Access control lists (ACLs)

Access control lists allow you to control access to buckets and objects.

Yandex.Cloud uses two independent mechanisms for managing access to Object Storage resources:

• Identity and Access Management (IAM documentation)
• ACL Object Storage

Object Storage creates ACLs for all objects and buckets. ACLs are empty by default. Users with the appropriate IAM rights can upload ACLs for Object Storage resources. Each ACL contains a list of users who are allowed to access objects and buckets and specifies user permissions. Permissions and users in the IAM and ACL may differ. To learn how Object Storage verifies access to resources, see Checking permissions.

You can grant permission to Yandex.Cloud users, service accounts, and system groups.

To grant permission to a Yandex.Cloud user, you need to know their account ID. You can find the account ID:

• In the IAM section of the management console.
• Using the CLI or API.

To grant permission to a service account you need to retrieve its ID in the Service accounts section of the management console.

To grant permission to a system group, you need to know its URI. For more information, see System groups.

Object Storage supports predefined ACLs, which contain common permission sets.

The ACL structure can be viewed in the ACL XML schema.

Object Storage supports operations for uploading and downloading ACLs. No operation is available to delete ACLs. To remove all access permissions, upload an empty ACL. Object Storage creates an empty ACL for each new object or bucket by default.

Checking permissions

Yandex.Cloud uses two mechanisms for managing access to Object Storage resources:

• Identity and Access Management
• ACL

When receiving a request to a bucket or object, Object Storage checks access permissions with both mechanisms. If the required access is granted from either method, Object Storage executes the request.

Permissions granted to a bucket apply to all of the objects it contains. You can extend user permissions to individual objects by adding them to the relevant objects' ACL.

Permission types

Permissions correspond to user roles in Identity and Access Management.

Permission	IAM role	Description
READ	viewer	For buckets: permission to retrieve a list of objects in the bucket, read various bucket settings (lifecycle, CORS, static hosting), and read all objects in the bucket. For objects: read permission.
WRITE	editor	For buckets: permission to write objects to the bucket. It must be used along with READ. You cannot specify WRITE separately. For objects: this permission is meaningless, as permission is checked for the bucket when writing an object.
FULL_CONTROL	admin	Full access to objects and buckets.
READ_ACP	viewer	ACL read permission. For objects only.
WRITE_ACP	editor	ACL write permission. For objects only.

Predefined ACLs

ACL	Description
private bucket-owner-full-control	Cloud users are granted permissions according to their roles in IAM.
public-read	The system AllUsers group has READ permission.
public-read-write	The system AllUsers group has READ and WRITE permissions.
authenticated-read	The system AuthenticatedUsers group has READ permission.

Predefined ACLs can be applied to both objects and buckets. When applied to an object, the public-read-write ACL is the same as public-read.

System groups

AllUsers

Includes all internet users.

Permission for AllUsers looks like this:

<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
</Grantee>

AuthenticatedUsers

Includes all Yandex.Cloud users.

Permission for AuthenticatedUsers looks like this:

<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
</Grantee>