Search code examples
yandexcloud

Granular permissions in Yandex Cloud Object Storage

How to create a service account in Object Storage that has permissions only for one bucket?

I've tried to create service account via Web Console, but can't find any roles related to Object Storage: enter image description here

Solution

  • To restrict access for a service account, you need to use ACL.

    You'll also need to use YC CLI and AWS CLI.

    Let me explain everything from the beginning starting with account creation. 

    # yc iam service-account create name <account name>
id: <service-account id>
folder_id: <folder_id>
created_at: "2019-01-23T45:67:89Z"
name: <account name>

# yc iam access-key create service-account-name <account name>
access_key:
id: <operation id>
service_account_id: <service-account_id>
created_at: "2019-12-34T56:78:90Z"
key_id: <key id>
secret: <secret key>

    Save the key_id and the secret key. Now set the AWS CLI according to the instruction in documentation to work from the admin service account.

    Create a bucket and set access for it. To grant access, you need to set the service_account_id in the put-bucket-acl command of the id field. 

    # aws endpoint-url=https://storage.yandexcloud.net s3  
mb s3://<bucket_name>
make_bucket: <bucket_name>

# aws endpoint-url=https://storage.yandexcloud.net 
s3api put-bucket-acl \
bucket hidden-bucket grant-full-control 
id=<service_account_id> \
grant-read

    P.S. The only problem is that Yandex Object storage doesn't support permission "WRITE", and you can only set full-access for a service account. It means it can edit ACL on its bucket.