Updated on 2025-08-04 GMT+08:00

Restricting Access to a Bucket for Specific IP Addresses

Scenario

This case describes how to restrict the source IP addresses that can access an OBS bucket. The following shows how to deny a client access whose source IP address is within the range of 114.115.1.0/24.

Recommended Configuration

Bucket policy

Procedure

  1. In the navigation pane of OBS Console, choose Buckets.
  2. In the bucket list, click the bucket name you want to go to the Objects page.
  3. In the navigation pane, choose Permissions > Bucket Policies.
  4. On the Bucket Policies page, click Create.
  5. Configure a bucket policy.

    Figure 1 Configuring a bucket policy
    Table 1 Parameters for configuring a bucket policy

    Parameter

    Description

    Policy view

    Select Visual Editor or JSON based on your own habits. Visual Editor is used here.

    Policy Name

    Enter a policy name.

    Effect

    Select Deny.

    Principal

    • Select All accounts.

    Resources

    • Method 1:
      • Select Entire bucket (including the objects in it).
    • Method 2:
      • Select Current bucket and Specified objects.
      • Set the resource path to * to indicate all objects in the bucket.

    Actions

    • Choose Customize.
    • Select * (indicating all actions).

    Conditions (Optional)

    • Key: Select SourceIp.
    • Tag Key: not required (default)
    • Qualifier: Select default.
    • Condition Operator: Select IpAddress
    • Value: Enter 114.115.1.0/24.
      NOTE:
      • The IP address specified here is only for reference. Configure it based on the site requirements.
      • If multiple IP addresses (CIDR blocks) need to be configured, separate them with commas (,).
      • These settings are only for restricting source IP addresses, but cannot distinguish whether they are from an intranet or from the Internet.
      • If you access OBS through an ECS, and both the ECS and OBS belong to CN North-Beijing1, you can use the SourceIP condition key to allow access only from the IP address of this ECS. Submit a service ticket if needed.
      • If the ECS uses a public DNS, the value is EIP of the ECS.
      • If the ECS uses a Huawei Cloud private DNS, the value is 100.64.0.0/10,214.0.0.0/7,Private IP address of the ECS.

        IP addresses in the range starting with 100 or 214 are for ECSs to access OBS over an intranet.

    If you want to allow clients whose IP addresses are outside the configured range to access your bucket, grant access permissions to all accounts by referring to Granting Permissions to All Accounts.

  6. Confirm and click Create.

Verification

Initiate an access request from an IP address within 114.115.1.0/24. The access is denied. Initiate an access request from an IP address outside 114.115.1.0/24. The access is allowed.

Related Scenarios

  • To allow only a specified IP address to access the OBS bucket, set Condition Operator to NotIpAddress and specify the allowed IP address as the Value.
  • If you want to allow only specific private IP addresses to access a bucket over an intranet, you need to buy a gateway VPC endpoint. (Select Find a service by name for Service Category. To obtain a service name, submit a ticket.) When using a private IP address to access a bucket through a VPC endpoint, the private IP address is identified as a source IP address. You can control bucket access by specifying private IP addresses in a bucket policy.