[Yandex Cloud documentation](../../../index.md) > [Yandex Object Storage](../../index.md) > [Step-by-step guides](../index.md) > Buckets > Editing a bucket's ACL

# Editing a bucket ACL

Object Storage incorporates several access management mechanisms. To learn how these mechanisms interact, see [Access management methods in Object Storage: Overview](../../security/overview.md).

{% note info %}

If your [bucket](../../concepts/bucket.md) already has a configured [ACL](../../concepts/acl.md), it will be completely overwritten once you apply the changes.

{% endnote %}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select a folder.
  1. Navigate to **Object Storage**.
  1. In the bucket row, click ![image](../../../_assets/console-icons/ellipsis.svg) and select **Configure ACL**.

      Alternatively, you can click the bucket name, then, on the page that opens, click ![image](../../../_assets/console-icons/ellipsis.svg) at the top right and select **Configure ACL**.

      In the **ACL editing** window that opens, grant or revoke the relevant permissions:
      
      1. Select the [subjects](../../../iam/concepts/access-control/index.md#subject) you need from the list. To do this, place the cursor in the subject input field, then select the required [user](../../../overview/roles-and-resources.md#users), [service account](../../../iam/concepts/users/service-accounts.md), [user group](../../../organization/concepts/groups.md), [system group](../../../iam/concepts/access-control/system-group.md), or [public group](../../../iam/concepts/access-control/public-group.md) in the form that appears. If required, use the relevant tabs in the form or the search bar to find a subject by name or email address.
      
          To grant permissions for multiple subjects at the same time, select them one by one.
      
      1. Specify the relevant [permission type](../../concepts/acl.md#permissions-types) for the selected subjects and click **Add**.
      
      1. To grant different types of permission to subjects, repeat the two previous steps.
      
      1. To revoke a subject's permission, click **Cancel** in the permission row.
      
      1. Click **Save**.

      {% note info %}
  
      In the management console, you can only grant permissions to service accounts created in the same folder as the bucket. You can grant permissions to service accounts belonging to other folders using the Yandex Cloud CLI (only for ACL buckets), AWS CLI, Terraform, or API.
  
      {% endnote %}

- Yandex Cloud CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.


  You can apply a [predefined ACL](../../concepts/acl.md#predefined-acls) to a bucket or configure permissions for individual users, [service accounts](../../../iam/concepts/users/service-accounts.md), [user groups](../../../organization/concepts/groups.md), and [public groups](../../concepts/acl.md#public-groups) (all internet users, all authenticated Yandex Cloud users). You cannot use these settings together: a bucket can have either a predefined ACL or individual permissions.

  You can edit a bucket's ACL using the following commands:
  * [yc storage bucket update](#yc-storage-bucket-update)
  * [yc storage s3api put-bucket-acl](#yc-storage-s3api-put-bucket-acl)

  **yc storage bucket update** {#yc-storage-bucket-update}

  Before configuring an ACL, see the description of the CLI command for editing a bucket:

  ```bash
  yc storage bucket update --help
  ```

  To view the current ACL of a bucket, run this command:

  ```bash
  yc storage bucket get <bucket_name> --with-acl
  ```

  _Predefined ACL_

  Run this command:

  ```bash
  yc storage bucket update \
    --name <bucket_name> \
    --acl <predefined_ACL>
  ```

  Where:
  * `--name`: Bucket name.
  * `--acl`: Predefined ACL. To view a list of values, see [Predefined ACLs](../../concepts/acl.md#predefined-acls).

  Result:

  ```text
  name: my-bucket
  folder_id: csgeoelk7fl1********
  default_storage_class: STANDARD
  versioning: VERSIONING_DISABLED
  max_size: "1073741824"
  acl:
    grants:
      - permission: PERMISSION_READ
        grant_type: GRANT_TYPE_ALL_USERS
  created_at: "2022-12-14T19:10:05.957940Z"
  ```

  _Setting up individual permissions_

  1. To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:

      * [User](../../../organization/operations/users-get.md).
      * [Service account](../../../iam/operations/sa/get-id.md).
      * User group: Navigate to the [**Groups**](https://center.yandex.cloud/organization/groups) tab in the Cloud Center interface.

