Access management methods in Object Storage: Overview
Object Storage incorporates various access management methods:
- Yandex Identity and Access Management (IAM)
- Access control list (ACL)
- Bucket policy
- Public access
- Security Token Service
- Pre-signed URLs
The flow chart below shows how these methods work together in Object Storage.
All checks follow this algorithm:
- IAM and bucket ACL:
  - If the request passes the IAM or bucket ACL check, it is checked whether the bucket access policy is enabled.
  - If the request fails the IAM and bucket ACL checks, the public access to the bucket is checked.
- Public access:
  - If public access to perform the action is enabled, it is checked whether the bucket access policy is enabled.
  - If public access to perform the action is disabled, the next step is to check the access based on the object ACL.
- Bucket access policy:
  - If the access policy is enabled:
    - If the request meets at least one of the Deny rules of the bucket policy, the next step is to check the access based on the object ACL.
    - If the request meets at least one of the Allow rules of the bucket policy, it is checked whether the access is performed via Security Token Service.
    - If the request does not meet any of the rules of the bucket policy, the next step is to check the access based on the object ACL.
  - If the access policy is not enabled, it is checked whether access is performed via Security Token Service.
- Security Token Service:
  - If the request is made using Security Token Service:
    - If the request meets at least one of the Deny policy rules for the temporary key, the next step is to check the access based on the object ACL.
    - If the request meets at least one of the Allow policy rules for the temporary key, access will be allowed.
    - If the request does not meet any of the policy rules for the temporary key, the next step is to check the access based on the object ACL.
  - If the request is made directly, access will be allowed.
- Object ACL:
  - If the request passes the object ACL check, access will be allowed.
  - If the request fails the object ACL check, access will be denied.
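To make the decision chain above concrete, here is an added Python model of it. This is example code written for this page, not Yandex Cloud's implementation: the `Rule`, `Request` and `Bucket` classes, the simplified rule format (effect, actions, principals, with `*` meaning any) and the sample bucket are all constructed assumptions. Real IAM roles, ACLs and bucket policies are evaluated by the service; the value of the model is that it returns, for each request, both the decision and the list of steps the chain visited, which is what you need when reasoning about why a bucket policy Deny still falls through to the object ACL.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

ANONYMOUS = "anonymous"   # principal used for unauthenticated requests (constructed label)


@dataclass(frozen=True)
class Rule:
    """A simplified policy rule (constructed model): effect, actions, principals; '*' means any."""
    effect: str                 # "Allow" or "Deny"
    actions: FrozenSet[str]
    principals: FrozenSet[str]

    def matches(self, principal: str, action: str) -> bool:
        return (("*" in self.actions or action in self.actions)
                and ("*" in self.principals or principal in self.principals))


@dataclass
class Request:
    principal: str                 # IAM subject id, or ANONYMOUS
    action: str                    # e.g. "GetObject", "PutObject", "ListObjects"
    key: Optional[str] = None      # object key; None for bucket-level actions
    via_sts: bool = False          # True when the call uses a temporary STS key


@dataclass
class Bucket:
    iam: Dict[str, Set[str]]                    # principal -> actions granted via IAM roles
    bucket_acl: Dict[str, Set[str]]             # principal -> actions granted by the bucket ACL
    public_actions: Set[str]                    # actions open to anonymous users
    policy: Optional[List[Rule]]                # None means the bucket policy is not enabled
    object_acl: Dict[str, Dict[str, Set[str]]]  # key -> principal -> actions from the object ACL


def _grants(table: Dict[str, Set[str]], principal: str, action: str) -> bool:
    return action in table.get(principal, set())


def _policy_effect(rules: List[Rule], principal: str, action: str) -> Optional[str]:
    """Deny if any Deny rule matches, else Allow if any Allow rule matches, else None."""
    effects = {r.effect for r in rules if r.matches(principal, action)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return None


def evaluate(req: Request, bucket: Bucket,
             sts_policy: Optional[List[Rule]] = None) -> Tuple[str, List[str]]:
    """Walk the decision chain from the overview; returns (decision, list of steps visited)."""
    trace: List[str] = []

    def object_acl() -> Tuple[str, List[str]]:
        trace.append("object ACL")
        acl = bucket.object_acl.get(req.key, {}) if req.key is not None else {}
        return ("allow" if _grants(acl, req.principal, req.action) else "deny"), trace

    def sts() -> Tuple[str, List[str]]:
        trace.append("STS")
        if not req.via_sts:
            return "allow", trace                   # direct request: allowed
        if _policy_effect(sts_policy or [], req.principal, req.action) == "Allow":
            return "allow", trace                   # temporary-key policy allows
        return object_acl()                         # Deny or no matching rule

    def bucket_policy() -> Tuple[str, List[str]]:
        trace.append("bucket policy")
        if bucket.policy is None:
            return sts()                            # policy not enabled
        if _policy_effect(bucket.policy, req.principal, req.action) == "Allow":
            return sts()
        return object_acl()                         # Deny or no matching rule

    trace.append("IAM / bucket ACL")
    if (_grants(bucket.iam, req.principal, req.action)
            or _grants(bucket.bucket_acl, req.principal, req.action)):
        return bucket_policy()
    trace.append("public access")
    if req.action in bucket.public_actions:
        return bucket_policy()
    return object_acl()


# Constructed sample bucket for the walkthrough; not real cloud data.
SAMPLE_BUCKET = Bucket(
    iam={"svc-account-1": {"GetObject", "PutObject"}},
    bucket_acl={"user-2": {"ListObjects"}},
    public_actions={"GetObject"},
    policy=[
        Rule("Allow", frozenset({"GetObject"}), frozenset({"*"})),
        Rule("Deny", frozenset({"PutObject"}), frozenset({"svc-account-1"})),
    ],
    object_acl={"reports/q1.csv": {"user-3": {"GetObject", "DeleteObject"}}},
)


if __name__ == "__main__":
    for r in [Request("svc-account-1", "GetObject", "reports/q1.csv"),
              Request("svc-account-1", "PutObject", "reports/q1.csv"),
              Request(ANONYMOUS, "GetObject", "reports/q1.csv"),
              Request("user-3", "DeleteObject", "reports/q1.csv")]:
        print(r.principal, r.action, *evaluate(r, SAMPLE_BUCKET))
```

Two traces are worth studying. The anonymous `GetObject` on the sample bucket is allowed because public access hands the request to the bucket policy, whose `Allow` rule for `*` matches, and a direct request then passes the STS step unconditionally; if the bucket policy were disabled, the same request would still be allowed via the STS step. The `PutObject` from `svc-account-1` passes IAM but hits a bucket policy `Deny`, which does not reject outright: it falls through to the object ACL, and is denied only because that ACL grants nothing to the service account.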
Identity and Access Management
Identity and Access Management: the basic method for managing access in Yandex Cloud, based on role assignment. It defines basic access permissions. For more details, see Which roles exist in the service.
Access grantees include:
- Yandex account
- Service account
- Federated user
- User group
- System group
Access is granted to a cloud, folder, or bucket.
Access control list (ACL)
An access control list (ACL) is a list of action permissions stored directly in Object Storage. It defines basic access permissions. ACL permissions for buckets and objects are different; see Permission types for details.
Note
If you do not need to differentiate access to specific objects, we recommend using Identity and Access Management.
Access grantees include:
- Yandex account
- Service account
- Federated user
- User group
- System group
Access is granted to a bucket or object.
Bucket policy
A bucket policy is a list of rules that prohibit or allow actions when certain conditions are met. It allows you to granularly differentiate access to buckets, objects, and groups of objects.
Access grantees include:
- Yandex account
- Service account
- Federated user
- Anonymous user
Access is granted to a bucket, object, or a group of objects.
Public access
Public access defines the permissions of anonymous users to read objects, the list of objects, and bucket settings.
Access is granted to a bucket.
Warning
Public access is granted to an unlimited number of anonymous users. Use it only when other access grant mechanisms are not available.
Security Token Service
Note
The Security Token Service feature is at the Preview stage.
Security Token Service: an Identity and Access Management component for getting temporary access keys compatible with the AWS S3 API.
With temporary keys, you can set up granular access to buckets for multiple users with a single service account.
Pre-signed URLs
Pre-signed URLs are a way of giving anonymous users temporary access to certain actions in Object Storage using URLs that contain request authorization data in their parameters.
Access is granted to a bucket or object.