[Yandex Cloud documentation](../../index.md) > [Yandex Virtual Private Cloud](../index.md) > [Step-by-step guides](index.md) > Service connections > Assigning an access policy in Object Storage for a service connection

# Assigning an access policy in Object Storage for a service connection


[Bucket policies](../../storage/concepts/policy.md) set permissions for operations with [buckets](../../storage/concepts/bucket.md), [objects](../../storage/concepts/object.md), and object groups.

The minimum role required to apply or modify an access policy is `storage.configurer`. For more information, see the [role description](../../storage/security/index.md#storage-configurer).

To assign an access policy in Object Storage for a [service connection](../concepts/private-endpoint.md):

{% note info %}

At the [access policy](../../storage/concepts/policy.md) level, you can grant access to the bucket from VPC service connections with IDs specified in the policy. However, as the [access flow chart](../../storage/security/overview.md#scheme) shows, the bucket will still be accessible from the public network, e.g., though an object [ACL](../../storage/concepts/acl.md) or under another enabling rule in the policy.

In addition, a bucket configured this way still supports [server-side copy](../../storage/operations/objects/copy.md), both from and to the bucket.

{% endnote %}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder where you configured the VPC service connection.
  1. Navigate to **Object Storage**.
  1. Select the bucket from the list.
  1. In the left-hand menu, go to the ![image](../../_assets/console-icons/persons-lock.svg) **Security** tab.
  1. At the top of the screen, navigate to the **Access policy** tab.
  1. Click **Configure access**.
  1. Enter a bucket policy ID, e.g., `private-endpoint-policy`.
  1. Set up a rule:

      1. Enter a rule ID, e.g., `private-endpoint-rule`.
      1. Configure rule settings:
          * **Result**: Enable.
          * **Selection principle**: Include users.
          * **User**: All users.
          * **Action**: Select **All actions**.
          * **Resource** — `<bucket_name>/*`.

            Click **Add resource** and enter `<bucket_name>`.

            {% note info %}

            A bucket resource does not include resources of all its objects. To make sure a bucket policy rule refers to the bucket and all the objects, specify them as separate resources, e.g., `samplebucket` and `samplebucket/*`.

            {% endnote %}

      1. Add a [condition](../../storage/s3/api-ref/policy/conditions.md) for the rule:

          * In the **Key** field, select `private-endpoint-id`.
          * In the **Operator** field, select `StringEquals`.
          * In the **Value** field, specify the service connection (private endpoint) ID, e.g., `enpd7rq1s3f5********`.
  1. Click **Save**.

- Yandex Cloud CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command for updating bucket settings:

      ```bash
      yc storage bucket update --help
      ```

  1. Describe your bucket policy configuration as a JSON [data schema](../../storage/s3/api-ref/policy/scheme.md):

      ```json
      {
        "Version": "2012-10-17",
        "Statement": {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "*",
          "Resource": [
            "arn:aws:s3:::<bucket_name>/*",
            "arn:aws:s3:::<bucket_name>"
          ],
          "Condition": {
            "StringEquals": {
              "yc:private-endpoint-id": "<connection_ID>"
            }
          }
        }
      }
      ```
      
      Where:
      
      * `<bucket_name>`: Name of the bucket in Object Storage to which you need to apply the access policy, e.g., `my-s3-bucket`.
      * `<connection_ID>`: Service connection ID (private endpoint), e.g., `enpd7rq1s3f5********`.

  1. Save the final configuration to a file named `policy.json`.
  1. Run this command:

      ```bash
      yc storage bucket update \
        --name <bucket_name> \
        --policy-from-file <policy_file_path>
      ```

      Once the bucket policy is applied, you can access the bucket only from the VPC cloud network in which you created the relevant service connection (private endpoint).

- AWS CLI {#aws-cli}

  {% note info %}

  To manage a policy using the AWS CLI, a service account needs the `storage.admin` [role](../../storage/security/index.md#storage-admin).

  {% endnote %}

  If you do not have the AWS CLI yet, [install and configure it](../../storage/tools/aws-cli.md).