  1. Run this command:

      ```bash
      yc storage bucket update --name <bucket_name> \
        --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=<permission_type>
      ```

      Where:
      * `grant-type`: Permission grantee type. The possible values are as follows:
        * `grant-type-account`: User, [service account](../../../iam/concepts/users/service-accounts.md), or [user group](../../../organization/concepts/groups.md).
        * `grant-type-all-authenticated-users`: [Public group](../../concepts/acl.md#public-groups) that includes all authenticated Yandex Cloud users.
        * `grant-type-all-users`: Public group that includes all internet users.
      * `grantee-id`: ID of the user, service account, or user group you need to grant a permission to. It is specified only if `grant-type=grant-type-account`.
      * `permission`: ACL permission type. The possible values are:
        * `permission-read`: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, and static hosting), and read all objects in the bucket.
        * `permission-write`: Permission to write, overwrite, and delete objects in the bucket. It can only be used together with `permission-read`.
        * `permission-full-control`: Full access to the bucket and objects in it.
      
        For more information about permissions, see [Permission types](../../concepts/acl.md#permissions-types).

      To configure multiple permissions, specify the `--grants` parameter multiple times. For example, to grant a write permission for a bucket, run this command:

      ```bash
      yc storage bucket update --name <bucket_name> \
        --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=permission-read \
        --grants grant-type=<permission_grantee_type>,grantee-id=<grantee_ID>,permission=permission-write
      ```

  **yc storage s3api put-bucket-acl** {#yc-storage-s3api-put-bucket-acl}

  View the bucket's current ACL:

  ```bash
  yc storage s3api get-bucket-acl \
    --bucket <bucket_name>
  ```

  Where `--bucket` is the bucket name.

  _Predefined ACL_

  Run this command:

  ```bash
  yc storage s3api put-bucket-acl \
    --bucket <bucket_name> \
    --acl <predefined_ACL>
  ```

  Where:
  * `--name`: Bucket name.
  * `--acl`: Predefined ACL. For the list of values, see [Predefined ACLs](../../concepts/acl.md#predefined-acls).

  _Setting up individual permissions_

  1. To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:

      * [User](../../../organization/operations/users-get.md).
      * [Service account](../../../iam/operations/sa/get-id.md).
      * User group: Navigate to the [**Groups**](https://center.yandex.cloud/organization/groups) tab in the Cloud Center interface.

  1. Run this command:

      ```bash
      yc storage s3api put-bucket-acl \
        --bucket <bucket_name> \
        <permission_type> <permission_grantee>
      ```

      Where:
      * `--bucket`: Bucket name.
      * The possible types of ACL permissions are as follows:

        * `--grant-read`: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, and static hosting), and read all objects in the bucket.
        * `--grant-write`: Permission to write, overwrite, and delete objects in the bucket. It can only be used together with `--grant-read`.
        * `--grant-full-control`: Full access to the bucket and objects in it.

        For more information about permissions, see [Permission types](../../concepts/acl.md#permissions-types).

      * The possible permission grantees are as follows:

        * `id=<grantee_ID>`: ID of the user, service account, or user group you need to grant a permission to.
        * `uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers`: [Public group](../../concepts/acl.md#public-groups) that includes all authenticated Yandex Cloud users.
        * `uri=http://acs.amazonaws.com/groups/global/AllUsers`: Public group that includes all internet users.

      To configure multiple permissions, specify the relevant settings, permission type, and permission grantee multiple times. For example, to grant a write permission for a bucket, run this command:

      ```bash
      yc storage s3api put-bucket-acl \
        --bucket <bucket_name> \
        --grant-read id=<grantee_ID> \
        --grant-write id=<grantee_ID>
      ```

- AWS CLI {#aws-cli}

  If you do not have the AWS CLI yet, [install and configure it](../../tools/aws-cli.md).

  {% note info %}

  To manage bucket ACL settings, assign the `storage.admin` [role](../../security/index.md#storage-admin) to the service account used by the AWS CLI.

  {% endnote %}


  View the bucket's current ACL:

  ```bash
  aws s3api get-bucket-acl \
    --endpoint https://storage.yandexcloud.net \
    --bucket <bucket_name>
  ```

  Where:
  * `--bucket`: Bucket name.
  * `--endpoint`: Object Storage endpoint.

