Access control lists (ACLs)
Yandex Cloud uses two independent mechanisms for managing access to Object Storage resources:
- Identity and Access Management (IAM).
- An Object Storage ACL: a list of permissions for each object and bucket, stored directly in Object Storage.
When receiving a request to a bucket or object, Object Storage checks access permissions through both mechanisms. If the required access is granted from either method, Object Storage executes the request. Permissions granted to a bucket apply to all of the objects it contains. With ACLs, you can extend access permissions to individual objects.
Warning
A bucket inherits the same access rights in the IAM service as those of the folder and cloud where it's located. For example, if users have the viewer role in IAM for the bucket's folder, they can view its contents even if this isn't reflected in the bucket ACL.
By default, Object Storage creates an empty ACL for each new object or bucket. Users with the appropriate access rights can edit and upload ACLs for Object Storage buckets and objects.
You can use ACLs to grant permissions to Yandex Cloud users, service accounts, and system groups. To do this, you need to know the permission recipient's ID. When granting permissions, you can use predefined ACLs, which contain common permission sets.
To view the ACL structure, see ACL XML schema. You can set up to 100 rules per ACL.
Note
ACLs uploaded for objects are applied immediately. ACLs uploaded for buckets and access permissions updated in the IAM service apply after a delay. For more information about delays, see the IAM documentation.
Permission recipient ID
- Yandex Cloud user: you can get the ID in the following ways:
  - In the IAM section of the management console.
  - Using the CLI.
- Service account: to get the ID, go to the Service accounts section in the management console.
- System group: use the system group URI to grant permissions.
ACL operations
- In the management console, you can edit ACLs for buckets and objects.
- Using an Amazon S3-compatible API, you can upload or download ACLs for buckets or objects.
You can't delete ACLs. To remove all access permissions, upload an empty ACL.
Permission types
Permissions correspond to user roles in IAM.
Permission | Role in IAM | Description |
---|---|---|
READ | viewer | For buckets: permission to retrieve a list of objects in the bucket, read various bucket settings (lifecycle, CORS, static hosting), and read all objects in the bucket. For objects: read permission. |
WRITE | editor | For buckets: permission to write, rewrite, and delete objects in the bucket. It must be used along with READ; you cannot specify WRITE separately. For objects: this permission is meaningless, as permission is checked on the bucket when writing an object. |
FULL_CONTROL | admin | Full access to objects and buckets. |
READ_ACP | viewer | ACL read permission. For objects only. |
WRITE_ACP | editor | ACL write permission. For objects only. |
Note
If you specify the WRITE permission but not READ when creating an ACL, Object Storage returns the code 501 Not Implemented.
Predefined ACLs
ACL | Description |
---|---|
private, bucket-owner-full-control | Yandex Cloud users get permissions according to their roles in IAM. |
public-read | The AllUsers system group gets READ permission. |
public-read-write | The AllUsers system group gets READ and WRITE permissions. |
authenticated-read | The AuthenticatedUsers system group gets READ permission. |
Predefined ACLs can be applied to both objects and buckets. When applied to an object, the public-read-write ACL is the same as public-read.
You can upload a predefined ACL only using an Amazon S3-compatible HTTP API. When uploading an ACL, use the X-Amz-Acl HTTP header.
System groups
AllUsers
Includes all internet users. Permission for AllUsers looks like this:
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
</Grantee>
AuthenticatedUsers
Includes all authenticated Yandex Cloud users: both from your clouds and other users' clouds. Permission for AuthenticatedUsers looks like this:
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
  <URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
</Grantee>
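As an added example (not part of the Yandex Cloud documentation), the following script audits an ACL document for the conditions described above: grants to the AllUsers and AuthenticatedUsers system groups, and a WRITE grant without the READ that the permission table requires. It assumes the S3-style AccessControlPolicy/Grant/Permission layout and a constructed sample ACL.

```python
import xml.etree.ElementTree as ET

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Constructed sample ACL (assumed S3-style layout): AllUsers gets WRITE with no READ, AuthenticatedUsers gets READ.
SAMPLE_ACL = """<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<AccessControlList>
<Grant>
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
<URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
</Grantee>
<Permission>WRITE</Permission>
</Grant>
<Grant>
<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
<URI>http://acs.amazonaws.com/groups/global/AuthenticatedUsers</URI>
</Grantee>
<Permission>READ</Permission>
</Grant>
</AccessControlList>
</AccessControlPolicy>"""

def _local(tag):
    """Strip the namespace from an element tag: '{ns}Grant' -> 'Grant'."""
    return tag.rsplit("}", 1)[-1]

def parse_grants(xml_text):
    """Return (grantee URI or user ID, permission) for every <Grant> in the ACL."""
    grants = []
    for grant in ET.fromstring(xml_text).iter():
        if _local(grant.tag) == "Grant":
            grantee = next(c for c in grant if _local(c.tag) == "Grantee")
            ident = next(c.text.strip() for c in grantee if _local(c.tag) in ("URI", "ID"))
            perm = next(c for c in grant if _local(c.tag) == "Permission").text.strip()
            grants.append((ident, perm))
    return grants

def audit_acl(xml_text):
    """Flag grants to the system groups and WRITE grants that lack READ."""
    findings, perms = [], {}
    for ident, perm in parse_grants(xml_text):
        perms.setdefault(ident, set()).add(perm)
        if ident == ALL_USERS:
            findings.append(f"public: AllUsers granted {perm}")
        elif ident == AUTH_USERS:
            findings.append(f"any authenticated Yandex Cloud user granted {perm}")
    for ident, granted in perms.items():  # the page says WRITE must come with READ
        if "WRITE" in granted and "READ" not in granted:
            findings.append(f"{ident}: WRITE without READ (Object Storage returns 501)")
    return findings
```

Run audit_acl on the XML returned by a GetBucketAcl or GetObjectAcl request to see which grants expose the resource beyond its IAM roles.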
Inheritance of bucket access rights by Yandex Cloud system groups
A bucket inherits the same access rights in the IAM service as those of the folder and cloud where it's located. If users have access rights to the folder or cloud that the bucket belongs to, they'll also have access to the bucket itself.
Warning
Assigning roles to the allUsers and allAuthenticatedUsers system groups for the folder or cloud that the bucket belongs to is the same as granting public access to the bucket:
- allAuthenticatedUsers: all authenticated Yandex Cloud users get access to the bucket, both from your clouds and other users' clouds.
- allUsers: access is granted to all users.
You can grant similar access rights to a bucket by adding access rights for the AuthenticatedUsers and AllUsers groups in the bucket ACL.
How to view bucket access rights inherited from folders
A bucket inherits access rights from its folder. If you want to know exactly what access rights your bucket inherited, get a list of roles for the folder. You can also revoke these roles at any time.
- To get a list of folder roles, run the command:
yc resource-manager folder list-access-bindings \
  --id b1g7gvsi89m34qmcm4ke
Result:
+---------+--------------+-----------------------+
| ROLE ID | SUBJECT TYPE | SUBJECT ID            |
+---------+--------------+-----------------------+
| viewer  | system       | allAuthenticatedUsers |
| viewer  | system       | allUsers              |
+---------+--------------+-----------------------+
The output contains allAuthenticatedUsers and allUsers. This means that users of these groups are granted rights for this folder and all resources contained in it, including buckets.
- To revoke a role from the allAuthenticatedUsers system group, run the command:
yc resource-manager folder remove-access-binding \
  --id b1g7gvsi89m34qmcm4ke \
  --role viewer \
  --allAuthenticatedUsers
- To revoke a role from the allUsers system group, run the command:
yc resource-manager folder remove-access-binding \
  --id b1g7gvsi89m34qmcm4ke \
  --role viewer \
  --allUsers