Get started
Yandex Object Storage

Access control lists (ACLs)

Yandex.Cloud uses two independent mechanisms for managing access to Object Storage resources:

  • Identity and Access Management settings.
  • An Object Storage ACL is a list of permissions for each object and bucket and is stored directly in Object Storage.

When receiving a request to a bucket or object, Object Storage checks access permissions through both mechanisms. If the required access is granted from either method, Object Storage executes the request. Permissions granted to a bucket apply to all of the objects it contains. With ACLs, you can extend access permissions to individual objects.

By default, Object Storage creates an empty ACL for each new object or bucket. Users with the appropriate access rights can edit and upload ACLs for Object Storage buckets and objects.

You can use ACLs to grant permissions to Yandex.Cloud users, service accounts, and system groups. To do this, you need to know the permission recipient's ID. When granting permissions, you can use predefined ACLs, which contain common permission sets.

To view the ACL structure, see ACL XML schema. You can set up to 100 rules per ACL.

Note

ACLs uploaded for objects are applied immediately. ACLs uploaded for buckets and access permissions updated in the IAM service apply after a delay. For more information about delays, see the IAM documentation.

Permission recipient ID

  • Yandex.Cloud user

    You can get the ID in the following ways:

  • A service account

    To get the ID, go to the Service accounts section in the management console.

  • System group

    Use the system group URI to grant permissions.

ACL operations

  • In the management console, you can edit ACLs for buckets and objects.

  • Using an Amazon S3-compatible API, you can upload or download ACLs for buckets or objects.

    You can't delete ACLs. To remove all access permissions, upload an empty ACL.

Permission types

Permissions correspond to user roles in Identity and Access Management.

Permission IAM role Description
READ viewer For buckets: permission to retrieve a list of objects in the bucket, read various bucket settings (lifecycle, CORS, static hosting), and read all objects in the bucket.

For objects: read permission.
WRITE editor For buckets: permission to write objects to the bucket.
It must be used along with READ. You cannot specify WRITE separately.

For objects: this permission is meaningless, as permission is checked for the bucket when writing an object.
FULL_CONTROL admin Full access to objects and buckets.
READ_ACP viewer ACL read permission. For objects only.
WRITE_ACP editor ACL write permission. For objects only.

Note

If you specify WRITE permission, but not READ when making an ACL, Object Storage will return the code 501 Not Implemented.

Predefined ACLs

ACL Description
private
bucket-owner-full-control		 Yandex.Cloud users get permissions according to their roles in IAM.
public-read The AllUsers system group gets READ permission.
public-read-write The AllUsers system group gets READ and WRITE permissions.
authenticated-read The AuthenticatedUsers system group gets READ permission.

Predefined ACLs can be applied to both objects and buckets. When applied to an object, the public-read-write ACL is the same as public-read.

You can upload a predefined ACL using only an Amazon S3-compatible HTTP API. When uploading an ACL, use the x-amz-acl HTTP header.

System groups

AllUsers

Includes all internet users.

Permission for AllUsers looks like this:

<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
</Grantee>

AuthenticatedUsers

Includes all Yandex.Cloud users.

Permission for AuthenticatedUsers looks like this:

<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
</Grantee>