  You can apply a [predefined ACL](../../concepts/acl.md#predefined-acls) to a bucket or configure permissions for individual users, [service accounts](../../../iam/concepts/users/service-accounts.md), [user groups](../../../organization/concepts/groups.md), and [public groups](../../concepts/acl.md#public-groups) (all internet users, all authenticated Yandex Cloud users). You cannot use these settings together: a bucket can have either a predefined ACL or individual permissions.

  Predefined ACL

  : Run this command:

    ```bash
      aws s3api put-bucket-acl \
        --endpoint https://storage.yandexcloud.net \
        --bucket <bucket_name> \
        --acl <predefined_ACL>
    ```

    Where:

    * `--endpoint`: Object Storage endpoint.
    * `--bucket`: Bucket name.
    * `--acl`: Predefined ACL. For the list of values, see [Predefined ACLs](../../concepts/acl.md#predefined-acls).

  Setting up individual permissions

  : 1. To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:

        * [User](../../../organization/operations/users-get.md).
        * [Service account](../../../iam/operations/sa/get-id.md).
        * User group: Navigate to the [**Groups**](https://center.yandex.cloud/organization/groups) tab in the Cloud Center interface.

    1. Run this command:

        ```bash
        aws s3api put-bucket-acl \
          --endpoint https://storage.yandexcloud.net \
          --bucket <bucket_name> \
          <permission_type> <permission_grantee>
        ```

        Where:
        * `--bucket`: Bucket name.
        * `--endpoint`: Object Storage endpoint.
        * The possible types of ACL permissions are as follows:
          * `--grant-read`: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, and static hosting), and read all objects in the bucket.
          * `--grant-write`: Permission to write, overwrite, and delete objects in the bucket. It can only be used together with `--grant-read`.
          * `--grant-full-control`: Full access to the bucket and objects in it.

          For more information about permissions, see [Permission types](../../concepts/acl.md#permissions-types).

        * The possible permission grantees are as follows:
          * `id=<grantee_ID>`: ID of the user, service account, or user group you need to grant a permission to.
          * `uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers`: [Public group](../../concepts/acl.md#public-groups) that includes all authenticated Yandex Cloud users.
          * `uri=http://acs.amazonaws.com/groups/global/AllUsers`: Public group that includes all internet users.

        To configure multiple permissions, specify the relevant settings, permission type, and permission grantee multiple times. For example, to grant a write permission for a bucket, run this command:

        ```bash
        aws s3api put-bucket-acl \
          --endpoint https://storage.yandexcloud.net \
          --bucket <bucket_name> \
          --grant-read id=<grantee_ID> \
          --grant-write id=<grantee_ID>
        ```

- Terraform {#tf}

  {% note info %}
  
  If you access Object Storage via Terraform under a [service account](../../../iam/concepts/users/service-accounts.md), [assign](../../../iam/operations/sa/assign-role-for-sa.md) to the service account the relevant [role](../../security/index.md#roles-list), e.g., `storage.admin`, for the folder you are going to create the resources in.
  
  {% endnote %}


  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.


  Before you start, retrieve the [static access keys](../../../iam/operations/authentication/manage-access-keys.md#create-access-key): a secret key and key ID used for Object Storage authentication.

  {% note info %}
  
  In addition to static access keys, you can use an IAM token for authentication in Object Storage. For more details, see [Creating a bucket](create.md) and the [relevant provider documentation](../../../terraform/resources/storage_object.md). 
  
  {% endnote %}

  To edit a bucket ACL, you can use these resources:
  * [yandex_storage_bucket_grant](#tf-storage-bucket-grant)
  * [yandex_storage_bucket](#tf-yandex_storage_bucket) (obsolete)

  {% note warning %}
  
  You cannot use the [yandex_storage_bucket_grant](../../../terraform/resources/storage_bucket_grant.md) resource if the [yandex_storage_bucket_iam_binding](../../../terraform/resources/storage_bucket_iam_binding.md) resource is simultaneously used to assign [primitive roles](../../security/index.md#primitive-roles), such as `viewer`, `editor`, or `admin` for a bucket, or if the `acl` or `grant` parameters of the [yandex_storage_bucket](../../../terraform/resources/storage_bucket.md) resource are simultaneously in use.
  
