[Yandex Cloud documentation](../../../index.md) > [Yandex Object Storage](../../index.md) > [Step-by-step guides](../index.md) > Buckets > Accessing a bucket using Security Token Service

# Accessing a bucket using Security Token Service

# Creating a temporary access key using Security Token Service

With [Security Token Service](../../../iam/concepts/authorization/sts.md), you can get temporary keys for limited access to Yandex Object Storage [buckets](../../concepts/bucket.md).

Temporary access keys as an authentication method are only supported in [Object Storage](../../index.md).

You must have _at least_ the following roles:

* To create a service account and get access keys for it: [iam.serviceAccounts.admin](../../../iam/roles-reference.md#iam-serviceAccounts-admin) for a [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder). If you want to use an existing service account, the `iam.serviceAccounts.admin` role for that service account will be enough.

* To assign the required role to the service account: [storage.admin](../../security/index.md#storage-admin) for a bucket or folder. Alternatively, you can use the `FULL_CONTROL` permission in the bucket's [ACL](../../security/acl.md).

If you have a primitive [admin](../../../iam/roles-reference.md#admin) role for a folder, you do not need to assign any additional roles.


To get a temporary access key:

1. [Create](../../../iam/operations/sa/create.md) a service account. You can also use an existing service account.
1. [Assign](../../../iam/operations/sa/assign-role-for-sa.md) to the service account the required [role](../../security/index.md#roles-list), e.g., [storage.viewer](../../security/index.md#storage-viewer), for the bucket or folder you want to access with a temporary key.

    {% note info %}

    Assign a role for a folder if you want to have access to all buckets in the folder using the service account.

    {% endnote %}

    The selected role must include all the permissions you want to grant using temporary keys.

    {% note tip %}
    
    If a service account has roles in Object Storage for a folder, users with temporary keys will get view access to buckets in that folder. We recommend assigning service account roles for specific buckets, rather than a folder.
    
    {% endnote %}

    Alternatively, you can use [ACL](../../security/acl.md) permissions for a bucket.
1. [Create](../../../iam/operations/authentication/manage-access-keys.md#create-access-key) a static access key for the service account.
1. [Install and configure](../../tools/aws-cli.md) the AWS Command Line Interface (AWS CLI).
1. Describe the [bucket policy](../../concepts/policy.md) configuration as a [data schema](../../s3/api-ref/policy/scheme.md) in JSON format.

    {% note warning %}
    
    One Security Token Service access policy is set only for a specific bucket. You cannot use a single temporary key for multiple buckets.
    
    {% endnote %}

    Temporary Security Token Service keys inherit the access permissions of the service account but are limited by the bucket-level access policy. If you set up a temporary key’s access policy to allow operations the service account has no permissions for, such operations will not be performed.

    {% cut "Policy example" %}

    This policy allows a temporary key user to get objects from the specified bucket [prefix](../../concepts/object.md#folder):

    ```json
    {
      "Version": "2012-10-17",
      "Statement": {
        "Sid": "all",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::<bucket_name>/<prefix>"
      }
    }
    ```

    Where:
    * `Version`: (Optional) Version of the bucket policy description, e.g., `2012-10-17`.
    * `Statement`: Bucket policy rules:
      * `Sid`: (Optional) Custom rule ID, e.g., `all`, `Statement Allow`, or `Statement Deny`.
      * `Effect`: Denies or allows the requested action. The possible values are `Allow` and `Deny`.
      * `Principal`: The possible value is `*`. This parameter is required for compatibility with [AWS S3 API](../../s3/index.md).
      * `Action`: [Action](../../s3/api-ref/policy/actions.md) to perform when the policy is triggered, e.g., `s3:GetObject`, `s3:PutObject`, or `*`.
      * `Resource`: Resource to perform the action with. The possible values are: 
        * `arn:aws:s3:::<bucket_name>`: Bucket.
        * `arn:aws:s3:::<bucket_name>/<object_key>`: Bucket object.
        * `arn:aws:s3:::<bucket_name>/<prefix>*`: All objects in the bucket whose keys start with a prefix, e.g., `arn:aws:s3:::samplebucket/some/path/*`. A prefix can be empty, e.g., `arn:aws:s3:::samplebucket/*`, in which case the rule will apply to all bucket objects.
    
        A bucket resource does not include resources of all its objects. To make sure a bucket policy rule applies to the bucket and all its objects, specify them as separate resources, e.g., `arn:aws:s3:::samplebucket` and `arn:aws:s3:::samplebucket/*`.

      If you apply a bucket policy without rules when creating temporary access keys, access by temporary key will be denied.

    {% endcut %}

    Once the configuration is complete, save it to a file named `policy.json`.

    {% note warning %}
    
    The access is checked by object [ACL](../../security/acl.md) after checking the Security Token Service policy. Therefore, if the service account through which you obtain temporary access keys has ACL permissions configured for objects in the bucket, those objects will become available for temporary access key requests, regardless of the specified policy. For more information, see [how the access management works](../../security/overview.md) in Object Storage.
    
    {% endnote %}

1. Get a temporary access key:

    {% list tabs group=instructions %}

    - AWS CLI {#aws-cli}

      Run this command:

      ```bash
      aws --endpoint https://sts.yandexcloud.net/ sts assume-role \
        --role-arn <description> \
        --role-session-name <key_name> \
        --duration-seconds <key_lifetime> \
        --policy file://policy.json
      ```

      Where:
      * `--endpoint`: Security Token Service endpoint.
      * `--role-arn`: Description of at least 20 characters. You can use Latin letters, numbers, `_` and `-`.
      * `--role-session-name`: Unique key name. You can use Latin letters, numbers, `_` and `-`.
      * `--duration-seconds`: Key lifetime in seconds, which cannot exceed `43200`.
      * `--policy file://`: Path to the bucket policy file.

      For more information about the `aws sts assume-role` command, see the [AWS documentation](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-role.html).

      Result:

      ```json
      {
          "Credentials": {
              "AccessKeyId": "YCAJEkNuezZyt4b**********",
              "SecretAccessKey": "YCMUWwxFAnZ**********...",
              "SessionToken": "s1.9euelZqPjcj**********...",
              "Expiration": "2024-02-29T23:30:53+00:00"
          },
          "AssumedRoleUser": {
              "Arn": "a1234567891234567890/test-2"
          },
          "PackedPolicySize": 0,
          "SourceIdentity": ""
      }
      ```

      Where:
      * `AccessKeyId`: Key ID (same as the static key ID).
      * `SecretAccessKey`: Secret key.
      * `SessionToken`: Session token.

      Save these parameters.

    {% endlist %}

1. Add the resulting temporary access key parameters to the environment variables for the user to whom you want to grant access permissions to the bucket:

    ```bash
    export AWS_ACCESS_KEY_ID=<key_ID>
    export AWS_SECRET_ACCESS_KEY=<secret_key>
    export AWS_SESSION_TOKEN=<session_token>
    ```

1. To test access to a bucket, save the object from the prefix of the bucket that was accessed to the client device:

    {% list tabs group=instructions %}

    - AWS CLI {#aws-cli}

      ```bash
      aws --endpoint https://storage.yandexcloud.net s3 cp \
        s3://<bucket_name>/<prefix><object_name> ./
      ```

      Result:

      ```text
      download: s3://<bucket_name>/<prefix><object_name> to ./<object_name>
      ```

    {% endlist %}

#### See also {#see-also}

* [Access management methods in Object Storage: Overview](../../security/overview.md)
* [Accessing a bucket using an ephemeral access key](manage-ephemeral-keys.md)