Access control lists (ACLs)
Yandex.Cloud uses two independent mechanisms for managing access to Object Storage resources:
- Identity and Access Management settings.
- An Object Storage ACL is a list of permissions for each object and bucket and is stored directly in Object Storage.
When receiving a request to a bucket or object, Object Storage checks access permissions through both mechanisms. If the required access is granted from either method, Object Storage executes the request. Permissions granted to a bucket apply to all of the objects it contains. With ACLs, you can extend access permissions to individual objects.
A bucket inherits the same access rights in the IAM service as those of the folder and cloud where it's located.
For example, if users have the
viewerrole in IAM for the bucket's folder, they can view its contents even if it isn't reflected in the bucket ACL.
By default, Object Storage creates an empty ACL for each new object or bucket. Users with the appropriate access rights can edit and upload ACLs for Object Storage buckets and objects.
You can use ACLs to grant permissions to Yandex.Cloud users, service accounts, and system groups. To do this, you need to know the permission recipient's ID. When granting permissions, you can use predefined ACLs, which contain common permission sets.
To view the ACL structure, see ACL XML schema. You can set up to 100 rules per ACL.
ACLs uploaded for objects are applied immediately. ACLs uploaded for buckets and access permissions updated in the IAM service apply after a delay. For more information about delays, see the IAM documentation.
Permission recipient ID
You can get the ID in the following ways:
To get the ID, go to the Service accounts section in the management console.
Use the system group URI to grant permissions.
Using an Amazon S3-compatible API, you can upload or download ACLs for buckets or objects.
You can't delete ACLs. To remove all access permissions, upload an empty ACL.
Permissions correspond to user roles in Identity and Access Management.
||For buckets: permission to retrieve a list of objects in the bucket, read various bucket settings (lifecycle, CORS, static hosting), and read all objects in the bucket.
For objects: read permission.
||For buckets: permission to write objects to the bucket, rewrite and delete them from there.
It must be used along with
For objects: this permission is meaningless, as permission is checked for the bucket when writing an object.
||Full access to objects and buckets.|
||ACL read permission. For objects only.|
||ACL write permission. For objects only.|
If you specify
WRITE permission, but not
READ when making an ACL, Object Storage will return the code
501 Not Implemented.
||Yandex.Cloud users get permissions according to their roles in IAM.|
Predefined ACLs can be applied to both objects and buckets. When applied to an object, the
public-read-write ACL is the same as
You can upload a predefined ACL using only an Amazon S3-compatible HTTP API. When uploading an ACL, use the
x-amz-acl HTTP header.
Includes all internet users.
AllUsers looks like this:
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group"> <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI> </Grantee>
Includes all authenticated Yandex.Cloud users: both from your clouds and other users' clouds.
AuthenticatedUsers looks like this:
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group"> <URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI> </Grantee>
Inheritance of bucket access rights by system groups Yandex.Cloud
A bucket inherits the same access rights in the IAM service as those of the folder and cloud where it's located. If users have access rights to the folder or cloud that the bucket belongs to, they'll also have access to the bucket itself.
Assigning roles to system groups
allAuthenticatedUsers for the folder or cloud that the bucket belongs to is the same as granting public access to the bucket:
allAuthenticatedUsers: All authenticated Yandex.Cloud users get access to the bucket, both from your clouds and other users' clouds.
allUsers: Access is granted to all users.
You can grant similar access rights to a bucket by adding access rights for the
AllUsers groups in the bucket ACL.
How to view bucket access rights inherited from folders
A bucket inherits access rights from its folder. If you want to know exactly what access rights your bucket inherited, get a list of roles for the folder. You can also revoke these roles at any time.
To get a list of folder roles, run the command:
yc resource-manager folder list-access-bindings \ --id b1g7gvsi89m34qmcm4ke
Sample command output:
+---------+--------------+-----------------------+ | ROLE ID | SUBJECT TYPE | SUBJECT ID | +---------+--------------+-----------------------+ | viewer | system | allAuthenticatedUsers | | viewer | system | allUsers | +---------+--------------+-----------------------+
The output contains
allUsers. This means that users of these groups are granted rights for this folder and all resources contained in it, including buckets.
To revoke a role from the
allAuthenticatedUserssystem group, run the command:
yc resource-manager folder remove-access-binding \ --id b1g7gvsi89m34qmcm4ke \ --role viewer \ --allAuthenticatedUsers
To revoke a role from the
allUserssystem group, run the command:
yc resource-manager folder remove-access-binding \ --id b1g7gvsi89m34qmcm4ke \ --role viewer \ --allUsers