  {% endnote %}

  One `yandex_storage_bucket` bucket can only be mapped to one `yandex_storage_bucket_grant` resource. Using multiple resources for a single bucket may lead to configuration errors.

  **yandex_storage_bucket_grant** {#tf-storage-bucket-grant}

  1. In the configuration file, specify the properties of the resources you want to create:

     ```hcl
     resource "yandex_storage_bucket_grant" "my_bucket_grant" {
       bucket = "<existing_bucket_name>"
       grant {
         id          = "<user_1_ID>"
         permissions = ["READ", "WRITE"]
         type        = "CanonicalUser"
       }
       grant {
         id          = "<user_2_ID>"
         permissions = ["FULL_CONTROL"]
         type        = "CanonicalUser"
       }
       grant {
         uri         = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
         permissions = ["READ"]
         type        = "Group"
       }
     }
     ```

     Where:

     * `bucket`: Existing bucket’s name.
     * `grant`: [ACL](../../concepts/acl.md) settings. To manage it, the service account with static access keys must have the `storage.admin` [role](../../security/index.md#roles-list) for the bucket or folder.
       * `type`: Permission grantee type. The possible values are:
         * `CanonicalUser`: For a user, [service account](../../../iam/concepts/users/service-accounts.md), or [user group](../../../organization/concepts/groups.md).
         * `Group`: For a [public group](../../concepts/acl.md#public-groups).
       * `permissions`: Type of ACL [permissions](../../concepts/acl.md#permissions-types). It can take the following values:
         * `READ`: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, and static hosting), and read all objects in the bucket.
         * `WRITE`: Permission to write, overwrite, and delete objects in the bucket. It can only be used together with `READ`, e.g., `permissions = ["READ", "WRITE"]`.
         * `FULL_CONTROL`: Full access to the bucket and objects in it.

         For more information about permissions, see [Permission types](../../concepts/acl.md#permissions-types).

       * `id`: ID of the user, service account, or user group:

         * [User](../../../organization/operations/users-get.md).
         * [Service account](../../../iam/operations/sa/get-id.md).
         * User group: Navigate to the [**Groups**](https://center.yandex.cloud/organization/groups) tab in the Cloud Center interface.

         It is used with the `CanonicalUser` type of permission grantee.

       * `uri`: Public group ID. It is used with the `Group` type of permission grantee. The possible values are:
         * `http://acs.amazonaws.com/groups/global/AllUsers`: All internet users.
         * `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`: All authenticated Yandex Cloud users.

     Instead of `grant`, you can specify `acl`, i.e., the [predefined ACL](../../concepts/acl.md#predefined-acls) of the bucket. The default value is `private`: Yandex Cloud users get permissions according to their roles in IAM.

     For more information about the `yandex_storage_bucket_grant` properties, see [this provider guide](../../../terraform/resources/storage_bucket_grant.md).

  1. If you plan to use the [yandex_storage_bucket_iam_binding](../../../terraform/resources/storage_bucket_iam_binding.md) resource together with [yandex_storage_bucket_grant](../../../terraform/resources/storage_bucket_grant.md) for the same bucket, we recommend creating them sequentially. To do this, add a dependency on the `yandex_storage_bucket_grant` resource to the `yandex_storage_bucket_iam_binding` section.

      ```hcl
      resource "yandex_storage_bucket_iam_binding" "mybucket-viewers" {
        ...
      
        depends_on = [
          yandex_storage_bucket_grant.my_bucket_grant
        ]
      }
      ```

  1. Apply the configuration:

     1. In the terminal, navigate to the configuration file directory.
     1. Make sure the configuration is correct using this command:
     
        ```bash
        terraform validate
        ```
     
        If the configuration is valid, you will get this message:
     
        ```bash
        Success! The configuration is valid.
        ```
     
     1. Run this command:
     
        ```bash
        terraform plan
        ```
     
        You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
     1. Apply the configuration changes:
     
