Authentication with the Object Storage API
You can use the following types of APIs to work with Object Storage:
AWS S3 API
To authenticate in the AWS S3 API and work with Terraform and other supported tools, use a static access key. A static access key is issued for a specific service account, and all actions involving this key are performed on behalf of the associated service account. For more information, see How do I use the S3 API?.
For a full list of S3 API methods, see S3 API reference.
Note
A service account is only allowed to view a list of buckets in the folder it was created in.
A service account can perform actions with objects in buckets that are created in folders different from the service account folder. To enable this, assign the service account roles for the appropriate folder or its bucket.
Yandex Cloud gRPC and REST APIs
For authentication in Yandex Cloud gRPC and REST APIs, get an IAM token. Learn more about how to get an IAM token for different types of accounts:
Specify the received IAM token when accessing Yandex Cloud resources via the API. Pass the IAM token in the Authorization header in the following format:
Authorization: Bearer <IAM token>
For a full list of Yandex Cloud API calls and methods, see gRPC API and REST API references.
Yandex Cloud API usage example
In the example, a 50 GB bucket is created with a standard storage class.
export IAM_TOKEN="<IAM token>"
grpcurl \
  -H "Authorization: Bearer $IAM_TOKEN" \
  -d '{
    "name": "<bucket_name>",
    "folder_id": "<folder_ID>",
    "default_storage_class": "STANDARD",
    "max_size": "53687091200",
    "anonymous_access_flags": [{
      "read": false,
      "list": false,
      "configRead": false
    }]
  }' \
  storage.api.cloud.yandex.net:443 \
  yandex.cloud.storage.v1.BucketService/Create
Where:
IAM_TOKEN: IAM token.
name: Bucket name.
folder_id: Folder ID.
default_storage_class: Storage class.
max_size: Bucket size.
anonymous_access_flags: Bucket access settings:
  read: Public access to read objects.
  list: Public access to the list of objects.
  configRead: Public access to read the configuration.
Result:
{
  "id": "e3ehmmasama1********",
  "description": "create bucket",
  "createdAt": "2023-08-10T06:32:19.836842Z",
  "createdBy": "ajego134p5h1********",
  "modifiedAt": "2023-08-10T06:32:19.836842Z",
  "done": true,
  "metadata": {"@type":"type.googleapis.com/yandex.cloud.storage.v1.CreateBucketMetadata","name":"<bucket_name>"},
  "response": {"@type":"type.googleapis.com/yandex.cloud.storage.v1.Bucket","acl":{},"anonymousAccessFlags":{"read":false,"list":false},"createdAt":"2023-08-10T06:32:17.557756Z","defaultStorageClass":"STANDARD","folderId":"b1gmit33ngp3********","maxSize":"53687091200","name":"<bucket_name>","versioning":"VERSIONING_DISABLED"}
}
export IAM_TOKEN="<IAM token>"
curl -X POST \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $IAM_TOKEN" \
  -d '{
    "name": "<bucket_name>",
    "folderId": "<folder_ID>",
    "defaultStorageClass": "STANDARD",
    "maxSize": "53687091200",
    "anonymousAccessFlags": {
      "read": false,
      "list": false,
      "configRead": false
    }
  }' \
  https://storage.api.cloud.yandex.net/storage/v1/buckets
Where:
IAM_TOKEN: IAM token.
name: Bucket name.
folderId: Folder ID.
defaultStorageClass: Storage class.
maxSize: Bucket size.
anonymousAccessFlags: Bucket access settings:
  read: Public access to read objects.
  list: Public access to the list of objects.
  configRead: Public access to read the configuration.
Result:
{
  "done": true,
  "metadata": {
    "@type": "type.googleapis.com/yandex.cloud.storage.v1.CreateBucketMetadata",
    "name": "<bucket_name>"
  },
  "response": {
    "@type": "type.googleapis.com/yandex.cloud.storage.v1.Bucket",
    "anonymousAccessFlags": {
      "read": false,
      "list": false
    },
    "acl": {},
    "name": "<bucket_name>",
    "folderId": "b1gmit33ngp3********",
    "defaultStorageClass": "STANDARD",
    "versioning": "VERSIONING_DISABLED",
    "maxSize": "53687091200",
    "createdAt": "2023-08-08T12:54:29.321021Z"
  },
  "id": "e3enrkcct2pt********",
  "description": "create bucket",
  "createdAt": "2023-08-08T12:54:32.111022Z",
  "createdBy": "ajego134p5h1********",
  "modifiedAt": "2023-08-08T12:54:32.111022Z"
}
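The following Python sketch is an added example, not part of the original page or of Yandex Cloud's own code. It builds the REST request shown above with every anonymous access flag explicitly disabled, then audits a create-bucket result for public access. The function names build_create_request and audit_result are hypothetical, and a flag missing from the result (as configRead is in both results above) is reported as unreported rather than assumed to have any value.

```python
import json
import urllib.request

API_URL = "https://storage.api.cloud.yandex.net/storage/v1/buckets"  # from the page
FLAGS = ("read", "list", "configRead")  # flag names used on the page


def build_create_request(token, name, folder_id, max_size=53687091200):
    """Build (without sending) the REST request with all public access off."""
    # Reject tokens that would corrupt the Authorization header.
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("IAM token is empty or contains whitespace")
    body = {
        "name": name,
        "folderId": folder_id,
        "defaultStorageClass": "STANDARD",
        "maxSize": str(max_size),
        "anonymousAccessFlags": {flag: False for flag in FLAGS},
    }
    return urllib.request.Request(
        API_URL,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
    )


def audit_result(operation):
    """Return (public, unreported) flag names from a create-bucket result."""
    if not operation.get("done") or "response" not in operation:
        raise ValueError("operation is not finished or has no response")
    flags = operation["response"].get("anonymousAccessFlags", {})
    public = [f for f in FLAGS if flags.get(f) is True]
    unreported = [f for f in FLAGS if f not in flags]
    return public, unreported


# Constructed sample: the page's "Result", trimmed to the fields checked here.
SAMPLE_RESULT = {
    "done": True,
    "response": {
        "name": "<bucket_name>",
        "anonymousAccessFlags": {"read": False, "list": False},
    },
}

if __name__ == "__main__":
    public, unreported = audit_result(SAMPLE_RESULT)
    print("public:", public, "unreported:", unreported)
```

Read the token from the IAM_TOKEN environment variable at call time rather than embedding it in the script, and keep it out of any logging of the request.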