© 2023 Yandex.Cloud LLC

Bucket policy

Written by
Yandex Cloud
  • Bucket access via the management console
  • Sample configurations

Bucket policies set permissions for actions with buckets, objects, and groups of objects.

A policy is triggered when a user makes a request to a resource. As a result, the request is either executed or rejected.

Access is verified at three levels: Yandex Identity and Access Management service verification, the access policy, and the ACL permission list.

  1. If a request passes the IAM check, the next step is the bucket policy check.
  2. Bucket policy rules are checked in the following order:
    1. If the request meets at least one of the Deny rules, access is denied.
    2. If the request meets at least one of the Allow rules, access is allowed.
    3. If the request doesn't meet any of the rules, access is denied.
  3. If the request failed the IAM or bucket policy check, access verification is performed based on an object's ACL.

The bucket policy consists of the following basic elements:

  • Resource: A bucket (arn:aws:s3:::samplebucket), an object in the bucket (arn:aws:s3:::samplebucket/some/key), or a prefix (arn:aws:s3:::samplebucket/some/path/*).
  • Action: A set of resource operations that the policy either prohibits or allows. For more information, see Actions.
  • Effect: The result, which is either denying or allowing the requested action. First, the request is checked against the Deny action filter. If matched, the request is rejected and no further checks are performed. If it meets the Allow action filter criteria, the request is allowed. If the request doesn't meet any of the filters, it's rejected.
  • Principal: The recipient of the requested policy permission. This can be an IAM user, a federated user, a service account, or an anonymous user.
  • Condition: Specifies when a policy is in effect. For more information, see Conditions.

A JSON-like language is used to describe policy rules.

To apply a policy to a bucket, see the instructions.

Bucket access via the management console

If a bucket has an access policy configured, access to the bucket via the Yandex Cloud management console is disabled by default. To enable bucket access, you need to add a rule under the access policy Statement section to allow any requests to <bucket name>/* and <bucket name> resources via the management console.

Example rule for a specific Yandex Cloud user:

{
  "Effect": "Allow",
  "Principal": {
    "CanonicalUser": "<user ID>"
  },
  "Action": "*",
  "Resource": [
    "arn:aws:s3:::<bucket name>/*",
    "arn:aws:s3:::<bucket name>"
  ],
  "Condition": {
    "StringLike": {
      "aws:referer": "https://console.cloud.yandex.*/folders/*/storage/buckets/your-bucket-name*"
    }
  }
}

You can retrieve the user ID by following instructions in the Yandex Identity and Access Management documentation.

Sample configurations

  • A policy that allows an anonymous user to read objects in the samplebucket bucket over an encrypted connection:

    {
      "Id": "epd4limdp3dgec7enpq5",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "f1qqoehl1q53l06kqurs",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::<bucket name>/*",
          "Condition": {
            "Bool": {
              "aws:SecureTransport": "true"
            }
          }
        }
      ]
    }
    
  • A policy that only enables object download from a specified range of IP addresses:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::<bucket name>/*",
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": "100.101.102.128/30"
            }
          }
        }
      ]
    }
    
  • A policy that prohibits downloading objects from the specified IP address:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "*",
          "Resource": "arn:aws:s3:::<bucket name>/*"
        },
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::<bucket name>/*",
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": "100.101.102.103"
            }
          }
        }
      ]
    }
    
  • A policy that gives different users full access only to their own folders, so that each user can access just the folder assigned to them:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "User1PermissionsResource",
          "Effect": "Allow",
          "Principal": {
            "CanonicalUser": "<user ID>"
          },
          "Action": "*",
          "Resource": ["arn:aws:s3:::<bucket name>/user1path/*"]
        },
        {
          "Sid": "User1PermissionsPrefix",
          "Effect": "Allow",
          "Principal": {
            "CanonicalUser": "<user ID>"
          },
          "Action": "s3:ListBucket",
          "Resource": ["arn:aws:s3:::<bucket name>"],
          "Condition": {
            "StringLike": {
              "s3:prefix": "user1path/*"
            }
          }
        },
        {
          "Sid": "User2PermissionsResource",
          "Effect": "Allow",
          "Principal": {
            "CanonicalUser": "<user ID>"
          },
          "Action": "*",
          "Resource": ["arn:aws:s3:::<bucket name>/user2path/*"]
        },
        {
          "Sid": "User2PermissionsPrefix",
          "Effect": "Allow",
          "Principal": {
            "CanonicalUser": "<user ID>"
          },
          "Action": "s3:ListBucket",
          "Resource": ["arn:aws:s3:::<bucket name>"],
          "Condition": {
            "StringLike": {
              "s3:prefix": "user2path/*"
            }
          }
        }
      ]
    }
    
  • A policy that gives each user and service account full access to a folder named the same as the user ID or service account ID:

    {
      "Version":"2012-10-17",
      "Statement":[
        {
          "Sid": "OwnDirPermissions",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "*",
          "Resource": ["arn:aws:s3:::<bucket name>/${aws:userid}/*"]
        }
      ]
    }
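
To make the evaluation order above concrete (Deny rules first, then Allow, otherwise denied), here is an added example that is not Yandex Cloud's code: a small Python evaluator that applies that order to the sample policies from this page and to the management console rule from the previous section. It models only the bucket policy stage, with the condition operators the samples use (Bool, IpAddress, StringLike) and the ${aws:userid} substitution; the IAM and ACL stages are not modelled, and anything beyond those operators is rejected explicitly. The bucket name, user ID, folder ID in the referer and the request IP addresses are constructed placeholders.

```python
# Added example (not Yandex Cloud's code): a toy evaluator for the bucket-policy
# evaluation order on this page. Only Bool, IpAddress and StringLike are modelled.
import fnmatch
import ipaddress

BUCKET = "samplebucket"    # constructed bucket name (the samples use <bucket name>)
USER_ID = "ajeabc123xyz"   # constructed user ID (the samples use <user ID>)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, request):
    if principal == "*":   # anyone, including anonymous callers
        return True
    return request["userid"] in _as_list(principal.get("CanonicalUser", []))

def _resource_matches(patterns, resource, request):
    for pattern in _as_list(patterns):
        # ${aws:userid} expands to the caller's ID (see the last sample); anonymous -> ""
        pattern = pattern.replace("${aws:userid}", request["userid"] or "")
        if fnmatch.fnmatchcase(resource, pattern):
            return True
    return False

def _condition_matches(condition, request):
    ctx = request["context"]
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:   # a missing context key never satisfies a rule
                return False
            expected = _as_list(expected)
            if operator == "Bool":
                ok = str(actual).lower() == str(expected[0]).lower()
            elif operator == "IpAddress":
                nets = [ipaddress.ip_network(n, strict=False) for n in expected]
                ok = any(ipaddress.ip_address(actual) in n for n in nets)
            elif operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, p) for p in expected)
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True

def evaluate(policy, request):
    """Return "Allow" or "Deny"; request has action, resource (ARN), userid, context."""
    allowed = False
    for st in policy["Statement"]:
        if not _principal_matches(st["Principal"], request):
            continue
        if not any(fnmatch.fnmatchcase(request["action"], a) for a in _as_list(st["Action"])):
            continue
        if not _resource_matches(st["Resource"], request["resource"], request):
            continue
        if "Condition" in st and not _condition_matches(st["Condition"], request):
            continue
        if st["Effect"] == "Deny":
            return "Deny"    # a matching Deny wins; no further checks
        allowed = True
    return "Allow" if allowed else "Deny"   # no matching rule: access is denied

# Sample policies from this page with the placeholders filled in.
SECURE_READ = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}
IP_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "100.101.102.103"}}}]}
OWN_DIR = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OwnDirPermissions", "Effect": "Allow", "Principal": "*", "Action": "*",
     "Resource": [f"arn:aws:s3:::{BUCKET}/${{aws:userid}}/*"]}]}
CONSOLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"CanonicalUser": USER_ID}, "Action": "*",
     "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
     "Condition": {"StringLike": {"aws:referer":
         f"https://console.cloud.yandex.*/folders/*/storage/buckets/{BUCKET}*"}}}]}

def _req(action, resource, userid=None, context=None):
    return {"action": action, "resource": resource, "userid": userid, "context": context or {}}

def demo():
    """Constructed requests against the samples; returns {case: "Allow"/"Deny"}."""
    obj = f"arn:aws:s3:::{BUCKET}/some/key"
    console = {"aws:referer": f"https://console.cloud.yandex.ru/folders/b1gexample/storage/buckets/{BUCKET}"}
    return {
        "https_anon_read": evaluate(SECURE_READ, _req("s3:GetObject", obj, context={"aws:SecureTransport": "true"})),
        "http_anon_read": evaluate(SECURE_READ, _req("s3:GetObject", obj, context={"aws:SecureTransport": "false"})),
        "blocked_ip_get": evaluate(IP_DENY, _req("s3:GetObject", obj, context={"aws:SourceIp": "100.101.102.103"})),
        "blocked_ip_put": evaluate(IP_DENY, _req("s3:PutObject", obj, context={"aws:SourceIp": "100.101.102.103"})),
        "own_dir": evaluate(OWN_DIR, _req("s3:PutObject", f"arn:aws:s3:::{BUCKET}/{USER_ID}/a.txt", USER_ID)),
        "other_dir": evaluate(OWN_DIR, _req("s3:PutObject", f"arn:aws:s3:::{BUCKET}/other/a.txt", USER_ID)),
        "console_owner": evaluate(CONSOLE, _req("s3:ListBucket", f"arn:aws:s3:::{BUCKET}", USER_ID, console)),
        "console_other_user": evaluate(CONSOLE, _req("s3:ListBucket", f"arn:aws:s3:::{BUCKET}", "other-user", console)),
    }
```

Two results are worth reading against the samples. In the IP-based sample, the first statement allows any action for any principal on the bucket's objects, and the Deny statement narrows only s3:GetObject from the one address, which is why blocked_ip_get is Deny while blocked_ip_put from the same address is Allow; if that is not what you intend, restrict the Allow statement's Action as well. For the console rule, the Principal restriction is what decides the outcome (console_other_user is Deny despite a matching referer); aws:referer is a header the client sends, so treat the StringLike condition as a scoping convenience for console access rather than as the access boundary itself.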
    
