Help Center/ Object Storage Service/ User Guide/ Data Security/ Configuring Access Control with Both VPC Endpoint Policies and OBS Bucket Policies

Updated on 2025-08-26 GMT+08:00

View PDF

Configuring Access Control with Both VPC Endpoint Policies and OBS Bucket Policies

Scenarios

You can apply both VPC endpoint policies and OBS bucket policies to control access to OBS resources at the VPC level. This dual-policy approach ensures that data is transmitted within a secure network environment and minimizes the risk of unauthorized access. This approach is particularly useful in the following scenarios:

Preventing Internet access to sensitive data: Healthcare organizations often store sensitive data such as medical images and electronic medical records in OBS. For compliance and security purposes, this data must not be transmitted over the Internet. Only authorized servers (ECSs, CCE, or BMSs) in a specific Huawei Cloud VPC can access the data over the intranet. Access from the other VPCs will be denied.
Assigning VPC-specific access: Enterprises often need to share their data stored in OBS across departments with varying access levels. The development team in VPC1 requires read and write access to all data, the test team in VPC2 requires read access to all data, and other teams in VPC3 require read access to only a set of data.

Context

Virtual Private Cloud (VPC) allows you to provision logically isolated virtual private networks for cloud resources, such as cloud servers, containers, and databases. You can create and manage cloud resources in a VPC, which is secure and flexible. For more information, see What Is Virtual Private Cloud?

VPC Endpoint (VPCEP) provides secure, private channels that connect your VPCs to VPC endpoint services, for example, OBS. This allows resources within a VPC to access OBS without using EIPs. For more information, see What Is VPC Endpoint?

You can use VPCEP to share data stored in OBS with VPCs. You can also share data stored in OBS with on-premises data centers via Direct Connect or Virtual Private Network (VPN) to build a hybrid cloud network where you can flexibly integrate resources.

Figure 1 Sharing data in OBS with a VPC
Click to enlarge

In the same region, if you want to use a VPC endpoint to access OBS over a private network, add OBS as a VPC endpoint service, and create a corresponding VPC endpoint in your VPC. You can then access OBS via the VPC endpoint.

Figure 2 Sharing data in OBS with an on-premises data center
Click to enlarge

If you want to access OBS from an on-premises data center over a private network, use Direct Connect or a VPN gateway to set up a bridge between the on-premises data center and the VPC that is in the same region as OBS. Then, use a VPC endpoint to connect the VPC to OBS.

How the Dual-Policy Approach Works

Figure 3 How the dual-policy approach works
Click to enlarge

VPC endpoint policies and OBS bucket policies ensure data security by working on the request sources and the requested resources, respectively.

A VPC endpoint policy defines which resources in OBS can be accessed by servers (ECSs or CCE) in a given VPC. As shown in Figure 3, VPC endpoint 1 allows servers in VPC1 to access bucket A but not bucket B. Therefore, VPC1 can access bucket A but cannot access bucket B.

A bucket policy specifies servers in which VPC can access specific OBS buckets. As shown in Figure 3, bucket A's bucket policy allows requests from VPC1 but denies requests from VPC2. Therefore, VPC1 can access bucket A, but VPC2 cannot.

Syntax of VPC Endpoint Policies

VPC endpoint policies comply with the principle of least privilege. If a policy does not explicitly allow access, it will deny access by default. When you purchase a VPC endpoint, the system assigns a default policy for it. This policy allows full access to OBS. You can modify the default policy when creating a VPC endpoint or adjust the policy after the VPC endpoint is created. Note the following when using VPC endpoint policies:

A VPC endpoint policy becomes effective 10 minutes after configuration.
VPC endpoint policies differ from IAM permissions in that VPC endpoint policies do not contain the sid field or the Condition tag.

A VPC endpoint policy consists of Effect, Action, and Resource.