        ```bash
        terraform apply
        ```
     
     1. Type `yes` and press **Enter** to confirm the changes.

     You can check the resource updates in the [management console](https://console.yandex.cloud) or using this [CLI](../../../cli/index.md) command:

     ```bash
     yc storage bucket get <bucket_name> --full
     ```

  **yandex_storage_bucket (obsolete)** {#tf-yandex_storage_bucket}

  1. In the configuration file, specify the properties of the resources you want to create:

     ```hcl
     resource "yandex_storage_bucket" "test" {
       access_key = "<static_key_ID>"
       secret_key = "<secret_key>"
       bucket = "<bucket_name>"
       grant {
         id          = "<user_ID>"
         type        = "CanonicalUser"
         permissions = ["FULL_CONTROL"]
       }

       grant {
         type        = "Group"
         permissions = ["READ", "WRITE"]
         uri         = "http://acs.amazonaws.com/groups/global/AllUsers"
       }
     }
     ```

     Where:

     * `access_key`: Static access key ID.
     * `secret_key`: Secret access key value.
     * `bucket`: Bucket name. This is a required setting.
     * `grant`: [ACL](../../concepts/acl.md) settings. This is an optional setting. To manage it, the service account with static access keys must have the `storage.admin` [role](../../security/index.md#roles-list) for the bucket or folder.
       * `type`: Permission grantee type. The possible values are:
         * `CanonicalUser`: For a user, [service account](../../../iam/concepts/users/service-accounts.md), or [user group](../../../organization/concepts/groups.md).
         * `Group`: For a [public group](../../concepts/acl.md#public-groups).
       * `permissions`: Type of ACL [permissions](../../concepts/acl.md#permissions-types). It can take the following values:
         * `READ`: Permission to access the list of objects in the bucket, read various bucket settings (lifecycle, CORS, and static hosting), and read all objects in the bucket.
         * `WRITE`: Permission to write, overwrite, and delete objects in the bucket. It can only be used together with `READ`, e.g., `permissions = ["READ", "WRITE"]`.
         * `FULL_CONTROL`: Full access to the bucket and objects in it.

         For more information about permissions, see [Permission types](../../concepts/acl.md#permissions-types).

       * `id`: ID of the user, service account, or user group:

         * [User](../../../organization/operations/users-get.md).
         * [Service account](../../../iam/operations/sa/get-id.md).
         * User group: Navigate to the [**Groups**](https://center.yandex.cloud/organization/groups) tab in the Cloud Center interface.

         It is used with the `CanonicalUser` type of permission grantee.

       * `uri`: Public group ID. It is used with the `Group` type of permission grantee. The possible values are:
         * `http://acs.amazonaws.com/groups/global/AllUsers`: All internet users.
         * `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`: All authenticated Yandex Cloud users.

     Instead of `grant`, you can specify `acl`, i.e., the [predefined ACL](../../concepts/acl.md#predefined-acls) of the bucket. The default value is `private`: Yandex Cloud users get permissions according to their roles in IAM.

     For more information about the `yandex_storage_bucket` properties, see [this provider guide](../../../terraform/resources/storage_bucket.md).

  1. Apply the configuration:

     1. In the terminal, navigate to the configuration file directory.
     1. Make sure the configuration is correct using this command:
     
        ```bash
        terraform validate
        ```
     
        If the configuration is valid, you will get this message:
     
        ```bash
        Success! The configuration is valid.
        ```
     
     1. Run this command:
     
        ```bash
        terraform plan
        ```
     
        You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
     1. Apply the configuration changes:
     
        ```bash
        terraform apply
        ```
     
     1. Type `yes` and press **Enter** to confirm the changes.

     You can check the resource updates in the [management console](https://console.yandex.cloud) or using this [CLI](../../../cli/index.md) command:

     ```bash
     yc storage bucket get <bucket_name> --full
     ```

- API {#api}

  To edit a bucket's ACL, use the [update](../../api-ref/Bucket/update.md) REST API method for the [Bucket](../../api-ref/Bucket/index.md) resource, the [BucketService/Update](../../api-ref/grpc/Bucket/update.md) gRPC API call, or the [bucketPutAcl](../../s3/api-ref/acl/bucketput.md) S3 API method.

{% endlist %}