[Yandex Cloud documentation](../../index.md) > [Yandex Object Storage](../index.md) > [Tools](index.md) > SDK > AWS SDK for Python (boto)

# boto3 and boto


[boto3](https://github.com/boto/boto3) and [boto](https://github.com/boto/boto) are software development kits (SDKs) for the Python 2.x and 3.x programming languages. The SDKs are designed for working with AWS services.


## Getting started {#before-you-begin}

1. [Create a service account](../../iam/operations/sa/create.md).
1. [Assign to the service account the roles](../../iam/operations/sa/assign-role-for-sa.md) required for your project, e.g., [storage.editor](../security/index.md#storage-editor) for a bucket (to work with a particular bucket) or a folder (to work with all buckets in this folder). For more information about roles, see [Access management with Yandex Identity and Access Management](../security/index.md).

          
    To work with objects in an [encrypted](../concepts/encryption.md) bucket, a user or [service account](../../iam/concepts/users/service-accounts.md) must have the following [roles for the encryption key](../../kms/operations/key-access.md) in addition to the `storage.configurer` [role](../security/index.md#storage-configurer):
    
    * `kms.keys.encrypter`: To read the key, [encrypt](../../kms/security/index.md#kms-keys-encrypter) and upload objects.
    * `kms.keys.decrypter`: To read the key, [decrypt](../../kms/security/index.md#kms-keys-decrypter) and download objects.
    * `kms.keys.encrypterDecrypter`: This role includes the `kms.keys.encrypter` and `kms.keys.decrypter` [permissions](../../kms/security/index.md#kms-keys-encrypterDecrypter).
    
    For more information, see [Key Management Service service roles](../../kms/security/index.md#service-roles).


1. [Create a static access key](../../iam/operations/authentication/manage-access-keys.md#create-access-key).

    
    As a result, you will get the static access key data. To authenticate in Object Storage, you will need the following:
    
    * `key_id`: Static access key ID
    * `secret`: Secret key
    
    Save `key_id` and `secret`: you will not be able to get the key value again.



To access the HTTP API directly, you need static key authentication, which is supported by the tools listed in [Supported tools](index.md).
  
{% note info %}

You can [disable using static keys for bucket access](../operations/buckets/disable-statickey-auth.md). Once disabled, access will be denied to all tools using this access option: the AWS CLI, SDK, and third-party applications. Access via [ephemeral keys](../security/ephemeral-keys.md), [temporary Security Token Service access keys](../security/sts.md), and [pre-signed URLs](../security/overview.md#pre-signed) will also be disabled. Only access with an [IAM token](../../iam/concepts/authorization/iam-token.md) or [anonymous access](../security/public-access.md) (if enabled) will remain.

{% endnote %}


You can use Yandex Lockbox to safely store the static key for access to Object Storage. For more information, see [Using a Yandex Lockbox secret to store a static access key](../tutorials/static-key-in-lockbox/index.md).

{% note info %}

A service account is only allowed to view a list of buckets in the folder it was created in.

A service account can perform actions with objects in buckets that are created in folders different from the service account folder. To enable this, [assign](../../iam/operations/sa/assign-role-for-sa.md) the service account [roles](../security/index.md#service-roles) for the appropriate folder or its bucket.

{% endnote %}

## Installation {#installation}

To install `boto`, follow the tutorial in the developer's repository: [boto3](https://github.com/boto/boto3/blob/develop/README.rst#quick-start), [boto](https://github.com/boto/boto#installation).

## Configuration {#setup}

{% list tabs group=instructions %}

- Locally {#locally}

  1. Create a directory to store the authentication data in and navigate to it: 
  
      For macOS and Linux:
  
      ```bash
      mkdir ~/.aws/
      ```
  
      For Windows:
  
      ```bash
      mkdir C:\Users\<username>\.aws\
      ```
  
  1. In the `.aws` directory, create a file named `credentials` and copy the credentials [received earlier](#before-you-begin) into it:
  
      ```text
      [default]
      aws_access_key_id = <static_key_ID>
      aws_secret_access_key = <secret_key>
      ```
  
  1. Create a file named `config` with the default region settings and copy the following information to it:
  
      ```text
      [default]
      region = ru-central1
      endpoint_url = https://storage.yandexcloud.net
      ```
  
      {% note info %}
  
      Some apps designed to work with Amazon S3 do not allow you to specify the region; this is why Object Storage may also accept the main AWS region value, which is the [first row in the table of regions](https://docs.aws.amazon.com/global-infrastructure/latest/regions/aws-regions.html#available-regions).
  