**Table 1** VPC endpoint policy parameters
Parameter	Description
Effect	Determines whether to allow or deny the specified actions. Allow: The specified actions are allowed. Deny: The specified actions are denied. The default value is Deny. If both Allow and Deny apply to the same action, Deny takes precedence.
Action	Actions that can be performed on OBS resources. The format is Service name:Resource type:Operation. A policy can contain one or more actions. An asterisk () is allowed to indicate all of the services, resource types, or operations depending on its location in the action. Actions are case insensitive. OBS has two types of resources: buckets and objects. A bucket-related action is in the obs:bucket:*Operation format. For example, obs:bucket:ListAllMybuckets grants permission to list OBS buckets. obs is the service name, bucket is the resource type, and ListAllMybuckets is the operation. An object-related action is in the obs:object:Operation format. For details about actions, see Bucket Actions and Object Actions.
Resource	Resources which the policy applies to. The resource format is *obs:::*Resource type:Resource path. Resource types are case insensitive. The options are as follows: bucket: It indicates that the policy applies to buckets. object: It indicates that the policy applies to objects. : A wildcard character () indicates that the policy applies to both buckets and objects. The resource path format is Bucket name or Bucket name/Object name. A wildcard () is allowed. Resource paths are case sensitive. The following gives some examples: obs:::bucket:: all OBS buckets obs:::object:my-bucket/my-object/: all objects in the my-object* directory of the my-bucket bucket

Typical Scenarios and Policy Configuration Examples

The following provides typical application scenarios and configuration examples of the dual-policy approach.

Example 1: Letting a VPC Access Only a Specified OBS Bucket

Figure 4 Example 1
Click to enlarge

Description

The servers in VPC1 can download objects from bucket A only. Bucket A has no bucket policy configured, so other VPCs can also access bucket A.

Configuration

Configure the VPC endpoint policy for VPC1 as follows:

Path: Service List > VPC Endpoint > Click the ID of the corresponding VPC endpoint > Policy > Edit

[
    {
        "Action": [
            "obs:object:GetObject"
        ],
        "Resource": [
            "obs:*:*:object:bucketA/*"
        ],
        "Effect": "Allow"
    }
]

Example 2: Letting a VPC Perform Only Specified Operations on a Specified OBS Bucket

Description

The servers in VPC1 can download objects from bucket A only.

Servers in VPC1 are allowed to download all objects except object myobject from bucket A.

Configuration

Configure the VPC endpoint policy for VPC1 as follows:

Path: Service List > VPC Endpoint > Click the ID of the corresponding VPC endpoint > Policy > Edit

[
    {
        "Action": [
            "obs:object:GetObject"
        ],
        "Resource": [
            "obs:*:*:object:bucketA/*"
        ],
        "Effect": "Allow"
    },
    {
        "Action": [
            "obs:object:GetObject"
        ],
        "Resource": [
            "obs:*:*:object:bucketA/myobject"
        ],
        "Effect": "Deny"
    }
]

Example 3: Letting a VPC Access Only a Specified OBS Bucket and an OBS Bucket Be Accessed Only by a Specified VPC

Figure 5 Example 3
Click to enlarge

Description

Upload and download access is restricted exclusively to servers in VPC1 and to bucket A.

The ID of VPC1 is 4dad1f75-0361-4aa4-ac75-1ffdda3a0fec.

Configuration

Configure the VPC endpoint policy for VPC1 as follows:

Path: Service List > VPC Endpoint > Click the ID of the corresponding VPC endpoint > Policy > Edit

[
    {
        "Action": [
            "obs:object:GetObject",
	    "obs:object:PutObject"
        ],
        "Resource": [
            "obs:*:*:object:bucketA/*"
        ],
        "Effect": "Allow"
    }
]

Configure the bucket policy for bucket A as follows:
For details, see Creating a Custom Bucket Policy (JSON View).

