Enabling public access for bucket operations
Object Storage incorporates multiple mechanisms for managing access to resources. To learn how these mechanisms interact, see Overview of access management methods in Object Storage.
By default, buckets are created with restricted access. You can enable public access:
- To read objects in a bucket.
- To access the list of objects in a bucket.
- To read settings:
Public access to each operation is granted separately. This means that if you have enabled public read access to objects only, anonymous users still cannot get the list of objects or the bucket settings.
Warning
Public access is granted to an unlimited number of anonymous users. Use it only when other access grant mechanisms are not available.
- In the management console, select the appropriate folder.
- Select Object Storage.
- Click the name of the bucket you need.
- Go to the Settings tab.
- Select the type of access for bucket operations.
- Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- View a description of the CLI command to update a bucket:
  yc storage bucket update --help
- Get a list of buckets in the default folder:
  yc storage bucket list
  Result:
  +------------------+----------------------+-------------+-----------------------+---------------------+
  | NAME             | FOLDER ID            | MAX SIZE    | DEFAULT STORAGE CLASS | CREATED AT          |
  +------------------+----------------------+-------------+-----------------------+---------------------+
  | first-bucket     | b1gmit33ngp6******** | 53687091200 | STANDARD              | 2022-12-16 13:58:18 |
  +------------------+----------------------+-------------+-----------------------+---------------------+
- Using the NAME column, save the name of the bucket to enable public access to.
- Allow public access to operations with the bucket:
  yc storage bucket update \
    --name <bucket_name> \
    --public-read \
    --public-list \
    --public-config-read
  Where:
  --name: Name of the bucket to enable public access to.
  --public-read: Flag to enable public read access to bucket objects.
  --public-list: Flag to enable public access to view the list of bucket objects.
  --public-config-read: Flag to enable public read access to the bucket configuration.
  The name parameter is required. Other parameters are optional. By default, no public access to buckets is allowed.
  Result:
  name: first-bucket
  folder_id: b1gmit33ngp6********
  anonymous_access_flags:
    read: true
    list: true
    config_read: true
  default_storage_class: STANDARD
  versioning: VERSIONING_DISABLED
  max_size: "53687091200"
  acl: {}
  created_at: "2022-12-16T13:58:18.933814Z"
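Because each public operation is granted separately, it is worth checking the Result of the command above against what the bucket is meant to expose. The following is an added example, not part of the original documentation or the yc tooling: the function names `public_ops` and `unexpected_public_ops` are hypothetical, the sample input is constructed from the Result shown above, and two-space YAML indentation is assumed.

```shell
#!/bin/sh
# Added example: audit the anonymous_access_flags block printed by the CLI.

# Constructed sample input, same shape as the Result shown above
# (two-space indentation is an assumption).
SAMPLE_ALL_PUBLIC='name: first-bucket
anonymous_access_flags:
  read: true
  list: true
  config_read: true
default_storage_class: STANDARD'

# public_ops: read bucket YAML on stdin and print the operations that are
# public, space-separated on one line. Prints an empty line if the block is
# absent or every flag is false.
public_ops() {
  awk '
    /^anonymous_access_flags:/ { in_flags = 1; next }  # start of the block
    in_flags && /^[^ \t]/      { in_flags = 0 }         # next top-level key ends it
    in_flags && /^[ \t]+[a-z_]+:[ \t]*true[ \t]*$/ {
      key = $1; sub(/:$/, "", key)
      out = out (out == "" ? "" : " ") key
    }
    END { print out }
  '
}

# unexpected_public_ops ALLOWED...: print operations that are public but not
# in the allow-list given as arguments. Returns 1 if any are found.
unexpected_public_ops() {
  allowed=" $* "
  extra=""
  for op in $(public_ops); do
    case "$allowed" in
      *" $op "*) ;;                          # intended exposure
      *) extra="${extra:+$extra }$op" ;;     # public, but not intended
    esac
  done
  printf '%s\n' "$extra"
  [ -z "$extra" ]
}

# Demo: the bucket is meant to serve objects only, so only "read" is allowed.
printf '%s\n' "$SAMPLE_ALL_PUBLIC" | unexpected_public_ops read \
  || echo "bucket exposes more operations than intended"
```
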
Terraform
For more information about the provider resources, see the documentation on the Terraform
If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
To enable public access to bucket operations:
- Open the Terraform configuration file and add a section called anonymous_access_flags to the bucket description fragment.
  resource "yandex_storage_bucket" "log_bucket" {
    access_key = "<static_key_ID>"
    secret_key = "<private_key>"
    bucket     = "my-tf-log-bucket"
    anonymous_access_flags {
      read = true
      list = false
    }
  }
  Where:
  access_key: ID of the static access key.
  secret_key: Secret access key value.
  read: Read access to bucket objects.
  list: Access to list of bucket objects.
  For more information about yandex_storage_bucket resource parameters in Terraform, see the provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the directory where you created the configuration file.
  - Run a check using this command:
    terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm creating the resources: type yes in the terminal and press Enter.
    All the resources you need will then be created in the specified folder. You can check the new resources and their configuration using the management console.
To allow public access to operations with your bucket, use the update REST API method for the Bucket resource or the BucketService/Update gRPC API call.
Note
If your bucket has access policies, you will also need to configure them for public access to work properly.