Help Center/ Object Storage Service/ Permissions Configuration Guide/ Configuration Cases in Typical Permission Control Scenarios/ Restricting Access to a Bucket for Specific IP Addresses
Updated on 2024-05-31 GMT+08:00
View PDF

Restricting Access to a Bucket for Specific IP Addresses

Scenario

This case describes how to restrict the source IP addresses that can access an OBS bucket. The following shows how to deny a client access whose source IP address is within the range of 114.115.1.0/24.

Recommended Configuration

Bucket policy

Procedure

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket name you want to go to the Objects page.
  3. In the navigation pane, choose Permissions > Bucket Policy.
  4. On the Bucket Policies page, click Create.
  5. Locate the row containing Custom policy and click Create Custom Policy.
  6. Configure parameters for a bucket policy.

    Figure 1 Configuring bucket policy parameters
    Table 1 Parameters for configuring a bucket policy

    Parameter

    Description

    Policy View

    Set this parameter based on your own habits. Visual editor is used here.

    Policy Name

    Enter a policy name.

    Policy Content
    • Select Deny.
    • Parameters under Principal:
      • Principal: Select Anonymous user.
      • User Policy: Select Include specified users.
    • Parameters under Resources:
      • Resource: Select both Current bucket and Object in bucket.
      • Object in bucket: Select All objects.
      • Resource Policy: Select Include specified resources.
    • Parameters under Actions:
      • Select *, which indicates that all operations can be performed.
    • Conditions:
      1. Key: Select SourceIp.
      2. Conditional Operator: Select IpAddress.
      3. Value: Enter 114.115.1.0/24.
        NOTICE:

        The IP address specified here is only for reference. Configure it based on the site requirements.

        NOTE:

        If multiple IP addresses (CIDR blocks) need to be configured, separate them with commas (,).

        These settings are only for restricting source IP addresses, but cannot distinguish whether they are from an intranet or from the Internet.

    If you want to allow clients whose IP addresses are outside the configured range to access your bucket, grant access permissions to anonymous users by referring to Granting Permissions to Anonymous Users.

  7. After configuring the required parameters, click Next.
  8. Ensure all the configurations are correct and click Create.

Verification

Initiate an access request from an IP address within the range of 114.115.1.0/24. The access is denied. Initiate an access request from an IP address outside the range of 114.115.1.0/24. The access is allowed.

Related Scenarios

To allow only a specified IP address to access the OBS bucket, set Condition Operator to NotIpAddress and specify the allowed IP address as the Value.