operations with buckets, objects, and object groups.
The minimum role required to apply or modify an access policy is storage.configurer. For more information, see the role description.
To assign an access policy in Object Storage for a service connection:
Management console

- In the management console, select the folder where you configured the VPC service connection.
- Select Object Storage.
- Select a bucket from the list.
- Go to the Security tab in the left-hand menu.
- At the top of the screen, go to the Access policy tab.
- Click Configure access.
- Enter a bucket policy ID, e.g., private-endpoint-policy.
- Set up a rule:
  - Enter a rule ID, e.g., private-endpoint-rule.
  - Configure rule settings:
    - Result: Enable.
    - Selection principle: Include users.
    - User: All users.
    - Action: Select All actions.
    - Resource: <bucket_name>/*. Click Add resource and enter <bucket_name>.
      Note
      A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all objects, specify them as separate resources, such as samplebucket and samplebucket/*.
  - Add a condition for the rule:
    - In the Key field, select private-endpoint-id.
    - In the Operator field, select StringEquals.
    - In the Value field, specify the service connection (Private Endpoint) ID, e.g., enpd7rq1s3f5********.
- Click Save.
AWS CLI

Note
To manage a policy using the AWS CLI, a service account must have the storage.admin role assigned.
If you do not have the AWS CLI yet, install and configure it.
- Describe your access policy configuration as a data schema in JSON format:

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "*",
    "Resource": [
      "arn:aws:s3:::<bucket_name>/*",
      "arn:aws:s3:::<bucket_name>"
    ],
    "Condition": {
      "StringEquals": {
        "yc:private-endpoint-id": "<connection_ID>"
      }
    }
  }
}
```

  Where:
  - <bucket_name>: Name of the bucket in Object Storage to apply the access policy to, e.g., my-s3-bucket.
  - <connection_ID>: Service connection (Private Endpoint) ID, e.g., enpd7rq1s3f5********.
- Once complete, save the configuration to a file named policy.json.
- Run this command:

```bash
aws s3api put-bucket-policy \
  --endpoint https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --policy file://policy.json
```
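As an added illustration (not the page's or Yandex Cloud's own code), the following Python builds the policy.json document described above and runs a simplified, default-deny evaluation of it, showing that the same request is allowed through the listed service connection and denied without it, and that listing only <bucket_name> would not cover objects. The functions build_policy and is_allowed, the simplified evaluation semantics, and the sample bucket name and connection ID are assumptions and constructed placeholders for this example.

```python
import fnmatch
from typing import Optional

# Constructed sample values; the connection ID is a placeholder in the page's format.
BUCKET = "my-s3-bucket"
CONNECTION_ID = "enpd7rq1s3f5********"

def build_policy(bucket: str, connection_id: str) -> dict:
    """Return the policy.json document from the page for one bucket and one connection."""
    return {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            # The bucket and its objects are separate resources; both must be listed.
            "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"],
            "Condition": {"StringEquals": {"yc:private-endpoint-id": connection_id}},
        },
    }

def is_allowed(policy: dict, action: str, resource_arn: str,
               private_endpoint_id: Optional[str]) -> bool:
    """Simplified, default-deny evaluator (an assumption for illustration, not the
    service's own logic): a request passes only if an Allow statement matches its
    action and resource and every StringEquals condition holds. A request that does
    not arrive through a service connection carries no private-endpoint ID (None)."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    context = {"yc:private-endpoint-id": private_endpoint_id}
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        conditions = st.get("Condition", {}).get("StringEquals", {})
        if all(context.get(key) == value for key, value in conditions.items()):
            return True
    return False

if __name__ == "__main__":
    policy = build_policy(BUCKET, CONNECTION_ID)
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    print(is_allowed(policy, "s3:GetObject", obj, CONNECTION_ID))  # True
    print(is_allowed(policy, "s3:GetObject", obj, None))           # False
```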
After the bucket policy has been applied, the bucket can be accessed only from the VPC cloud network in which the relevant service connection (Private Endpoint) was created.
To learn more about managing a bucket policy, see Bucket policy management.