You need to configure two bucket policies:
- Bucket policy 1: Allow servers in VPC1 to upload objects to or download objects from bucket A.
  In the example below, you can customize statementId. domainId and userId must be set to the account ID and user ID that are allowed to upload and download objects. For details, see Bucket Policies.
```
{
    "Statement": [
        {
            "Sid": "statementId",
            "Effect": "Allow",
            "Principal": {
                "ID": ["domain/domainId:user/userId"]
            },
            "Action": ["GetObject", "PutObject"],
            "Resource": ["bucketA/*"],
            "Condition": {
                "StringEquals": {
                    "SourceVpc": ["4dad1f75-0361-4aa4-ac75-1ffdda3a0fec"]
                }
            }
        }
    ]
}
```
- Bucket policy 2: Prevent servers in VPCs other than VPC1 from operating bucket A and the objects therein.
  You can customize DenyReqNotFromVpc.
```
{
    "Statement": [
        {
            "Sid": "DenyReqNotFromVpc",
            "Effect": "Deny",
            "Principal": {
                "ID": ["*"]
            },
            "Action": "*",
            "Resource": ["bucketA", "bucketA/*"],
            "Condition": {
                "StringNotEquals": {
                    "SourceVpc": ["4dad1f75-0361-4aa4-ac75-1ffdda3a0fec"]
                }
            }
        }
    ]
}
```
  After the bucket policies are configured, authorized IAM users can still upload or download objects using SDKs or APIs. If uploads or downloads on OBS Console or OBS Browser+ are required, the obs:bucket:ListAllMyBuckets and obs:bucket:ListBucket permissions must be configured in IAM. Otherwise, an error will be reported during the access to OBS Console or OBS Browser+ and buckets and their objects cannot be displayed.

Example 4: Authorizing Another Cloud Service to Access the Bucket After a Bucket Has Both VPC Endpoint Policies and Bucket Policies Configured

Description

After both VPC endpoint policies for VPC1 and bucket policies for bucket A are configured, any other cloud services, including OBS, cannot access bucket A. If you want to authorize another cloud service to access bucket A, you can create an agency.

The ID of VPC1 is 4dad1f75-0361-4aa4-ac75-1ffdda3a0fec.

Configuration

Configure the VPC endpoint policy for VPC1 as follows:

Allow only servers in VPC1 to upload objects to or download objects from bucket A.

Path: Service List > VPC Endpoint > Click the ID of the corresponding VPC endpoint > Policy > Edit
```
[
    {
        "Action": [
            "obs:object:GetObject",
	    "obs:object:PutObject"
        ],
        "Resource": [
            "obs:*:*:object:bucketA/*"
        ],
        "Effect": "Allow"
    }
]
```
Create an IAM agency to delegate a cloud service to access bucket A. For example, to delegate OBS to access bucket A, you can create an agency and associate the system-defined policy OBS FullAccess with it, or create a custom policy and apply it to the agency.

Configure the bucket policy for bucket A as follows:

Allow only objects in bucket A to be accessed by servers in VPC1 or by the cloud service whose agency is testAgencyName. testAgencyName needs to be replaced with the name of the IAM agency created in 2.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"ID": ["*"]},
            "Action": ["*"],
            "Resource": ["bucketA/*"],
            "Condition": {
                "StringEquals": {
                    "SourceVpc": ["4dad1f75-0361-4aa4-ac75-1ffdda3a0fec"]
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {"ID": ["*"]},
            "Action": ["*"],
            "Resource": ["bucketA/*"],
            "Condition": {
                "StringEquals": {
                    "ServiceAgency": ["testAgencyName"]
                }
            }
        }
    ]
}

The bucket policy can also be configured as follows to get the same result.

{
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {"ID": ["*"]},
            "Action": ["*"],
            "Resource": ["bucketA/*"],
            "Condition": {
                "StringNotEquals": {
                    "SourceVpc": ["4dad1f75-0361-4aa4-ac75-1ffdda3a0fec"],
                    "ServiceAgency": ["testAgencyName"]
                }
            }
        }
    ]
}

Securing Access with Both VPC Endpoint Policies and OBS Bucket Policies

The following uses access from an ECS in a VPC to an OBS bucket as an example (as shown in Figure 6) to show how to secure access by configuring both VPC endpoint policies and OBS bucket policies.

