Editing a bucket ACL
Object Storage incorporates multiple mechanisms for managing access to resources. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.
To configure the ACL of a bucket:
Management console
- In the management console, select the appropriate folder.
- Select Object Storage.
- To edit an ACL, click the relevant icon in the bucket row. You can also click the bucket name and then click Bucket ACL on the page that opens.
- In the ACL editing window that opens, grant or revoke the appropriate permissions.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
Before setting up an ACL, view a description of the CLI command to edit a bucket:
  yc storage bucket update --help
You can apply a predefined ACL to a bucket or configure permissions for individual users, service accounts, user groups and system groups (e.g., a group including all internet users or a group including all authenticated Yandex Cloud users). The two approaches are mutually exclusive: a bucket has either a predefined ACL or a set of individual permissions.
Using a predefined ACL
- Run this command:
    yc storage bucket update --name <bucket_name> --acl <predefined_ACL>
  Where:
  - --name: Bucket name.
  - --acl: Predefined ACL. For a list of values, see Predefined ACLs.
  Result:
    name: my-bucket
    folder_id: csgeoelk7fl1********
    default_storage_class: STANDARD
    versioning: VERSIONING_DISABLED
    max_size: "1073741824"
    acl:
      grants:
      - permission: PERMISSION_READ
        grant_type: GRANT_TYPE_ALL_USERS
    created_at: "2022-12-14T19:10:05.957940Z"
Setting up individual permissions
- To grant permissions using an ACL to a Yandex Cloud user, a service account, or a user group, get their ID. For more information, see Getting user information and Getting the service account ID.
- Run this command:
    yc storage bucket update --name <bucket_name> \
      --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=<permission_type>
  Where:
  - grant-type: Type of the permission grantee. The possible values include:
    - grant-type-account: User, service account, or user group.
    - grant-type-all-authenticated-users: System group of all authenticated Yandex Cloud users.
    - grant-type-all-users: System group of all internet users.
  - grantee-id: ID of the user, service account, or user group to grant permission to. It is specified only if grant-type=grant-type-account.
  - permission: ACL permission type. Possible values are permission-full-control, permission-write, and permission-read. For more information about permissions, see Permission types.
  To configure multiple permissions, specify the --grants parameter multiple times. Permissions specified in the command override the current ACL settings of the bucket, including its predefined ACL. You can retrieve the current permissions using the following command:
    yc storage bucket get <bucket_name> --full
  Result:
    name: my-bucket
    folder_id: csgeoelk7fl1********
    default_storage_class: STANDARD
    versioning: VERSIONING_SUSPENDED
    max_size: "10737418240"
    acl:
      grants:
      - permission: PERMISSION_READ
        grant_type: GRANT_TYPE_ACCOUNT
        grantee_id: ajej2th5699n********
    created_at: "2022-12-14T08:42:16.273717Z"
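The listing printed by `yc storage bucket get <bucket_name> --full` is the place to check what a bucket actually exposes: a grant whose grant_type is one of the two system groups makes the bucket readable by everyone on the internet or by every authenticated Yandex Cloud user, and a system-group grant with permission-write or permission-full-control makes it writable by them as well. The script below is an added example, not part of the Yandex Cloud documentation or of the yc tool. It parses that listing with a small line-based reader (no YAML library required), flags system-group grants by severity, and assembles the `--grants` arguments that would keep only the account grants; because `--grants` replaces the whole ACL, every grant to retain has to be re-listed. The enum names GRANT_TYPE_ALL_AUTHENTICATED_USERS, PERMISSION_WRITE and PERMISSION_FULL_CONTROL are assumed to follow the pattern of the values this page shows (GRANT_TYPE_ALL_USERS, GRANT_TYPE_ACCOUNT, PERMISSION_READ); the sample listing is constructed.

```python
"""Audit a bucket ACL as printed by `yc storage bucket get <bucket_name> --full`.

Added example for this page; it is not Yandex Cloud's own tooling. The
listing is read line by line, indentation is ignored (so output whose
leading spaces were lost still parses), and only the grant fields matter.
"""

# Shown on this page: PERMISSION_READ, GRANT_TYPE_ACCOUNT, GRANT_TYPE_ALL_USERS.
# The other enum names are assumed to follow the same pattern as the CLI values
# permission-write, permission-full-control and grant-type-all-authenticated-users.
SYSTEM_GROUPS = {
    "GRANT_TYPE_ALL_USERS": "all internet users",
    "GRANT_TYPE_ALL_AUTHENTICATED_USERS": "all authenticated Yandex Cloud users",
}
WRITE_LIKE = {"PERMISSION_WRITE", "PERMISSION_FULL_CONTROL"}
CLI_PERMISSION = {
    "PERMISSION_READ": "permission-read",
    "PERMISSION_WRITE": "permission-write",
    "PERMISSION_FULL_CONTROL": "permission-full-control",
}
GRANT_KEYS = ("permission", "grant_type", "grantee_id")


def parse_listing(text):
    """Return (bucket_name, grants); each grant is a dict of GRANT_KEYS."""
    name = None
    grants = []
    current = None
    in_grants = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip().strip('"')
        if key == "name" and name is None:
            name = value
        if key == "grants":
            in_grants = True
            continue
        if not in_grants:
            continue
        if key.startswith("- "):          # "- permission: ..." opens a new grant
            key = key[2:].strip()
            current = {}
            grants.append(current)
        if current is not None and key in GRANT_KEYS:
            current[key] = value
    return name, grants


def audit(grants):
    """Flag every grant to a system group; write-capable ones are rated high."""
    findings = []
    for g in grants:
        group = SYSTEM_GROUPS.get(g.get("grant_type"))
        if group is None:
            continue
        perm = g.get("permission", "?")
        severity = "high" if perm in WRITE_LIKE else "medium"
        findings.append((severity, f"{perm} granted to {group}"))
    return findings


def remediation_args(bucket, grants):
    """Build the `yc storage bucket update` call that re-lists only account grants.

    --grants overrides the entire ACL, so dropping the system-group grants
    means repeating every account grant that should survive.
    """
    args = ["yc", "storage", "bucket", "update", "--name", bucket]
    for g in grants:
        if g.get("grant_type") != "GRANT_TYPE_ACCOUNT":
            continue
        spec = "grant-type=grant-type-account,grantee-id={},permission={}".format(
            g["grantee_id"], CLI_PERMISSION[g["permission"]])
        args += ["--grants", spec]
    return args


# Constructed sample in the layout this page shows for `yc storage bucket get --full`;
# the second grant is a deliberately over-broad one added for the demonstration.
SAMPLE = """\
name: my-bucket
folder_id: csgeoelk7fl1********
default_storage_class: STANDARD
versioning: VERSIONING_SUSPENDED
max_size: "10737418240"
acl:
  grants:
  - permission: PERMISSION_READ
    grant_type: GRANT_TYPE_ACCOUNT
    grantee_id: ajej2th5699n********
  - permission: PERMISSION_WRITE
    grant_type: GRANT_TYPE_ALL_USERS
created_at: "2022-12-14T08:42:16.273717Z"
"""

if __name__ == "__main__":
    bucket, grants = parse_listing(SAMPLE)
    for severity, message in audit(grants):
        print(f"[{severity}] {bucket}: {message}")
    print(" ".join(remediation_args(bucket, grants)))
```

In practice you would pipe the real CLI output into parse_listing instead of SAMPLE; the remediation arguments are returned as a list so they can be passed to subprocess without shell quoting, and they are only a proposal to review, since any account grant omitted from the list is removed by the update.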
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
Before you start, retrieve the static access keys: a secret key and a key ID used for authentication in Object Storage.
- In the configuration file, describe the parameters of the resources you want to create:
    resource "yandex_storage_bucket" "test" {
      access_key = "<static_key_ID>"
      secret_key = "<secret_key>"
      bucket     = "<bucket_name>"

      grant {
        id          = "<user_ID>"
        type        = "CanonicalUser"
        permissions = ["FULL_CONTROL"]
      }

      grant {
        type        = "Group"
        permissions = ["READ", "WRITE"]
        uri         = "http://acs.amazonaws.com/groups/global/AllUsers"
      }
    }
  Where:
  - access_key: ID of the static access key.
  - secret_key: Value of the secret access key.
  - bucket: Bucket name. This is a required parameter.
  - grant: ACL. This is an optional parameter. To manage this parameter, the service account for which the static access keys were obtained must have the storage.admin role for a bucket or a folder.
    - type: Type of the permission grantee. The possible values include:
      - CanonicalUser: For a user, service account, or user group.
      - Group: For a system group.
    - permissions: Type of ACL permissions.
    - id: ID of the user, service account, or user group. It is used with the CanonicalUser permission grantee type.
    - uri: System group ID. It is used with the Group permission grantee type. The possible values include:
      - http://acs.amazonaws.com/groups/global/AllUsers: All internet users.
      - http://acs.amazonaws.com/groups/global/AuthenticatedUsers: All authenticated Yandex Cloud users.
  For more information about resources you can create with Terraform, see the provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the directory where you created the configuration file.
  - Run a check using this command:
      terraform plan
  If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
      terraform apply
  - Confirm that you want to create the resources.
  All the resources you need will then be created in the specified folder. You can check the new resources and their configuration using the management console.
API
To edit a bucket's ACL, use the update REST API method for the Bucket resource, the BucketService/Update gRPC API call, or the bucketPutAcl S3 API method.