Yandex.Cloud
Yandex Object Storage

Access control lists (ACLs)

  • Permission recipient ID
  • ACL operations
  • Permission types
  • Predefined ACLs
  • System groups
    • AllUsers
    • AuthenticatedUsers
  • Inheritance of bucket access rights by Yandex.Cloud system groups
    • How to view bucket access rights inherited from folders

Yandex.Cloud uses two independent mechanisms for managing access to Object Storage resources:

  • Identity and Access Management (IAM) settings.
  • Object Storage ACLs: a list of permissions for each bucket and object, stored directly in Object Storage.

When Object Storage receives a request for a bucket or object, it checks the permissions granted by both mechanisms. If either mechanism grants the required access, the request is executed; a permission granted through one mechanism is not restricted by the other. Permissions granted on a bucket apply to all objects it contains; ACLs let you grant additional access to individual objects.

Warning

A bucket inherits the same access rights in the IAM service as those of the folder and cloud where it's located.

For example, if users have the viewer role in IAM for the bucket's folder, they can view its contents even if it isn't reflected in the bucket ACL.

By default, Object Storage creates an empty ACL for each new object or bucket. Users with the appropriate access rights can edit and upload ACLs for Object Storage buckets and objects.

You can use ACLs to grant permissions to Yandex.Cloud users, service accounts, and system groups. To do this, you need to know the permission recipient's ID. When granting permissions, you can use predefined ACLs, which contain common permission sets.

To view the ACL structure, see ACL XML schema. You can set up to 100 rules per ACL.

Note

ACLs uploaded for objects are applied immediately. ACLs uploaded for buckets and access permissions updated in the IAM service apply after a delay. For more information about delays, see the IAM documentation.

Permission recipient ID

  • Yandex.Cloud user

    You can get the ID in the following ways:

    • In the IAM section of the management console.
    • Using the CLI or IAM API.
  • A service account

    To get the ID, go to the Service accounts section in the management console.

  • System group

    Use the system group URI to grant permissions.

ACL operations

  • In the management console, you can edit ACLs for buckets and objects.

  • Using an Amazon S3-compatible API, you can upload or download ACLs for buckets or objects.

    You can't delete ACLs. To remove all access permissions, upload an empty ACL.

Permission types

Each ACL permission corresponds to a user role in Identity and Access Management.

  • READ (IAM role: viewer)

    For buckets: permission to list the objects in the bucket, read bucket settings (lifecycle, CORS, static hosting), and read every object in the bucket.

    For objects: permission to read the object.

  • WRITE (IAM role: editor)

    For buckets: permission to upload objects to the bucket and to overwrite or delete objects in it. WRITE must be granted together with READ; it cannot be specified on its own.

    For objects: meaningless, because write access is checked on the bucket when an object is written.

  • FULL_CONTROL (IAM role: admin)

    Full access to objects and buckets.

  • READ_ACP (IAM role: viewer)

    Permission to read the ACL. For objects only.

  • WRITE_ACP (IAM role: editor)

    Permission to write the ACL. For objects only.

Note

If you specify WRITE permission, but not READ when making an ACL, Object Storage will return the code 501 Not Implemented.

Predefined ACLs

ACL                          Description
private                      Yandex.Cloud users get permissions according to their roles in IAM.
bucket-owner-full-control    Yandex.Cloud users get permissions according to their roles in IAM.
public-read                  The AllUsers system group gets READ permission.
public-read-write            The AllUsers system group gets READ and WRITE permissions.
authenticated-read           The AuthenticatedUsers system group gets READ permission.

Predefined ACLs can be applied to both buckets and objects. Applied to an object, public-read-write is equivalent to public-read, because WRITE has no meaning for an object.

A predefined ACL can only be set through the Amazon S3-compatible HTTP API: pass its name in the x-amz-acl HTTP header of the request.

System groups

AllUsers

Includes all internet users.

Permission for AllUsers looks like this:

<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
</Grantee>

AuthenticatedUsers

Includes all authenticated Yandex.Cloud users: both from your clouds and other users' clouds.

Permission for AuthenticatedUsers looks like this:

<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
</Grantee>
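
The Python script below is an added example (it is not code from the Yandex.Cloud documentation or from Object Storage itself) that ties together the permission types, the predefined ACLs and the two system groups described above: it parses an ACL document, reports grants that make a bucket or object public or that Object Storage rejects (WRITE without READ, more than 100 rules), and builds the XML body for bucketPutAcl / objectPutAcl, including the empty ACL used to remove all permissions. The AccessControlPolicy / Owner / AccessControlList / Grant layout is the Amazon S3-compatible ACL XML; the sample ACL and the owner ID are constructed placeholders, and treating a document with no Grant elements as the page's "empty ACL" is an assumption.

```python
"""Build and audit Object Storage ACL documents.

Added example, not code from the Yandex.Cloud documentation. The document layout
(AccessControlPolicy / Owner / AccessControlList / Grant) is the Amazon S3-compatible
ACL XML; the Group grantees are the ones quoted above. Sample data is constructed.
"""
import xml.etree.ElementTree as ET

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
MAX_GRANTS = 100  # Object Storage accepts at most 100 rules per ACL

# Grants that each predefined (x-amz-acl) ACL adds on top of IAM roles, per the page.
PREDEFINED = {
    "private": [],
    "bucket-owner-full-control": [],
    "public-read": [(ALL_USERS, "READ")],
    "public-read-write": [(ALL_USERS, "READ"), (ALL_USERS, "WRITE")],
    "authenticated-read": [(AUTH_USERS, "READ")],
}


def _local(tag):
    """'{uri}Grant' -> 'Grant', so parsing works with or without a default namespace."""
    return tag.rsplit("}", 1)[-1]


def parse_acl(acl_xml):
    """Return (owner_id, [(grantee, permission), ...]); grantee is a group URI or account ID."""
    owner_id, grants = None, []
    for el in ET.fromstring(acl_xml).iter():
        name = _local(el.tag)
        if name == "Owner":
            owner_id = next(((c.text or "").strip() for c in el if _local(c.tag) == "ID"), None)
        elif name == "Grant":
            grantee = permission = None
            for child in el:
                if _local(child.tag) == "Grantee":
                    for sub in child:
                        if _local(sub.tag) in ("URI", "ID"):
                            grantee = (sub.text or "").strip()
                elif _local(child.tag) == "Permission":
                    permission = (child.text or "").strip()
            grants.append((grantee, permission))
    return owner_id, grants


def build_acl(owner_id, grants):
    """Serialize grants to the XML body for bucketPutAcl / objectPutAcl. An empty list
    yields no Grant elements (assumption: that is the page's "empty ACL")."""
    root = ET.Element("AccessControlPolicy", {"xmlns": S3_NS})
    ET.SubElement(ET.SubElement(root, "Owner"), "ID").text = owner_id
    acl = ET.SubElement(root, "AccessControlList")
    for grantee, permission in grants:
        is_group = grantee.startswith("http://acs.amazonaws.com/groups/")
        grant = ET.SubElement(acl, "Grant")
        who = ET.SubElement(grant, "Grantee", {f"{{{XSI}}}type": "Group" if is_group else "CanonicalUser"})
        ET.SubElement(who, "URI" if is_group else "ID").text = grantee
        ET.SubElement(grant, "Permission").text = permission
    return ET.tostring(root, encoding="unicode")


def audit(owner_id, grants):
    """Findings a reviewer of a bucket or object ACL would want to see."""
    findings = []
    if len(grants) > MAX_GRANTS:
        findings.append(f"{len(grants)} grants exceed the limit of {MAX_GRANTS}")
    by_grantee = {}
    for grantee, permission in grants:
        by_grantee.setdefault(grantee, set()).add(permission)
    for grantee, perms in by_grantee.items():
        if "WRITE" in perms and "READ" not in perms:
            findings.append(f"WRITE without READ for {grantee}: rejected with 501 Not Implemented")
        if grantee == ALL_USERS:
            findings.append(f"PUBLIC to the whole internet: {sorted(perms)}")
        elif grantee == AUTH_USERS:
            findings.append(f"PUBLIC to any Yandex.Cloud account, not only yours: {sorted(perms)}")
        if grantee != owner_id and perms & {"FULL_CONTROL", "WRITE_ACP"}:
            findings.append(f"{grantee} can rewrite the ACL itself: {sorted(perms)}")
    return findings


# Constructed sample: the owner keeps FULL_CONTROL and the object has been made world-readable.
SAMPLE_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>owner-id-placeholder</ID></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>owner-id-placeholder</ID></Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group"><URI>http://acs.amazonaws.com/groups/global/AllUsers</URI></Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""

if __name__ == "__main__":
    owner, grants = parse_acl(SAMPLE_ACL)
    print(*audit(owner, grants), sep="\n")
    print(build_acl(owner, []))  # the empty ACL that removes every ACL-level permission
```

In practice, feed parse_acl the body returned by bucketGetAcl or objectGetAcl. A clean ACL says nothing about access inherited through IAM roles on the folder or cloud, which the next section covers.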

Inheritance of bucket access rights by Yandex.Cloud system groups

A bucket inherits the same access rights in the IAM service as those of the folder and cloud where it's located. If users have access rights to the folder or cloud that the bucket belongs to, they'll also have access to the bucket itself.

Warning

Assigning roles to system groups allUsers and allAuthenticatedUsers for the folder or cloud that the bucket belongs to is the same as granting public access to the bucket:

  • allAuthenticatedUsers: All authenticated Yandex.Cloud users get access to the bucket, both from your clouds and other users' clouds.
  • allUsers: Access is granted to all users.

You can grant similar access rights to a bucket by adding access rights for the AuthenticatedUsers and AllUsers groups in the bucket ACL.

How to view bucket access rights inherited from folders

A bucket inherits access rights from its folder. If you want to know exactly what access rights your bucket inherited, get a list of roles for the folder. You can also revoke these roles at any time.

  • To get a list of folder roles, run the command:

    yc resource-manager folder list-access-bindings \
        --id b1g7gvsi89m34qmcm4ke
    

    Sample command output:

    +---------+--------------+-----------------------+
    | ROLE ID | SUBJECT TYPE |      SUBJECT ID       |
    +---------+--------------+-----------------------+
    | viewer  | system       | allAuthenticatedUsers |
    | viewer  | system       | allUsers              |
    +---------+--------------+-----------------------+
    

    The output lists allAuthenticatedUsers and allUsers with the viewer role. Members of both groups therefore have viewer access to the folder and to every resource in it, including its buckets.

  • To revoke a role from the allAuthenticatedUsers system group, run the command:

    yc resource-manager folder remove-access-binding \
        --id b1g7gvsi89m34qmcm4ke \
        --role viewer \
        --allAuthenticatedUsers
    
  • To revoke a role from the allUsers system group, run the command:

    yc resource-manager folder remove-access-binding \
        --id b1g7gvsi89m34qmcm4ke \
        --role viewer \
        --allUsers
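
As an added example (not the page's own tooling), the Python script below automates the check above: it reads the JSON output of yc resource-manager folder list-access-bindings --format json, lists the bindings held by the allUsers and allAuthenticatedUsers system groups, emits the matching remove-access-binding commands, and, given a bucket's ACL grants, reports every route by which a system group reaches the bucket, since either mechanism is sufficient on its own. The JSON field names (role_id, subject.id, subject.type) are assumed from yc's output format, and the sample bindings are constructed to mirror the table on the page.

```python
"""Find folder-level IAM bindings that expose every bucket in the folder.

Added example, not code from the Yandex.Cloud documentation. It reads the JSON form of
`yc resource-manager folder list-access-bindings --id <folder-id> --format json`; the
field names role_id, subject.id and subject.type are assumed from yc's JSON output.
The bindings below are constructed sample data mirroring the table on the page.
"""
import json

ACL_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "allUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "allAuthenticatedUsers",
}
SYSTEM_GROUPS = {
    "allUsers": "anyone on the internet",
    "allAuthenticatedUsers": "any authenticated Yandex.Cloud account, including other customers'",
}

# Constructed sample, shaped like `yc ... --format json` output (field names assumed).
SAMPLE_BINDINGS_JSON = """[
  {"role_id": "viewer", "subject": {"id": "allAuthenticatedUsers", "type": "system"}},
  {"role_id": "viewer", "subject": {"id": "allUsers", "type": "system"}},
  {"role_id": "editor", "subject": {"id": "ajeexampleuser000000", "type": "userAccount"}}
]"""


def public_bindings(bindings_json):
    """Return [(role_id, group)] for every binding granted to a system group."""
    found = []
    for binding in json.loads(bindings_json):
        subject = binding.get("subject", {})
        if subject.get("type") == "system" and subject.get("id") in SYSTEM_GROUPS:
            found.append((binding["role_id"], subject["id"]))
    return found


def revoke_commands(folder_id, public):
    """The yc commands from the page that revoke each public binding."""
    return [
        f"yc resource-manager folder remove-access-binding --id {folder_id} "
        f"--role {role} --{group}"
        for role, group in public
    ]


def exposure(folder_bindings_json, acl_grants):
    """Every reason a system group can reach the bucket, combining both mechanisms.

    acl_grants is [(grantee, permission)] from the bucket ACL. Either mechanism is enough
    on its own, so fixing the ACL while a folder binding remains leaves the bucket open.
    """
    reasons = []
    for role, group in public_bindings(folder_bindings_json):
        reasons.append(f"IAM: {group} ({SYSTEM_GROUPS[group]}) holds {role} on the folder")
    for grantee, permission in acl_grants:
        if grantee in ACL_GROUP_URIS:
            reasons.append(f"ACL: {ACL_GROUP_URIS[grantee]} has {permission} in the bucket ACL")
    return reasons


if __name__ == "__main__":
    public = public_bindings(SAMPLE_BINDINGS_JSON)
    print(*exposure(SAMPLE_BINDINGS_JSON, []), sep="\n")
    print(*revoke_commands("b1g7gvsi89m34qmcm4ke", public), sep="\n")
```

Run it against a real folder with yc resource-manager folder list-access-bindings --id <folder-id> --format json piped into public_bindings; the same check belongs at cloud level, since bindings on the cloud are inherited by the folder as well.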
    
© 2021 Yandex.Cloud LLC