Figure 6 Securing access by configuring both VPC endpoint policies and OBS bucket policies
Click to enlarge

**Table 2** Resource planning
Resource	Region	Quantity	Resource Name	Description
VPC	CN-Hong Kong	2	example-vpc1	It contains the example-ecs1 ECS and is associated with example-vpcep1.
VPC		2	example-vpc2	It contains the example-ecs2 ECS and is associated with example-vpcep2.
VPC endpoint		2	example-vpcep1	It is associated with example-vpc1 and controls the requests from example-vpc1. example-vpcep1 grants permission to upload objects to and download objects from example-bucket-a.
VPC endpoint		2	example-vpcep2	It is associated with example-vpc2 and controls the requests from example-vpc2. example-vpcep2 grants permission to upload objects to and download objects from example-bucket-a.
ECS		2	example-ecs1	Create this ECS in the example-vpc1 VPC and select a Linux OS, for example, Ubuntu 24.04 server 64bit(10GiB).
ECS		2	example-ecs2	Create this ECS in the example-vpc2 VPC and select a Linux OS, for example, Ubuntu 24.04 server 64bit(10GiB).
OBS		1	example-bucket-a	The bucket policy allows access from example-vpc1 and denies access from example-vpc2.

Step 1: Create VPCs

Create two VPCs named example-vpc1 and example-vpc2:

Go to the VPC creation page. Then, configure VPC parameters as instructed, choose the CN-Hong Kong region, and retain the default settings for other parameters. You can also customize VPCs. For details, see Creating a VPC and Subnet.

Click to enlarge

Step 2: Create Linux ECSs

Create two ECSs named example-ecs1 and example-ecs2, and associate example-ecs1 with example-vpc1 and example-ecs2 with example-vpc2.

Go to the Custom Config page of the ECS console.
Configure ECS parameters as instructed and choose the CN-Hong Kong region.
Choose an OS (Ubuntu 24.04 server 64bit(10GiB) as an example).
In the Network area, select the VPC created in Step 1: Create VPCs. Associate example-ecs1 with example-vpc1 and example-ecs2 with example-vpc2.
Retain the default settings for other parameters. You can also customize ECSs. For details, see Purchasing an ECS in Custom Config Mode.
Click Submit in the lower right corner.

Step 3: Create an OBS Bucket and Upload an Object to the Bucket

Create a bucket named example-bucket-a and upload the test.txt object to it.

Create a bucket named example-bucket-a.

Go to the OBS bucket creation page. Then, choose the CN-Hong Kong region, the Standard storage class, and the Private bucket policy. Retain the default settings for other parameters. You can also customize a bucket. For details, see Creating a Bucket.
Upload the test.txt object to example-bucket-a. For details, see Uploading an Object.

Step 4: Configure Bucket Policies

Configure two bucket policies for the bucket. One allows only servers in example-vpc1 to download objects from example-bucket-a. The other denies servers in other VPCs to operate example-bucket-a or objects in it.

Log in to OBS Console. In the navigation pane, choose Object Storage.
In the bucket list, click example-bucket-a created in Step 3: Create an OBS Bucket and Upload an Object to the Bucket. The Objects page is displayed.
In the navigation pane, choose Permissions > Bucket Policies.
Click Create and click the JSON tab.

Configure the first bucket policy to allow the servers in example-vpc1 to download objects from example-bucket-a.

**Table 3** Bucket policy parameters
Parameter	Description
domainId	ID of the account that is allowed to download objects from example-bucket-a. To obtain an account ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.
userId	ID of the IAM user that is allowed to download objects from example-bucket-a. To obtain an IAM user ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.
VPC ID of example-vpc1	ID of the VPC that is allowed to download objects from example-bucket-a. The ID of example-vpc1 is used here. To obtain a VPC ID, see Obtaining a VPC ID.

{
    "Statement": [
        {
            "Sid": "exampleSidId1",
            "Effect": "Allow",
            "Principal": {
                "ID": ["domain/domainId:user/userId"]
            },
            "Action": ["GetObject"],
            "Resource": ["example-bucket-a/*"],
            "Condition": {
                "StringEquals": {
                    "SourceVpc": ["VPC ID of example-vpc1"]
                }
            }
        }
    ]
}

Click Create. The first bucket policy is configured.
Click Create. On the JSON tab page, create the second bucket policy.

