Get started
Yandex Object Storage

Access control lists (ACLs)

Yandex.Cloud uses two independent mechanisms for managing access to Object Storage resources:

  • Identity and Access Management settings.
  • An Object Storage ACL is a list of permissions for each object and bucket and is stored directly in Object Storage.

When receiving a request to a bucket or object, Object Storage checks access permissions through both mechanisms. If the required access is granted from either method, Object Storage executes the request. Permissions granted to a bucket apply to all of the objects it contains. With ACLs, you can extend access permissions to individual objects.

Warning

A bucket inherits the same access rights in the IAM service as those of the folder and cloud where it's located.

For example, if users have the viewer role in IAM for the bucket's folder, they can view its contents even if it isn't reflected in the bucket ACL.

By default, Object Storage creates an empty ACL for each new object or bucket. Users with the appropriate access rights can edit and upload ACLs for Object Storage buckets and objects.

You can use ACLs to grant permissions to Yandex.Cloud users, service accounts, and system groups. To do this, you need to know the permission recipient's ID. When granting permissions, you can use predefined ACLs, which contain common permission sets.

To view the ACL structure, see ACL XML schema. You can set up to 100 rules per ACL.

Note

ACLs uploaded for objects are applied immediately. ACLs uploaded for buckets and access permissions updated in the IAM service apply after a delay. For more information about delays, see the IAM documentation.

Permission recipient ID

  • User Yandex.Cloud

    You can get the ID in the following ways:

  • A service account

    To get the ID, go to the Service accounts section in the management console.

  • System group

    Use the system group URI to grant permissions.

ACL operations

  • In the management console, you can edit ACLs for buckets and objects.

  • Using an Amazon S3-compatible API, you can upload or download ACLs for buckets or objects.

    You can't delete ACLs. To remove all access permissions, upload an empty ACL.

Permission types

Permissions correspond to user roles in Identity and Access Management.

Permission IAM role Description
READ viewer For buckets: permission to retrieve a list of objects in the bucket, read various bucket settings (lifecycle, CORS, static hosting), and read all objects in the bucket.

For objects: read permission.
WRITE editor For buckets: permission to write objects to the bucket, rewrite and delete them from there.
It must be used along with READ. You cannot specify WRITE separately.

For objects: this permission is meaningless, as permission is checked for the bucket when writing an object.
FULL_CONTROL admin Full access to objects and buckets.
READ_ACP viewer ACL read permission. For objects only.
WRITE_ACP editor ACL write permission. For objects only.

Note

If you specify WRITE permission, but not READ when making an ACL, Object Storage will return the code 501 Not Implemented.

Predefined ACLs

ACL Description
private
bucket-owner-full-control		 Yandex.Cloud users get permissions according to their roles in IAM.
public-read The AllUsers system group gets READ permission.
public-read-write The AllUsers system group gets READ and WRITE permissions.
authenticated-read The AuthenticatedUsers system group gets READ permission.

Predefined ACLs can be applied to both objects and buckets. When applied to an object, the public-read-write ACL is the same as public-read.

You can upload a predefined ACL using only an Amazon S3-compatible HTTP API. When uploading an ACL, use the x-amz-acl HTTP header.

System groups

AllUsers

Includes all internet users.

Permission for AllUsers looks like this:

<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
</Grantee>

AuthenticatedUsers

Includes all authenticated Yandex.Cloud users: both from your clouds and other users' clouds.

Permission for AuthenticatedUsers looks like this:

<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
</Grantee>

Inheritance of bucket access rights by system groups Yandex.Cloud

A bucket inherits the same access rights in the IAM service as those of the folder and cloud where it's located. If users have access rights to the folder or cloud that the bucket belongs to, they'll also have access to the bucket itself.

Warning

Assigning roles to system groups allUsers and allAuthenticatedUsers for the folder or cloud that the bucket belongs to is the same as granting public access to the bucket:

  • allAuthenticatedUsers: All authenticated Yandex.Cloud users get access to the bucket, both from your clouds and other users' clouds.
  • allUsers: Access is granted to all users.

You can grant similar access rights to a bucket by adding access rights for the AuthenticatedUsers and AllUsers groups in the bucket ACL.

How to view bucket access rights inherited from folders

A bucket inherits access rights from its folder. If you want to know exactly what access rights your bucket inherited, get a list of roles for the folder. You can also revoke these roles at any time.

  • To get a list of folder roles, run the command:

    yc resource-manager folder list-access-bindings \
    --id b1g7gvsi89m34qmcm4ke

    Sample command output:

    +---------+--------------+-----------------------+
| ROLE ID | SUBJECT TYPE |      SUBJECT ID       |
+---------+--------------+-----------------------+
| viewer  | system       | allAuthenticatedUsers |
| viewer  | system       | allUsers              |
+---------+--------------+-----------------------+

    The output contains allAuthenticatedUsers and allUsers. This means that users of these groups are granted rights for this folder and all resources contained in it, including buckets.

  • To revoke a role from the allAuthenticatedUsers system group, run the command:

    yc resource-manager folder remove-access-binding \
    --id b1g7gvsi89m34qmcm4ke \
    --role viewer \
    --allAuthenticatedUsers

  • To revoke a role from the allUsers system group, run the command:

    yc resource-manager folder remove-access-binding \
    --id b1g7gvsi89m34qmcm4ke \
    --role viewer \
    --allUsers
In this article: