[Yandex Cloud documentation](../../../index.md) > [Yandex Object Storage](../../index.md) > [Step-by-step guides](../index.md) > Buckets > Configuring public access to a bucket

# Configuring public access to a bucket

Object Storage incorporates several access management methods. To learn how these methods work together, see [Access management methods in Object Storage: Overview](../../security/overview.md).

By default, [bucket](../../concepts/bucket.md) [access](../../concepts/bucket.md#bucket-access) is restricted. You can enable public access:

- [To read objects](../../s3/api-ref/object/get.md) in a bucket.
- [To view the list of objects](../../s3/api-ref/bucket/listobjects.md) in a bucket.
- To read settings:
    - [CORS](../../s3/api-ref/cors/get.md)
    - [Static website hosting](../../s3/api-ref/hosting/get.md)
    - [Object lifecycles](../../s3/api-ref/lifecycles/get.md)

Public access to each operation is granted separately. This means, if you have granted only read access to your objects, anonymous users cannot get the list of objects and bucket settings.

## Enabling public access {#open-public-access}

{% note warning %}

Public access is granted to an unlimited number of anonymous users. Use it only when other access grant mechanisms are not available.

{% endnote %}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), open a folder.
  1. Navigate to **Object Storage**.
  1. Select the bucket to configure public access for.
  1. In the left-hand panel, select ![image](../../../_assets/console-icons/wrench.svg) **Settings**.
  1. Select the **General** tab.
  1. Enable public access for the operation types you need.
  1. Click **Save**.

- Yandex Cloud CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command for updating a bucket:

      ```bash
      yc storage bucket update --help
      ```

  1. Get a list of buckets in the default folder:
     
     ```bash
     yc storage bucket list
     ```
     
     Result:
     
     ```text
     +------------------+----------------------+-------------+-----------------------+---------------------+
     |       NAME       |      FOLDER ID       |  MAX SIZE   | DEFAULT STORAGE CLASS |     CREATED AT      |
     +------------------+----------------------+-------------+-----------------------+---------------------+
     | first-bucket     | b1gmit33ngp6******** | 53687091200 | STANDARD              | 2022-12-16 13:58:18 |
     +------------------+----------------------+-------------+-----------------------+---------------------+
     ```
  1. Save the name (from the `NAME` column) of the bucket to which you want to enable public access.
  1. Enable public access to bucket operations:

      ```bash
      yc storage bucket update \
        --name <bucket_name> \
        --public-read \
        --public-list \
        --public-config-read
      ```

      Where:
      * `--name`: Name of the bucket to which you need to enable public access.
      * `--public-read`: Flag to enable public read access to bucket objects.
      * `--public-list`: Flag to enable public view access to the list of bucket objects.
      * `--public-config-read`: Flag to enable public read access to the bucket configuration.

      `name`: This is a required setting. Other parameters are optional. By default, public access to the bucket is disabled.

      Result:

      ```text
      name: first-bucket
      folder_id: b1gmit33ngp6********
      anonymous_access_flags:
        read: true
        list: true
        config_read: true
      default_storage_class: STANDARD
      versioning: VERSIONING_DISABLED
      max_size: "53687091200"
      acl: {}
      created_at: "2022-12-16T13:58:18.933814Z"
      ```

- Terraform {#tf}

  {% note info %}
  
  If you access Object Storage via Terraform under a [service account](../../../iam/concepts/users/service-accounts.md), [assign](../../../iam/operations/sa/assign-role-for-sa.md) to the service account the relevant [role](../../security/index.md#roles-list), e.g., `storage.admin`, for the folder you are going to create the resources in.
  
  {% endnote %}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the guides on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../../terraform/index.md).

  
  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.



  To open public access to bucket operations:

  1. Open the Terraform configuration file and add the `anonymous_access_flags` section to the bucket description.

     ```hcl
     resource "yandex_storage_bucket" "log_bucket" {
       access_key = "<static_key_ID>"
       secret_key = "<secret_key>"
       bucket     = "<bucket_name>"

       anonymous_access_flags {
         read        = true
         list        = true
         config_read = true
       }
     }
     ```

     Where:
     * `access_key`: [Static access key](../../../iam/concepts/authorization/access-key.md) ID.

        {% note info %}
        
        In addition to static access keys, you can use an IAM token for authentication in Object Storage. For more details, see [Creating a bucket](create.md) and the [relevant provider documentation](../../../terraform/resources/storage_object.md). 
        
        {% endnote %}

     * `secret_key`: Secret access key value.
     * `bucket`: Name of the bucket to which you need to enable public access.
     * `anonymous_access_flags`: Public access parameters:
       * `read`: Public read access to bucket objects.
       * `list`: Public access to the list of bucket objects.
       * `config_read`: Public read access to the bucket configuration.

     For more information on the properties of the `yandex_storage_bucket` resource in Terraform, see [this provider guide](../../../terraform/resources/storage_bucket.md#bucket-anonymous-access-flags).

  1. Make sure the configuration files are correct.

     1. In the terminal, navigate to the directory where you created your configuration file.
     1. Run a check using this command:

        ```
        terraform plan
        ```

     If the configuration is correct, the terminal will display a list of the resources and their settings. Otherwise, Terraform will show any detected errors.

  1. Deploy the cloud resources.

     1. If the configuration is correct, run this command:

        ```
        terraform apply
        ```

     1. Confirm creating the resources by typing `yes` and pressing **Enter**.

        This will create all the resources you need in the specified folder. You can check the new resources and their settings using the [management console](https://console.yandex.cloud).

- API {#api}

  To open public access to bucket operations, use the [update](../../api-ref/Bucket/update.md) REST API method for the [Bucket](../../api-ref/Bucket/index.md) resource or the [BucketService/Update](../../api-ref/grpc/Bucket/update.md) gRPC API call.

{% endlist %}

{% note info %}

You will not be able to open public access if a restrictive [access policy](policy.md) is configured for the bucket. 

{% endnote %}

## Disabling public access {#close-public-access}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select a folder.
  1. Navigate to **Object Storage**.
  1. Select the bucket to disable public access for.
  1. In the left-hand panel, select ![image](../../../_assets/console-icons/wrench.svg) **Settings**.
  1. Select the **General** tab.
  1. Enable restricted access for the operation types you need.
  1. Click **Save**.

- Yandex Cloud CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command for updating a bucket:

      ```bash
      yc storage bucket update --help
      ```

  1. Get a list of buckets in the default folder:
     
     ```bash
     yc storage bucket list
     ```
     
     Result:
     
     ```text
     +------------------+----------------------+-------------+-----------------------+---------------------+
     |       NAME       |      FOLDER ID       |  MAX SIZE   | DEFAULT STORAGE CLASS |     CREATED AT      |
     +------------------+----------------------+-------------+-----------------------+---------------------+
     | first-bucket     | b1gmit33ngp6******** | 53687091200 | STANDARD              | 2022-12-16 13:58:18 |
     +------------------+----------------------+-------------+-----------------------+---------------------+
     ```
  1. Save the name (from the `NAME` column) of the bucket to which you want to disable public access.
  1. Disable public access to bucket operations:

      ```bash
      yc storage bucket update \
        --name <bucket_name> \
        --public-read=false \
        --public-list=false \
        --public-config-read=false
      ```

      Where:
      * `--name`: Name of the bucket to which you need to disable public access.
      * `--public-read`: Flag to manage public read access to bucket objects. To disable public access, set it to `false`.
      * `--public-list`: Flag to manage public view access to the list of bucket objects. To disable public access, set it to `false`.
      * `--public-config-read`: Flag to manage public read access to the bucket configuration. To disable public access, set it to `false`.

      `name`: This is a required setting. Other parameters are optional. By default, public access to the bucket is disabled.

      Result:

      ```text
      name: first-bucket
      folder_id: b1gmit33ngp6********
      anonymous_access_flags:
        read: false
        list: false
        config_read: false
      default_storage_class: STANDARD
      versioning: VERSIONING_DISABLED
      max_size: "53687091200"
      acl: {}
      created_at: "2022-12-16T13:58:18.933814Z"
      ```

- Terraform {#tf}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the guides on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../../terraform/index.md).

  
  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.



  To disable public access to bucket operations:

  1. Open the Terraform configuration file and add the `anonymous_access_flags` section to the bucket description.

     ```hcl
     resource "yandex_storage_bucket" "log_bucket" {
       access_key = "<static_key_ID>"
       secret_key = "<secret_key>"
       bucket     = "<bucket_name>"

       anonymous_access_flags {
         read        = false
         list        = false
         config_read = false
       }
     }
     ```

     Where:
     * `access_key`: [Static access key](../../../iam/concepts/authorization/access-key.md) ID.
     * `secret_key`: Secret access key value.
     * `bucket`: Name of the bucket to which you need to disable public access.
     * `anonymous_access_flags`: Public access parameters:
       * `read`: Public read access to bucket objects.
       * `list`: Public access to the list of bucket objects.
       * `config_read`: Public read access to the bucket configuration.

     For more information on the properties of the `yandex_storage_bucket` resource in Terraform, see [this provider guide](../../../terraform/resources/storage_bucket.md#bucket-anonymous-access-flags).

  1. Make sure the configuration files are correct.

     1. In the terminal, navigate to the directory where you created your configuration file.
     1. Run a check using this command:

        ```
        terraform plan
        ```

     If the configuration is correct, the terminal will display a list of the resources and their settings. Otherwise, Terraform will show any detected errors.

  1. Deploy the cloud resources.

     1. If the configuration is correct, run this command:

        ```
        terraform apply
        ```

     1. Confirm creating the resources by typing `yes` and pressing **Enter**.

        This will create all the resources you need in the specified folder. You can check the new resources and their settings using the [management console](https://console.yandex.cloud).

- API {#api}

  To disable public access to bucket operations, use the [update](../../api-ref/Bucket/update.md) REST API method for the [Bucket](../../api-ref/Bucket/index.md) resource or the [BucketService/Update](../../api-ref/grpc/Bucket/update.md) gRPC API call.

{% endlist %}

When disabling public access to your bucket, make sure the `All users` [public group](../../../iam/concepts/access-control/public-group.md) has no `viewer`, `storage.viewer`, or higher [role](../../security/index.md#service-roles) assigned for the folder or bucket. Otherwise, the bucket will still be publicly accessible.