Configuring an Object Storage restriction for access only from service connections
You can restrict access to a bucket at the service level. This will make access to the bucket possible only from VPC service connections.
Warning
With this option on, the bucket will not be accessible from the public network. Also, as currently implemented, the bucket will not be accessible from the management console either.
To allow access to the bucket only from VPC service connections at the service level:
If you do not have the Yandex Cloud command line interface (CLI) yet, install and initialize it.
The folder specified when creating the CLI profile is used by default. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can specify a different folder using the `--folder-name` or `--folder-id` parameter.
- Create additional DNS resource records to override the public FQDN of the service to which the connection is created. To do this, enable a special VPC service connection parameter:

  ```bash
  yc vpc private-endpoint update \
    --id <service_connection_ID> \
    --private-dns-records-enabled
  ```

- Update the bucket settings by specifying the parameters for access only from VPC service connections:

  ```bash
  yc storage bucket update \
    --name <bucket_name> \
    --enable-private-endpoints true \
    --private-endpoints <service_connection_ID>
  ```

  Where:
  - `--name`: Bucket name.
  - `--enable-private-endpoints`: Parameter for access to the bucket only from VPC service connections. If you do not set this parameter, the bucket will be accessible from both the public network and VPC service connections.
  - `--private-endpoints`: List of IDs of VPC service connections to allow access from.

  Warning
  If you do not specify the IDs of VPC service connections, the bucket will not be accessible from anywhere. However, you can still disable the restriction for access only from VPC service connections.
To restore access to the bucket from the public network, update the bucket settings:

```bash
yc storage bucket update \
  --name <bucket_name> \
  --enable-private-endpoints false
```

Where:
- `--name`: Bucket name.
- `--enable-private-endpoints`: Parameter for access to the bucket only from VPC service connections.

Tip
After you remove the restriction for access only from VPC service connections, the list of service connections provided earlier in the `--private-endpoints` parameter remains in the bucket settings. If you choose to restrict access again, you do not have to provide the list one more time.
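The whole procedure above, wrapped in a small POSIX shell script as an added example (this is not from the Yandex Cloud documentation or the yc CLI project). It refuses an empty or malformed service connection list, which would otherwise lock the bucket out of every network, enables private DNS records on each listed connection before restricting the bucket, and supports a dry run that prints the yc commands instead of executing them. The comma-separated form of the `--private-endpoints` value, the `DRY_RUN` variable and the function names are assumptions of this example; check the list syntax against `yc storage bucket update --help` before relying on it.

```shell
#!/bin/sh
# Added example (not from the Yandex Cloud docs or the yc CLI): restrict a
# bucket to a set of VPC service connections with the guard rails a
# practitioner wants around the two-step procedure.
# Assumptions: connection IDs are passed as one comma-separated argument
# (verify the list syntax with `yc storage bucket update --help`);
# DRY_RUN=1 prints each yc command instead of running it.

# Runs a command, or prints it when DRY_RUN=1.
yc_run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '[dry-run] %s\n' "$*"
    else
        "$@"
    fi
}

# Rejects an empty or malformed list. Enabling private endpoints with no IDs
# makes the bucket unreachable from anywhere, as the warning above states;
# restricting the characters also keeps the IDs safe for word splitting below.
validate_endpoints() {
    ids=$1
    if [ -z "$ids" ]; then
        echo "error: at least one VPC service connection ID is required" >&2
        return 1
    fi
    case "$ids" in
        ,*|*,|*,,*|*[!A-Za-z0-9,]*)
            echo "error: malformed service connection list: $ids" >&2
            return 1 ;;
    esac
    return 0
}

# Step 1 for every listed connection, then step 2 for the bucket.
restrict_bucket() {
    bucket=$1
    ids=$2
    validate_endpoints "$ids" || return 1
    for ep in $(printf '%s\n' "$ids" | tr ',' ' '); do
        yc_run yc vpc private-endpoint update \
            --id "$ep" \
            --private-dns-records-enabled || return 1
    done
    yc_run yc storage bucket update \
        --name "$bucket" \
        --enable-private-endpoints true \
        --private-endpoints "$ids"
}

# Re-opens the bucket to the public network. The service keeps the stored
# endpoint list, so it does not need to be passed again.
restore_public_access() {
    yc_run yc storage bucket update \
        --name "$1" \
        --enable-private-endpoints false
}

# Usage: DRY_RUN=1 ./bucket-private.sh restrict <bucket> <id1,id2,...>
#        ./bucket-private.sh restore <bucket>
case "${1:-}" in
    restrict) restrict_bucket "$2" "$3" ;;
    restore)  restore_public_access "$2" ;;
esac
```

Run it once with `DRY_RUN=1` to review the exact commands before applying them; the functions can also be sourced into an existing deployment script.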
Server-side copy
Server-side copy behaves as follows when one or both buckets are restricted to VPC service connections:
- If both the source and target buckets are configured to be accessed only from VPC service connections, server-side copy can only be initiated by a request from a service connection listed among the allowed ones for both buckets, and only if the client has read permissions for the source bucket and write permissions for the target bucket. If the request does not come from a service connection, it will not be executed.
- If the source bucket is configured to be accessed only from VPC service connections, while the target bucket is accessible from the public network, server-side copy can only be initiated by a request from a service connection listed among the allowed ones for the source bucket, and only if the client has read permissions for the source bucket and write permissions for the target bucket.
- If the source bucket is accessible from the public network, while the target bucket is configured to be accessed only from VPC service connections, server-side copy can only be initiated by a request from a service connection listed among the allowed ones for the target bucket, and only if the client has read permissions for the source bucket and write permissions for the target bucket.
- If both the source and target buckets are accessible from the public network, server-side copy can be initiated only if the client has read permissions for the source bucket and write permissions for the target bucket, even if the request came from a service connection.
In short, the request must originate from a service connection that is allowed by every restricted bucket taking part in the copy, and the usual read permission on the source and write permission on the target are required in all four cases.