Updated on 2026-04-16 GMT+08:00

Configuring BPA for a Bucket

Functions

Public access means that a requester can access a bucket and its data without specific permissions or identity authentication. This poses risks such as data leaks and malicious access. OBS supports Block Public Access (BPA) for buckets. You can call this API to configure bucket-level BPA to ensure data security in your bucket. For more information about how to configure bucket-level BPA, see Block Public Access.

If BPA is enabled, existing public access permissions are ignored and new public access permissions cannot be configured. If BPA is disabled, existing public access permissions continue to apply and new public access permissions can be configured.

Constraints

  • You can block public access only for buckets, not for accounts or specified objects.
  • To ensure that Block Public Access can work appropriately, the total size of all bucket policies cannot exceed 20 KB, and the combined size of all ACLs and bucket policies cannot exceed 32 KB. If the size exceeds the upper limit, requests for setting bucket policies or bucket ACLs, querying the public status of buckets, and enabling Block Public Access may be denied, with error code 400 and message "Bucket policy and bucket acl is too large/complicated to perform block public access analysis" returned.
  • Block Public Access is not available for mirroring-based back-to-source scenarios.
  • During cross-region replication, if the destination bucket has the BlockPublicAcls setting, objects with public ACLs in the source bucket will fail to be replicated.
  • To use Block Public Access, you must have the following permissions.
    Table 1 Permissions required for using Block Public Access

    | Operation | Required Permissions |
    | --- | --- |
    | Configuring Block Public Access for a bucket | Bucket owner or a user with the PutBucketPublicAccessBlock permission |
    | Obtaining the Block Public Access configuration of a bucket | Bucket owner or a user with the GetBucketPublicAccessBlock permission |
    | Deleting the Block Public Access configuration of a bucket | Bucket owner or a user with the DeleteBucketPublicAccessBlock permission |
    | Obtaining the public access status of a bucket policy | Bucket owner or a user with the GetBucketPolicyPublicStatus permission |
    | Obtaining the public access status of a bucket | Bucket owner or a user with the GetBucketPublicStatus permission |

Authorization Information

To call this API, you must be the bucket owner or have the permission to configure BPA for a bucket. You are advised to use IAM or bucket policies for authorization. For details about OBS authorization methods, see Differences Between OBS Permissions Control Methods.

  • If you use IAM for authorization, you need to use either role/policy-based authorization or identity policy-based authorization and configure the required permissions:
    • If you use role/policy-based authorization (IAM v3 APIs in the old IAM version), you need to grant the obs:bucket:PutBucketPublicAccessBlock permission. For details, see Creating a Custom IAM Policy.
    • If you use identity policy-based authorization (IAM v5 APIs in the new IAM version), you need to grant the obs:bucket:putBucketPublicAccessBlock permission, as shown in the following table. For details, see Creating a Custom IAM Identity Policy.

      Action

      Access Level

      Resource Type (*: Required)

      Condition Key

      Alias

      Dependencies

      obs:bucket:putBucketPublicAccessBlock

      Permission_management

      bucket *

      -

      -

      -

      • obs:EpochTime
      • obs:SourceIp
      • obs:TlsVersion
      • obs:CustomDomain
  • If you use bucket policies for authorization, you need to grant the obs:bucket:PutBucketPublicAccessBlock permission. For details, see Creating a Custom Bucket Policy.

Request Syntax

PUT /?publicAccessBlock HTTP/1.1
Host: bucketname.obs.region.myhuaweicloud.com 
Date: date
Authorization: authorization
Content-Type: application/xml
Content-Length: length

<?xml version="1.0" encoding="UTF-8"?>
<PublicAccessBlockConfiguration>
	<BlockPublicAcls>boolean</BlockPublicAcls>
	<IgnorePublicAcls>boolean</IgnorePublicAcls>
	<BlockPublicPolicy>boolean</BlockPublicPolicy>
	<RestrictPublicBuckets>boolean</RestrictPublicBuckets>
</PublicAccessBlockConfiguration>

URI Parameters

This request contains no parameters.

Request Headers

This request uses common headers. For details, see Table 3.

Request Body

This request uses request body parameters. For details, see Table 2.

Table 2 Request body parameters

  • PublicAccessBlockConfiguration
    Type: XML
    Mandatory (Yes/No): Yes
    Definition: Root node of the PublicAccessBlockConfiguration parameter.
    Constraints: None
    Range: None
    Default Value: None

  • BlockPublicAcls
    Type: Boolean
    Mandatory (Yes/No): No
    Definition: Whether to prohibit specifying the ACL as public access to a bucket or objects in the bucket. If the parameter is set to true, the following applies:
      • If you specify an ACL as public access when uploading an object, the object fails to be uploaded and the error "403 Access Denied" is returned.
      • If you specify an ACL as public access when modifying a bucket ACL or an object ACL, the ACL fails to be modified and the error "403 Access Denied" is returned.
    Constraints: This configuration does not affect existing buckets or objects.
    Range:
      • true: This feature is enabled.
      • false: This feature is disabled.
    Default Value: false

  • BlockPublicPolicy
    Type: Boolean
    Mandatory (Yes/No): No
    Definition: Whether to prohibit the configuration of a bucket policy that allows public access to a bucket. If this parameter is set to true, such a bucket policy will fail to be configured and the error "403 Access Denied" will be returned.
    Constraints: This configuration does not affect existing buckets.
    Range:
      • true: This feature is enabled.
      • false: This feature is disabled.
    Default Value: false

  • IgnorePublicAcls
    Type: Boolean
    Mandatory (Yes/No): No
    Definition: Whether to ignore the existing ACL that allows public access to the bucket or objects in the bucket. If this parameter is set to true, the public access ACL of the bucket or objects in the bucket becomes invalid.
    Constraints: This configuration does not affect existing ACLs or prohibit the configuration of new public access ACLs.
    Range:
      • true: This feature is enabled.
      • false: This feature is disabled.
    Default Value: false

  • RestrictPublicBuckets
    Type: Boolean
    Mandatory (Yes/No): No
    Definition: Whether to restrict the existing public bucket policy. If this parameter is set to true, only the cloud service and bucket owner accounts are allowed to access the bucket.
    Constraints: This configuration does not affect existing bucket policies or prohibit the configuration of new public bucket policies.
    Range:
      • true: This feature is enabled.
      • false: This feature is disabled.
    Default Value: false

Response Syntax

HTTP/1.1 status_code
Date: date

Response Headers

This response uses common headers. For details, see Table 1.

Response Body

The response of this API does not contain a response body.

Error Responses

Table 3 describes possible special errors in this request.

Table 3 Error Responses

| Error | Description | HTTP Status Code |
| --- | --- | --- |
| InvalidRequest | BlockPublicAcls, BlockPublicPolicy, IgnorePublicAcls, and RestrictPublicBuckets are not specified. At least one of them must be specified. | 400 |
| MethodNotAllowed | The involved method is not allowed (the corresponding feature is disabled). | 405 |

For other errors, see Table 2.

Sample Request: Setting All Four Parameters to true

PUT /?publicAccessBlock HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: Sat, 16 Nov 2024 08:59:07 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:75/Y4Ng1izvzc1nTGxpMXTE6ynw=
Content-Length: 288

<?xml version="1.0" encoding="UTF-8"?>
<PublicAccessBlockConfiguration>
	<BlockPublicAcls>true</BlockPublicAcls>
	<IgnorePublicAcls>true</IgnorePublicAcls>
	<BlockPublicPolicy>true</BlockPublicPolicy>
	<RestrictPublicBuckets>true</RestrictPublicBuckets>
</PublicAccessBlockConfiguration>

Sample Response: Setting All Four Parameters to true

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF260000016435CE298386946AE4C482
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCT9W2tcvLmMJ+plfdopaD62S0npbaRUz
Date: Sat, 16 Nov 2024 08:59:08 GMT
Content-Length: 0

Sample Request: Setting Only BlockPublicAcls to true

PUT /?publicAccessBlock HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: Sat, 16 Nov 2024 08:59:07 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:75/Y4Ng1izvzc1nTGxpMXTE6ynw=
Content-Length: 147

<?xml version="1.0" encoding="UTF-8"?>
<PublicAccessBlockConfiguration>
	<BlockPublicAcls>true</BlockPublicAcls>
</PublicAccessBlockConfiguration>

Sample Response: Setting Only BlockPublicAcls to true

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF260000016435CE298386946AE4C482
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCT9W2tcvLmMJ+plfdopaD62S0npbaRUz
Date: Sat, 16 Nov 2024 08:59:08 GMT
Content-Length: 0
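
The following Python sketch is an added example, not code from the OBS documentation or SDKs. It builds the request body described in Table 2, refuses an empty configuration locally (the case the service rejects with 400 InvalidRequest), and reports which public-access paths a given body leaves open. The function names build_bpa_body and residual_public_access are hypothetical, and signing and sending the request are out of scope.

```python
import xml.etree.ElementTree as ET

# Element names as listed in Table 2 of this page.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# What stays possible while a flag is false, paraphrased from Table 2.
RESIDUAL = {
    "BlockPublicAcls": "new public ACLs can still be set on the bucket or its objects",
    "IgnorePublicAcls": "existing public ACLs remain valid",
    "BlockPublicPolicy": "a bucket policy allowing public access can still be configured",
    "RestrictPublicBuckets": "an existing public bucket policy is not restricted",
}


def build_bpa_body(**flags):
    """Return the XML body (bytes) for PUT /?publicAccessBlock."""
    unknown = set(flags) - set(BPA_FLAGS)
    if unknown:
        raise ValueError(f"unknown element(s): {sorted(unknown)}")
    if not flags:
        # The service answers this case with 400 InvalidRequest (Table 3).
        raise ValueError("specify at least one of: " + ", ".join(BPA_FLAGS))
    root = ET.Element("PublicAccessBlockConfiguration")
    for name in BPA_FLAGS:
        if name in flags:
            if not isinstance(flags[name], bool):
                raise TypeError(f"{name} must be a bool")
            ET.SubElement(root, name).text = "true" if flags[name] else "false"
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def residual_public_access(body):
    """Map each flag that is absent or not 'true' to what it leaves open."""
    root = ET.fromstring(body)
    if root.tag != "PublicAccessBlockConfiguration":
        raise ValueError(f"unexpected root element: {root.tag}")
    # An omitted element counts as false, the default value given in Table 2.
    return {name: RESIDUAL[name] for name in BPA_FLAGS
            if (root.findtext(name) or "false").strip().lower() != "true"}


if __name__ == "__main__":
    # Constructed input: same settings as the "Only BlockPublicAcls" sample.
    body = build_bpa_body(BlockPublicAcls=True)
    print(len(body), "bytes to send as the request body")
    for flag, gap in residual_public_access(body).items():
        print(f"{flag} is not enabled: {gap}")
```

Running the check against a body that sets only BlockPublicAcls lists the other three settings as gaps, which is why setting all four to true is the configuration that matches the blocking behavior described under Functions.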

Using SDKs to Call APIs

You are advised to use OBS SDKs to call APIs. SDKs encapsulate APIs to simplify development. You can call SDK API functions to access OBS without manually calculating signatures.

  • Java
  • Python
  • C: not supported
  • Go
  • BrowserJS: not supported
  • .NET: not supported
  • Android: not supported
  • iOS: not supported
  • PHP: not supported
  • Node.js: not supported

References

  • For more information about how to configure block public access for buckets, see Block Public Access.
  • For details about the billing items involved in API operations, see Billing Items.