      {% endnote %}
  
  To access Object Storage, use the `https://storage.yandexcloud.net` endpoint.

- Yandex Cloud Functions {#functions}
  
  [Add environment variables](../../functions/operations/function/version-manage.md#version-env) to a function in Cloud Functions:

  * `AWS_ACCESS_KEY_ID`: Static key ID of the service account.
  * `AWS_SECRET_ACCESS_KEY`: Secret key.
  * `AWS_DEFAULT_REGION`: Region ID.

  Use the `storage.yandexcloud.net` address to access Object Storage.

{% endlist %}


## Example {#boto-example}


{% list tabs group=instructions %}

- Locally {#locally}
  
  boto3: 

  ```python
  #!/usr/bin/env python
  #-*- coding: utf-8 -*-
  import boto3
  session = boto3.session.Session()
  s3 = session.client(
      service_name='s3',
      endpoint_url='https://storage.yandexcloud.net'
  )
  
  # Creating a new bucket
  s3.create_bucket(Bucket='bucket-name')
  
  # Uploading objects into a bucket
  
  ## From a string
  s3.put_object(Bucket='bucket-name', Key='object_name', Body='TEST', StorageClass='COLD')
  
  ## From a file
  s3.upload_file('this_script.py', 'bucket-name', 'py_script.py')
  s3.upload_file('this_script.py', 'bucket-name', 'script/py_script.py')
  
  # Getting a list of objects in a bucket
  for key in s3.list_objects(Bucket='bucket-name')['Contents']:
      print(key['Key'])
  
  # Deleting multiple objects
  forDeletion = [{'Key':'object_name'}, {'Key':'script/py_script.py'}]
  response = s3.delete_objects(Bucket='bucket-name', Delete={'Objects': forDeletion})
  
  # Getting an object
  get_object_response = s3.get_object(Bucket='bucket-name',Key='py_script.py')
  print(get_object_response['Body'].read())
  ```

  Boto3 retrieves authentication credentials from the `~/.aws` directory by default, but you can manually set the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` variables.

  ```python
  ...
  session = boto3.session.Session()
  s3 = session.client(
      service_name='s3',
      endpoint_url='https://storage.yandexcloud.net',
      aws_access_key_id='<static_key_ID>',
      aws_secret_access_key='<secret_key>'
  )
  ```

  {% note info %}

  This method is not considered secure as it poses a risk of key leaks.

  {% endnote %}

  {% cut "boto" %}

  ```python
  #!/usr/bin/env python
  #-*- coding: utf-8 -*-
  import os
  from boto.s3.key import Key
  from boto.s3.connection import S3Connection
  os.environ['S3_USE_SIGV4'] = 'True'
  conn = S3Connection(
      host='storage.yandexcloud.net'
  )
  conn.auth_region_name = 'ru-central1'
  
  # Creating a new bucket
  conn.create_bucket('bucket-name')
  bucket = conn.get_bucket('bucket-name')
  
  # Uploading objects into a bucket
  
  ## From a string
  bucket.new_key('test-string').set_contents_from_string('TEST')
  
  ## From a file
  file_key_1 = Key(bucket)
  file_key_1.key = 'py_script.py'
  file_key_1.set_contents_from_filename('this_script.py')
  file_key_2 = Key(bucket)
  file_key_2.key = 'script/py_script.py'
  file_key_2.set_contents_from_filename('this_script.py')
  
  # Getting a list of objects in a bucket
  keys_list=bucket.list()
  for key in keys_list:
      print (key.key)
  
  # Deleting multiple objects
  response = bucket.delete_keys(['test-string', 'py_script.py'])
  
  # Getting an object
  key = bucket.get_key('script/py_script.py')
  print (key.get_contents_as_string())
  ```

  {% endcut %}

- Yandex Cloud Functions {#functions}

  For an example, see this [video conversion guide](../tutorials/video-converting-queue/index.md).

{% endlist %}