How to create a service account in Object Storage that has permissions only for one bucket?
I've tried to create service account via Web Console, but can't find any roles related to Object Storage:
Asked
Active
Viewed 597 times
1
myaut
- 11,174
- 2
- 30
- 62
1 Answers
2
To restrict access for a service account, you need to use ACL.
You'll also need to use YC CLI and AWS CLI.
Let me explain everything from the beginning starting with account creation.
# yc iam service-account create name <account name>
id: <service-account id>
folder_id: <folder_id>
created_at: "2019-01-23T45:67:89Z"
name: <account name>
# yc iam access-key create service-account-name <account name>
access_key:
id: <operation id>
service_account_id: <service-account_id>
created_at: "2019-12-34T56:78:90Z"
key_id: <key id>
secret: <secret key>
Save the key_id and the secret key. Now set the AWS CLI according to the instruction in documentation to work from the admin service account.
Create a bucket and set access for it. To grant access, you need to set the service_account_id in the put-bucket-acl command of the id field.
# aws endpoint-url=https://storage.yandexcloud.net s3
mb s3://<bucket_name>
make_bucket: <bucket_name>
# aws endpoint-url=https://storage.yandexcloud.net
s3api put-bucket-acl \
bucket hidden-bucket grant-full-control
id=<service_account_id> \
grant-read
P.S. The only problem is that Yandex Object storage doesn't support permission "WRITE", and you can only set full-access for a service account. It means it can edit ACL on its bucket.
