# Editing an object ACL

Object Storage incorporates several access management mechanisms. To learn how these mechanisms interact, see [Access management methods in Object Storage: Overview](../../security/overview.md).

To manage access to an object in an Object Storage bucket, you can use an [ACL](../../concepts/acl.md).

{% note info %}

If your object already has a configured [ACL](../../concepts/acl.md), it will be completely overwritten once you apply the changes.

{% endnote %}

{% list tabs group=instructions %}

- Management console {#console}

    1. In the [management console](https://console.yandex.cloud), select a folder.
    1. Navigate to **Object Storage**.
    1. Select the bucket from the list.
    1. In the left-hand panel, select ![image](../../../_assets/console-icons/folder-tree.svg) **Objects** and find the object in the list.
    1. To edit the ACL, click ![image](../../../_assets/console-icons/ellipsis.svg) in the row with the object and select **Object ACL**.

        Alternatively, you can click the object's name; on the page that opens, click ![image](../../../_assets/console-icons/ellipsis.svg) at the top right and select **Object ACL**.

        In the **ACL editing** window that opens, grant or revoke the relevant permissions:
        
        1. Select the [subjects](../../../iam/concepts/access-control/index.md#subject) you need from the list. To do this, place the cursor in the subject input field, then select the required [user](../../../overview/roles-and-resources.md#users), [service account](../../../iam/concepts/users/service-accounts.md), [user group](../../../organization/concepts/groups.md), [system group](../../../iam/concepts/access-control/system-group.md), or [public group](../../../iam/concepts/access-control/public-group.md) in the form that appears. If required, use the relevant tabs in the form or the search bar to find a subject by name or email address.
        
            To grant permissions for multiple subjects at the same time, select them one by one.
        
        1. Specify the relevant [permission type](../../concepts/acl.md#permissions-types) for the selected subjects and click **Add**.
        
        1. To grant different types of permission to subjects, repeat the two previous steps.
        
        1. To revoke a subject's permission, click **Cancel** in the permission row.
        
        1. Click **Save**.

        {% note info %}
  
        In the management console, you can only grant permissions to service accounts created in the same folder as the bucket. You can grant permissions to service accounts belonging to other folders using the Yandex Cloud CLI (only for ACL buckets), AWS CLI, Terraform, or API.
  
        {% endnote %}

- Yandex Cloud CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  {% note info %}

  To manage the object's ACL, assign the `storage.admin` [role](../../security/index.md#storage-admin) to the service account used by the Yandex Cloud CLI.

  {% endnote %}


  View the object's current ACL:

  ```bash
  yc storage s3api get-object-acl \
    --bucket <bucket_name> \
    --key <object_key>
  ```

  Where:

  * `--bucket`: Bucket name.
  * `--key`: Object key.

  You can apply a [predefined ACL](../../concepts/acl.md#predefined-acls) to an object or configure permissions for individual users, [service accounts](../../../iam/concepts/users/service-accounts.md), [user groups](../../../organization/concepts/groups.md), and [public groups](../../concepts/acl.md#public-groups) (all internet users, all authenticated Yandex Cloud users). These settings cannot be used together: an object can have either a predefined ACL or individual permissions.

  _Predefined ACL_

  Run this command:

  ```bash
  yc storage s3api put-object-acl \
    --bucket <bucket_name> \
    --key <object_key> \
    --acl <predefined_ACL>
  ```

  Where:

  * `--bucket`: Bucket name.
  * `--key`: Object key.
  * `--acl`: Predefined ACL. For the list of values, see [Predefined ACLs](../../concepts/acl.md#predefined-acls).

  _Setting up individual permissions_

  1. To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:

      * [User](../../../organization/operations/users-get.md).
      * [Service account](../../../iam/operations/sa/get-id.md).
      * User group: Navigate to the [**Groups**](https://center.yandex.cloud/organization/groups) tab in the Cloud Center interface.

  1. Run this command:

      ```bash
      yc storage s3api put-object-acl \
        --bucket <bucket_name> \
        --key <object_key> \
        <permission_type> <permission_grantee>
      ```

      Where:

      * `--bucket`: Bucket name.
      * `--key`: Object key.
      * The possible types of ACL permissions are as follows:

          * `--grant-read`: Read access to the object.
          * `--grant-full-control`: Full access to the object.
          * `--grant-read-acp`: Read access to the object ACL.
          * `--grant-write-acp`: Edit access to the object ACL.

          You can specify multiple permissions in a single command.

      * The possible permission grantees are as follows:

          * `id=<grantee_ID>`: ID of the user, service account, or user group you need to grant a permission to.
          * `uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers`: [Public group](../../concepts/acl.md#public-groups) that includes all authenticated Yandex Cloud users.
          * `uri=http://acs.amazonaws.com/groups/global/AllUsers`: Public group that includes all internet users.

- AWS CLI {#aws-cli}

  If you do not have the AWS CLI yet, [install and configure it](../../tools/aws-cli.md).

  {% note info %}

  To manage the object's ACL, assign the `storage.admin` [role](../../security/index.md#storage-admin) to the service account used by the AWS CLI.

  {% endnote %}


  View the object's current ACL:

  ```bash
  aws s3api get-object-acl \
    --endpoint https://storage.yandexcloud.net \
    --bucket <bucket_name> \
    --key <object_key>
  ```

  Where:

  * `--endpoint`: Object Storage endpoint.
  * `--bucket`: Bucket name.
  * `--key`: Object key.

  You can apply a [predefined ACL](../../concepts/acl.md#predefined-acls) to an object or configure permissions for individual users, [service accounts](../../../iam/concepts/users/service-accounts.md), [user groups](../../../organization/concepts/groups.md), and [public groups](../../concepts/acl.md#public-groups) (all internet users, all authenticated Yandex Cloud users). These settings cannot be used together: an object can have either a predefined ACL or individual permissions.

  _Predefined ACL_

  Run this command:

  ```bash
  aws s3api put-object-acl \
    --endpoint https://storage.yandexcloud.net \
    --bucket <bucket_name> \
    --key <object_key> \
    --acl <predefined_ACL>
  ```

  Where:

  * `--endpoint`: Object Storage endpoint.
  * `--bucket`: Bucket name.
  * `--key`: Object key.
  * `--acl`: Predefined ACL. For the list of values, see [Predefined ACLs](../../concepts/acl.md#predefined-acls).

  _Setting up individual permissions_

  1. To grant ACL permissions to a Yandex Cloud user, service account, or user group, get their IDs:

      * [User](../../../organization/operations/users-get.md).
      * [Service account](../../../iam/operations/sa/get-id.md).
      * User group: Navigate to the [**Groups**](https://center.yandex.cloud/organization/groups) tab in the Cloud Center interface.

  1. Run this command:

      ```bash
      aws s3api put-object-acl \
        --endpoint https://storage.yandexcloud.net \
        --bucket <bucket_name> \
        --key <object_key> \
        <permission_type> <permission_grantee>
      ```

      Where:

      * `--endpoint`: Object Storage endpoint.
      * `--bucket`: Bucket name.
      * `--key`: Object key.
      * The possible types of ACL permissions are as follows:

          * `--grant-read`: Read access to the object.
          * `--grant-full-control`: Full access to the object.
          * `--grant-read-acp`: Read access to the object ACL.
          * `--grant-write-acp`: Edit access to the object ACL.

          You can specify multiple permissions in a single command.

      * The possible permission grantees are as follows:

          * `id=<grantee_ID>`: ID of the user, service account, or user group you need to grant a permission to.
          * `uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers`: [Public group](../../concepts/acl.md#public-groups) that includes all authenticated Yandex Cloud users.
          * `uri=http://acs.amazonaws.com/groups/global/AllUsers`: Public group that includes all internet users.

- Terraform {#tf}

  {% note info %}
  
  If you access Object Storage via Terraform under a [service account](../../../iam/concepts/users/service-accounts.md), [assign](../../../iam/operations/sa/assign-role-for-sa.md) the service account the relevant [role](../../security/index.md#roles-list), e.g., `storage.admin`, for the folder where you are going to create the resources.
  
  {% endnote %}


  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the relevant documentation on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../../terraform/index.md).

  
  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.



  To edit an object ACL:

  1. Open the Terraform configuration file and add the `acl` parameter to the object description:

     ```hcl
     ...
     resource "yandex_storage_object" "cute-cat-picture" {
       access_key = "<static_key_ID>"
       secret_key = "<secret_key>"
       bucket     = "cat-pictures"
       key        = "cute-cat"
       source     = "/images/cats/cute-cat.jpg"
       acl        = "public-read"
     }
     ...
     ```

     Where:
     * `access_key`: Static access key ID.

        {% note info %}
        
        In addition to static access keys, you can use an IAM token for authentication in Object Storage. For more details, see [Creating a bucket](../buckets/create.md) and the [relevant provider documentation](../../../terraform/resources/storage_object.md). 
        
        {% endnote %}

     * `secret_key`: Secret access key value.
     * `acl`: Object's [predefined ACL](../../concepts/acl.md#predefined-acls). The default value is `private`: Yandex Cloud users get permissions according to their roles in IAM.

     For more information about the `yandex_storage_object` properties in Terraform, see [this provider guide](../../../terraform/resources/storage_object.md).

  1. Apply the changes:

      1. In the terminal, navigate to the configuration file directory.
      1. Make sure the configuration is correct using this command:
      
         ```bash
         terraform validate
         ```
      
         If the configuration is valid, you will get this message:
      
         ```text
         Success! The configuration is valid.
         ```
      
      1. Run this command:
      
         ```bash
         terraform plan
         ```
      
         You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
      1. Apply the configuration changes:
      
         ```bash
         terraform apply
         ```
      
      1. Type `yes` and press **Enter** to confirm the changes.

     You can check the update using the [management console](https://console.yandex.cloud).

- API {#api}

  To edit an object ACL, use the [objectPutAcl](../../s3/api-ref/acl/objectput.md) S3 API method.

  To upload an object and set its ACL, use the [upload](../../s3/api-ref/object/upload.md) S3 API method with the `X-Amz-Acl`, `X-Amz-Grant-Read`, `X-Amz-Grant-Read-Acp`, `X-Amz-Grant-Write-Acp`, and `X-Amz-Grant-Full-Control` headers.

{% endlist %}
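
Because applying an ACL completely overwrites the existing one, adding a single grant means restating every grant you want to keep. The Python sketch below is an added example, not part of the Yandex Cloud documentation: it reads ACL JSON in the shape `aws s3api get-object-acl` prints, reports grants to the public groups, and builds the grant arguments for `put-object-acl`. The sample ACL and its IDs are constructed, the function names are hypothetical, and passing several comma-separated grantees to one flag is assumed to work as it does in the AWS CLI.

```python
import json

# Public groups named on this page.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "all internet users",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "all authenticated Yandex Cloud users",
}
# S3 permission names mapped to the grant flags listed on this page.
FLAGS = {"READ": "--grant-read", "FULL_CONTROL": "--grant-full-control",
         "READ_ACP": "--grant-read-acp", "WRITE_ACP": "--grant-write-acp"}

# Constructed sample in the JSON shape `aws s3api get-object-acl` prints; IDs are made up.
SAMPLE_ACL = json.loads("""{
  "Owner": {"ID": "constructed-owner-id"},
  "Grants": [
    {"Grantee": {"ID": "constructed-owner-id", "Type": "CanonicalUser"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}
  ]}""")

def grantee_spec(grantee):
    """Render a Grantee record in the id=/uri= form the CLI flags take."""
    return "uri=" + grantee["URI"] if "URI" in grantee else "id=" + grantee["ID"]

def public_grants(acl):
    """Return (permission, audience) for every grant to a public group."""
    return [(g["Permission"], PUBLIC_GROUPS[g["Grantee"]["URI"]])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("URI") in PUBLIC_GROUPS]

def merged_grant_args(acl, new_permission, new_grantee, drop_public=False):
    """Build put-object-acl grant arguments that restate the existing grants
    (the new ACL replaces the old one entirely) plus one new grant."""
    grants = [(g["Permission"], grantee_spec(g["Grantee"])) for g in acl.get("Grants", [])]
    grants.append((new_permission, new_grantee))
    by_flag = {}
    for permission, spec in grants:
        if drop_public and spec.startswith("uri=") and spec[4:] in PUBLIC_GROUPS:
            continue  # leave public-group grants out of the new ACL
        if permission not in FLAGS:
            raise ValueError(f"no object ACL flag for permission {permission!r}")
        specs = by_flag.setdefault(FLAGS[permission], [])
        if spec not in specs:
            specs.append(spec)
    args = []
    for flag, specs in by_flag.items():
        args += [flag, ",".join(specs)]
    return args
```

Append the returned list to `aws s3api put-object-acl --endpoint ... --bucket ... --key ...`, then run `get-object-acl` again to confirm the resulting grants.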