Configuring an Object Storage restriction for access only from service connections
You can restrict access to a bucket at the service level. This will make access to the bucket possible only from VPC service connections.
Warning
With this option on, the bucket will not be accessible from the public network. Also, as currently implemented, no access to the bucket will be possible from the management console. See also Server side copy.
To allow access to the bucket only from VPC service connections at the service level:
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
-
Create additional DNS resource records to override the public FQDN of the service to which the connection is created. To do this, enable a special VPC service connection parameter:
yc vpc private-endpoint update \ --id <service_connection_ID> \ --private-dns-records-enabled -
Update the bucket settings by specifying the parameters for access only from VPC service connections:
yc storage bucket update \ --name <bucket_name> \ --enable-private-endpoints true \ --private-endpoints <service_connection_ID>Where:
-
--name: Bucket name. -
--enable-private-endpoints: Parameter for access to the bucket only from VPC service connections. If you do not set this parameter, the bucket will be accessible from both the public network and VPC service connections. -
--private-endpoints: List of IDs of VPC service connections to allow access from.Warning
If you do not specify the IDs of VPC service connections, the bucket will not be accessible from anywhere. However, you can still disable the restrictions for access only from VPC service connections.
-
To restore access to the bucket from the public network:
Update the bucket settings:
yc storage bucket update \
--name <bucket_name> \
--enable-private-endpoints false
Where:
-
--name: Bucket name. -
--enable-private-endpoints: Parameter for access to the bucket only from VPC service connections.Tip
After you remove the restriction for access only from VPC service connections, the list of service connections provided earlier in the
--private-endpointsparameter remains in the bucket settings. If you choose to restrict access again, you do not have to provide the list one more time.
Server-side copy
For details on server-side copy in buckets with access restricted to VPC service connections, refer to this table:
| Source bucket | Target bucket | Condition to initiate server-side copying1 |
|---|---|---|
| Access restricted to VPC service connections | Access restricted to VPC service connections | Request from a service connection listed as allowed for both buckets |
| Access restricted to VPC service connections | Access from a public network | Request from a service connection listed as allowed for the source bucket |
| Access from a public network | Access restricted to VPC service connections | Request from a service connection listed as allowed for the target bucket |
| Access from a public network | Access from a public network | Request from a public network or service connection |
1 If the client has permissions to read from the source bucket and write to the target bucket.