Access control lists (ACLs)
Access control lists allow you to control access to buckets and objects.
Yandex.Cloud uses two independent mechanisms for managing access to Object Storage resources:
- Identity and Access Management (IAM documentation)
- ACL Object Storage.
Object Storage creates ACLs for all objects and buckets. ACLs are empty by default. Users with the appropriate IAM rights can upload ACLs for Object Storage resources. Each ACL contains a list of users who are allowed to access objects and buckets and specifies user permissions. Permissions and users in the IAM and ACL may differ. To learn how Object Storage verifies access to resources, see Checking permissions.
You can grant permission to Yandex.Cloud users, service accounts, and system groups.
To grant permission to a Yandex.Cloud user, you need to know their account ID. You can find the account ID:
- In the IAM section of the management console.
- Using the CLI or API.
To grant permission to a service account by retrieving its ID in the Service accounts section of the management console.
To grant permission to a system group, you need to know its URI. Learn more in System groups.
Object Storage supports predefined ACLs, which contain common permission sets.
To view the ACL structure, see ACL XML schema.
Object Storage supports operations for uploading and downloading ACLs. No operation is available to delete ACLs. To remove all access permissions, upload an empty ACL. Object Storage creates an empty ACL for each new object or bucket by default.
Note
ACLs uploaded for objects are applied immediately. ACLs uploaded for buckets and access permissions updated in the IAM service apply after a delay. For more information about delays, see IAM documentation.
Checking permissions
Yandex.Cloud uses two mechanisms for managing access to Object Storage resources:
- Identity and Access Management
- ACL
When receiving a request to a bucket or object, Object Storage checks access permissions through both mechanisms. If the required access is granted from either method, Object Storage executes the request.
Permissions granted to a bucket apply to all of the objects it contains. You can extend user permissions to individual objects by adding them to the relevant objects' ACL.
Permission types
Permissions correspond to user roles in Identity and Access Management.
| Permission | IAM role | Description |
|---|---|---|
READ |
viewer |
For buckets: permission to retrieve a list of objects in the bucket, read various bucket settings (lifecycle, CORS, static hosting), and read all objects in the bucket. For objects: read permission. |
WRITE |
editor |
For buckets: permission to write objects to the bucket. It must be used along with READ. You cannot specify WRITE separately.For objects: this permission is meaningless, as permission is checked for the bucket when writing an object. |
FULL_CONTROL |
admin |
Full access to objects and buckets. |
READ_ACP |
viewer |
ACL read permission. For objects only. |
WRITE_ACP |
editor |
ACL write permission. For objects only. |
Note
If you specify WRITE permission, but not READ when making an ACL, Object Storage will return the code 501 Not Implemented.
Predefined ACLs
| ACL | Description |
|---|---|
privatebucket-owner-full-control |
Cloud users get permissions according to their roles in IAM. |
public-read |
The AllUsers system group gets READ permission. |
public-read-write |
The AllUsers system group gets READ and WRITE permissions. |
authenticated-read |
The AuthenticatedUsers system group gets READ permission. |
Predefined ACLs can be applied to both objects and buckets. When applied to an object, the public-read-write ACL is the same as public-read.
System groups
AllUsers
Includes all internet users.
Permission for AllUsers looks like this:
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
<URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
</Grantee>
AuthenticatedUsers
Includes all Yandex.Cloud users.
Permission for AuthenticatedUsers looks like this:
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
<URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
</Grantee>