Configuring Access Control with Both VPC Endpoint and Bucket Policies
Example 1: Configuring a VPC Endpoint Policy Only
Description
Servers in VPC1 are allowed to download objects from bucket mybucket, and nothing else, through the VPC endpoint. A VPC endpoint policy only restricts the requests that pass through that endpoint; it does not stop access to mybucket from other networks. To restrict the bucket itself to VPC1, also configure a bucket policy as shown in Example 3.
The ID of VPC1 is 4dad1f75-0361-4aa4-ac75-1ffdda3a0fec.
Configuration
Configure the VPC endpoint policy for VPC1 as follows:
Path: Service List > VPC Endpoint > ID of a desired VPC endpoint > Policy > Edit
[
  {
    "Action": ["obs:object:GetObject"],
    "Resource": ["obs:*:*:object:mybucket/*"],
    "Effect": "Allow"
  }
]
Example 2: Configuring a VPC Endpoint Policy to Protect Specified Resources from Being Downloaded
Description
Servers in VPC1 are allowed to download all objects from bucket mybucket except object myobject. The explicit Deny statement for mybucket/myobject takes precedence over the Allow statement that matches mybucket/*.
Configuration
Configure the VPC endpoint policy for VPC1 as follows:
Path: Service List > VPC Endpoint > ID of a desired VPC endpoint > Policy > Edit
[
  {
    "Action": ["obs:object:GetObject"],
    "Resource": ["obs:*:*:object:mybucket/*"],
    "Effect": "Allow"
  },
  {
    "Action": ["obs:object:GetObject"],
    "Resource": ["obs:*:*:object:mybucket/myobject"],
    "Effect": "Deny"
  }
]
Example 3: Configuring Both VPC Endpoint and Bucket Policies
Description
Only servers in VPC1 can upload objects to or download objects from bucket mybucket, and servers in VPC1 can upload to or download from bucket mybucket only. The VPC endpoint policy enforces the second half (what may leave VPC1 through the endpoint); the bucket policy enforces the first half (who may reach the bucket).
The ID of VPC1 is 4dad1f75-0361-4aa4-ac75-1ffdda3a0fec.
Configuration
- Configure the VPC endpoint policy for VPC1 as follows:
Path: Service List > VPC Endpoint > ID of a desired VPC endpoint > Policy > Edit
[
  {
    "Action": ["obs:object:GetObject", "obs:object:PutObject"],
    "Resource": ["obs:*:*:object:mybucket/*"],
    "Effect": "Allow"
  }
]
- Configure the bucket policy for bucket mybucket as follows:
For details, see Creating a Custom Bucket Policy (JSON View).
You need to configure two bucket policies:
- Bucket policy 1: Allow servers in VPC1 to upload or download objects to or from bucket mybucket.
In the example below, the statement ID statementId can be customized. Replace domainId and userId with the domain ID and user ID of the account that is allowed to upload and download objects. For details, see Bucket Policies.
{
  "Statement": [
    {
      "Sid": "statementId",
      "Effect": "Allow",
      "Principal": {"ID": ["domain/domainId:user/userId"]},
      "Action": ["GetObject", "PutObject"],
      "Resource": ["mybucket/*"],
      "Condition": {"StringEquals": {"SourceVpc": ["4dad1f75-0361-4aa4-ac75-1ffdda3a0fec"]}}
    }
  ]
}
- Bucket policy 2: Prevent servers in VPCs other than VPC1 from performing operations on bucket mybucket and the objects therein.
The statement ID DenyReqNotFromVpc can be customized. The condition operator is StringNotEquals; a request that carries no SourceVpc at all (for example, one arriving from the Internet) also satisfies it and is denied.
{
  "Statement": [
    {
      "Sid": "DenyReqNotFromVpc",
      "Effect": "Deny",
      "Principal": {"ID": ["*"]},
      "Action": "*",
      "Resource": ["mybucket", "mybucket/*"],
      "Condition": {"StringNotEquals": {"SourceVpc": ["4dad1f75-0361-4aa4-ac75-1ffdda3a0fec"]}}
    }
  ]
}
Note
After this bucket policy is configured, authorized IAM users can still upload objects to or download objects from OBS using SDKs or APIs. If uploads or downloads on OBS Console or OBS Browser+ are required, the obs:bucket:ListAllMyBuckets and obs:bucket:ListBucket permissions must also be configured in IAM. Otherwise, an error is reported during login to OBS Console or OBS Browser+, and buckets and their objects cannot be displayed.
Example 4: Authorizing Other Cloud Services to Access a Bucket After Configuring Both VPC Endpoint and Bucket Policies
Description
After both a VPC endpoint policy for VPC1 and a bucket policy for bucket mybucket are configured, other cloud services, including OBS itself, can no longer access bucket mybucket, because their requests do not originate from VPC1. To authorize a cloud service to access bucket mybucket, create an IAM agency for it and allow that agency in the bucket policy.
The ID of VPC1 is 4dad1f75-0361-4aa4-ac75-1ffdda3a0fec.
Configuration
- Configure the VPC endpoint policy for VPC1 as follows:
Allow only servers in VPC1 to upload or download objects to or from bucket mybucket.
Path: Service List > VPC Endpoint > ID of a desired VPC endpoint > Policy > Edit
[
  {
    "Action": ["obs:object:GetObject", "obs:object:PutObject"],
    "Resource": ["obs:*:*:object:mybucket/*"],
    "Effect": "Allow"
  }
]
- Create an IAM agency to delegate a cloud service to access bucket mybucket. For example, to delegate OBS to access bucket mybucket, bind the system-defined policy OBS FullAccess or create a custom policy and bind it to the agency. For details, see section "Creating an Agency (by a Delegating Party)" in the Identity and Access Management User Guide.
- Configure the bucket policy for bucket mybucket as follows:
Allow objects in bucket mybucket to be accessed only by servers in VPC1 or by the cloud service whose agency is testAgencyName. Replace testAgencyName with the name of the IAM agency created in the previous step.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"ID": ["*"]},
      "Action": ["*"],
      "Resource": ["mybucket/*"],
      "Condition": {"StringEquals": {"SourceVpc": ["4dad1f75-0361-4aa4-ac75-1ffdda3a0fec"]}}
    },
    {
      "Effect": "Allow",
      "Principal": {"ID": ["*"]},
      "Action": ["*"],
      "Resource": ["mybucket/*"],
      "Condition": {"StringEquals": {"ServiceAgency": ["testAgencyName"]}}
    }
  ]
}
The bucket policy can also be written as a single Deny statement, as follows.
{
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {"ID": ["*"]},
      "Action": ["*"],
      "Resource": ["mybucket/*"],
      "Condition": {"StringNotEquals": {"SourceVpc": ["4dad1f75-0361-4aa4-ac75-1ffdda3a0fec"], "ServiceAgency": ["testAgencyName"]}}
    }
  ]
}
Both keys under StringNotEquals must fail to match for the Deny to apply, so a request from VPC1 or through the agency is not denied, and a request that matches neither is. Note that this Deny-only form grants nothing by itself: the access it leaves open still has to be granted by IAM permissions or by another Allow statement, whereas the Allow form above grants that access directly. Prefer the Allow form unless an explicit Deny is required to override permissions granted elsewhere.
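The four examples above all depend on the same evaluation rules: an explicit Deny beats any Allow, a request that matches no statement is not granted anything, every key under one condition operator must hold, and a condition key that is absent from the request counts as "not equal". The following added example (not code from the OBS documentation, and not the OBS or VPC Endpoint evaluation engine) is a toy evaluator that applies those rules to the Example 2 endpoint policy, the Example 3 Deny bucket policy, and both forms of the Example 4 bucket policy. Principal is not modelled; the region, account, object name, and second VPC ID in the requests are constructed for illustration.

```python
"""Toy allow/deny evaluator for the policies on this page (added example).

Illustrative model of the evaluation rules only; not OBS's real engine.
Principal is not modelled. Names marked "constructed" are invented here.
"""
from fnmatch import fnmatchcase

VPC1 = "4dad1f75-0361-4aa4-ac75-1ffdda3a0fec"
OTHER_VPC = "00000000-0000-4000-8000-000000000000"  # constructed
AGENCY = "testAgencyName"


def _key_matches(op, wanted, actual):
    """Apply one string operator to one condition key of the request."""
    if op == "StringEquals":
        return actual is not None and actual in wanted
    if op == "StringNotEquals":
        # A key missing from the request is "not equal" to every value.
        return actual is None or actual not in wanted
    raise ValueError("unsupported operator: " + op)


def _condition_holds(condition, ctx):
    """Every operator and every key must hold (logical AND across keys)."""
    return all(
        _key_matches(op, values, ctx.get(key))
        for op, keys in condition.items()
        for key, values in keys.items()
    )


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(statements, action, resource, ctx):
    """Return "Deny", "Allow" or "NoMatch" (implicit deny) for one request."""
    decision = "NoMatch"
    for st in statements:
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends the evaluation
        decision = "Allow"
    return decision


# Example 2: VPC endpoint policy, everything in mybucket except myobject.
EX2_ENDPOINT = [
    {"Action": ["obs:object:GetObject"], "Resource": ["obs:*:*:object:mybucket/*"], "Effect": "Allow"},
    {"Action": ["obs:object:GetObject"], "Resource": ["obs:*:*:object:mybucket/myobject"], "Effect": "Deny"},
]

# Example 3, bucket policy 2: deny every request that is not from VPC1.
EX3_DENY_NOT_VPC1 = [
    {"Sid": "DenyReqNotFromVpc", "Effect": "Deny", "Principal": {"ID": ["*"]}, "Action": "*",
     "Resource": ["mybucket", "mybucket/*"],
     "Condition": {"StringNotEquals": {"SourceVpc": [VPC1]}}},
]

# Example 4: the Allow form and the Deny-only form of the bucket policy.
EX4_ALLOW_FORM = [
    {"Effect": "Allow", "Principal": {"ID": ["*"]}, "Action": ["*"], "Resource": ["mybucket/*"],
     "Condition": {"StringEquals": {"SourceVpc": [VPC1]}}},
    {"Effect": "Allow", "Principal": {"ID": ["*"]}, "Action": ["*"], "Resource": ["mybucket/*"],
     "Condition": {"StringEquals": {"ServiceAgency": [AGENCY]}}},
]
EX4_DENY_FORM = [
    {"Effect": "Deny", "Principal": {"ID": ["*"]}, "Action": ["*"], "Resource": ["mybucket/*"],
     "Condition": {"StringNotEquals": {"SourceVpc": [VPC1], "ServiceAgency": [AGENCY]}}},
]

OBJ = "mybucket/report.csv"                       # constructed object key
EP_OBJ = "obs:region-1:account-1:object:" + OBJ   # endpoint-policy resource form, constructed
EP_MYOBJECT = "obs:region-1:account-1:object:mybucket/myobject"


def run_examples():
    """Decisions for the page's scenarios, keyed by a short label."""
    return {
        # Example 2: the Deny on myobject overrides the Allow on mybucket/*.
        "ex2_other_object": evaluate(EX2_ENDPOINT, "obs:object:GetObject", EP_OBJ, {}),
        "ex2_myobject": evaluate(EX2_ENDPOINT, "obs:object:GetObject", EP_MYOBJECT, {}),
        # Example 3: the Deny policy blocks other VPCs and non-VPC traffic but
        # grants nothing to VPC1; bucket policy 1 or IAM has to do that.
        "ex3_from_vpc1": evaluate(EX3_DENY_NOT_VPC1, "GetObject", OBJ, {"SourceVpc": VPC1}),
        "ex3_from_other_vpc": evaluate(EX3_DENY_NOT_VPC1, "GetObject", OBJ, {"SourceVpc": OTHER_VPC}),
        "ex3_no_vpc": evaluate(EX3_DENY_NOT_VPC1, "GetObject", OBJ, {}),
        # Example 4: both forms block a request from neither VPC1 nor the agency,
        # but only the Allow form grants the permitted requests.
        "ex4_allow_form_vpc1": evaluate(EX4_ALLOW_FORM, "PutObject", OBJ, {"SourceVpc": VPC1}),
        "ex4_deny_form_vpc1": evaluate(EX4_DENY_FORM, "PutObject", OBJ, {"SourceVpc": VPC1}),
        "ex4_allow_form_agency": evaluate(EX4_ALLOW_FORM, "PutObject", OBJ, {"ServiceAgency": AGENCY}),
        "ex4_deny_form_agency": evaluate(EX4_DENY_FORM, "PutObject", OBJ, {"ServiceAgency": AGENCY}),
        "ex4_allow_form_internet": evaluate(EX4_ALLOW_FORM, "PutObject", OBJ, {}),
        "ex4_deny_form_internet": evaluate(EX4_DENY_FORM, "PutObject", OBJ, {}),
    }


if __name__ == "__main__":
    for label, decision in run_examples().items():
        print(f"{label:24s} {decision}")
```

Running the script prints one decision per scenario. The ex4 rows make the difference between the two Example 4 forms visible: a request from VPC1 is "Allow" under the Allow form but only "NoMatch" under the Deny form, which is why the Deny-only form needs an IAM permission or another Allow statement before it is usable.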