  1. Describe your bucket policy configuration as a JSON [data schema](../../storage/s3/api-ref/policy/scheme.md):

      ```json
      {
        "Version": "2012-10-17",
        "Statement": {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "*",
          "Resource": [
            "arn:aws:s3:::<bucket_name>/*",
            "arn:aws:s3:::<bucket_name>"
          ],
          "Condition": {
            "StringEquals": {
              "yc:private-endpoint-id": "<connection_ID>"
            }
          }
        }
      }
      ```
      
      Where:
      
      * `<bucket_name>`: Name of the bucket in Object Storage to which you need to apply the access policy, e.g., `my-s3-bucket`.
      * `<connection_ID>`: Service connection ID (private endpoint), e.g., `enpd7rq1s3f5********`.

  1. Save the final configuration to a file named `policy.json`.

  1. Run this command:

      ```bash
      aws s3api put-bucket-policy \
        --endpoint https://storage.yandexcloud.net \
        --bucket <bucket_name> \
        --policy file://policy.json
      ```

  Once the bucket policy is applied, you can access the bucket only from the VPC cloud network in which you created the relevant service connection (private endpoint).

- Terraform {#tf}

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../terraform/authentication.md) using the appropriate method.

  By default, Terraform uses an IAM token for authentication in Object Storage. In addition to an IAM token, you can use a service account and static access keys for authentication in Object Storage. For more information about Terraform authentication in Object Storage, see the [relevant provider documentation](../../terraform/resources/storage_bucket.md).

  {% note info %}
  
  If you access Object Storage via Terraform under a [service account](../../iam/concepts/users/service-accounts.md), [assign](../../iam/operations/sa/assign-role-for-sa.md) to the service account the relevant [role](../../storage/security/index.md#roles-list), e.g., `storage.admin`, for the folder you are going to create the resources in.
  
  {% endnote %}

  1. Open the Terraform configuration file and specify the policy using the `yandex_storage_bucket_policy` resource:

     ```hcl
     resource "yandex_storage_bucket_policy" "bpolicy" {
       bucket = "my-policy-bucket"
       policy = <<POLICY
     {
       "Version": "2012-10-17",
       "Statement": {
         "Effect": "Allow",
         "Principal": "*",
         "Action": "*",
         "Resource": [
           "arn:aws:s3:::<bucket_name>/*",
           "arn:aws:s3:::<bucket_name>"
         ],
         "Condition": {
           "StringEquals": {
             "yc:private-endpoint-id": "<connection_ID>"
           }
         }
       }
     }
     POLICY
     }
     ```

     Where:
     * `<bucket_name>`: Name of the bucket in Object Storage to which you need to apply the access policy, e.g., `my-s3-bucket`.
     * `<connection_ID>`: Service connection ID (private endpoint), e.g., `enpd7rq1s3f5********`.

     For more information about `yandex_storage_bucket_policy` properties, see [this provider guide](../../terraform/resources/storage_bucket_policy.md).

  1. Apply the changes:

     1. In the terminal, navigate to the configuration file directory.
     1. Make sure the configuration is correct using this command:
     
        ```bash
        terraform validate
        ```
     
        If the configuration is valid, you will get this message:
     
        ```bash
        Success! The configuration is valid.
        ```
     
     1. Run this command:
     
        ```bash
        terraform plan
        ```
     
        You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
     1. Apply the configuration changes:
     
        ```bash
        terraform apply
        ```
     
     1. Type `yes` and press **Enter** to confirm the changes.

     You can check the update using the [management console](https://console.yandex.cloud).

- API {#api}

  To configure a bucket policy, use the [update](../../storage/api-ref/Bucket/update.md) REST API method for the [Bucket](../../storage/api-ref/Bucket/index.md) resource, the [BucketService/Update](../../storage/api-ref/grpc/Bucket/update.md) gRPC API call, or the [PutBucketPolicy](../../storage/s3/api-ref/policy/put.md) S3 API method. If the bucket already had a bucket policy configured, it will be completely overwritten once you apply the new policy.

{% endlist %}

Learn more about managing a bucket policy in [Bucket policy management](../../storage/operations/buckets/policy.md).