Configure the second bucket policy that denies servers in all VPCs except example-vpc1 to operate example-bucket-a or the objects in it.

VPC ID of example-vpc1 is the ID of example-vpc1. To obtain a VPC ID, see Obtaining a VPC ID.

{
    "Statement": [
        {
            "Sid": "exampleSidId2",
            "Effect": "Deny",
            "Principal": {
                "ID": ["*"]
            },
            "Action": "*",
            "Resource": ["example-bucket-a", "example-bucket-a/*"],
            "Condition": {
                "StringNotEquals": {
                    "SourceVpc": ["VPC ID of example-vpc1"]
                }
            }
        }
    ]
}

In this policy, Principal is set to a wildcard (*) and there is Condition configured, so this policy is applied to all visitors. If the bucket owner does not access the bucket from the specified VPC, its access will be denied too. Therefore, if you do not want to deny the access from the bucket owner, you can add a condition to the bucket policy as follows.

In the following example, IAM user ID of bucket owner is the IAM user ID of the bucket owner. To obtain an IAM user ID, see Obtaining Account, IAM User, Group, Project, Region, and Agency Information.

{
    "Statement": [
        {
            "Sid": "exampleSidId2",
            "Effect": "Deny",
            "Principal": {
                "ID": ["*"]
            },
            "Action": "*",
            "Resource": ["example-bucket-a", "example-bucket-a/*"],
            "Condition": {
                "StringNotEquals": {
                    "SourceVpc": ["VPC ID of example-vpc1"],
                    "g:UserId": ["IAM user ID of bucket owner"]
                }
            }
        }
    ]
}

Click Create. The second bucket policy is configured.

Step 5: Create VPC Endpoints and Configure VPC Endpoint Policies

Create two VPC endpoints example-vpcep1 and example-vpcep2 and associate example-vpcep1 with example-vpc1 and example-vpcep2 with example-vpc2.

Go to the VPC Endpoints page.
Click Buy VPC Endpoint in the upper right corner.
Select a region that the VPC endpoint belongs to. The region must be the same as that of the VPC and OBS bucket.
Set Billing Mode to Pay-per-use.
Choose Find a service by name for Service Category.
Obtain the service name and verify it.

Submit a service ticket to obtain the service name. When submitting the service ticket, provide the OBS bucket name to technical support. Then, enter the obtained service name in the VPC Endpoint Service Name text box and click Verify.
Specify the VPC.

Choose the VPC created in Step 1: Create VPCs from the VPC drop-down list. Choose example-vpc1 for example-vpcep1 and example-vpc2 for example-vpcep2. Retain the default settings for the route table and subnet.
Configure VPC endpoint policies.
Enable Policy and edit the VPC endpoint policy. The following policy is used as an example. It allows ECSs in example-vpc1 to upload objects to or download objects from example-bucket-a. Enter the following policy for both example-vpcep1 and example-vpcep2.
```
[
    {
        "Action": [
            "obs:object:GetObject",
	    "obs:object:PutObject"
        ],
        "Resource": [
            "obs:*:*:object:example-bucket-a/*"
        ],
        "Effect": "Allow"
    }
]
```
Click Next in the lower right corner.
Confirm the endpoint configuration and click Submit.

Step 6: Use ECSs in VPCs to Access OBS

Log in to example-ecs1 and download the object from example-bucket-a. example-vpcep1 allows access to example-bucket-a, and the bucket policy allows access from example-vpc1, so the download is successful as expected.

Log in to the example-ecs1 ECS.

In this example, log in to the Linux ECS using CloudShell. To use other login methods, see Login Overview (Linux).
Download and install obsutil on the ECS. For details, see Downloading and Installing obsutil.
Initialize obsutil.

Initialize obsutil using the account (specified in the first bucket policy) that is allowed to access example-bucket-a. For details, see Initializing the Configuration. To obtain the AK/SK, see Access Keys.
Download the test.txt object from example-bucket-a to your local PC:
```
./obsutil cp obs://example-bucket-a/test.txt  test.txt
```
If the following output is displayed, the download is successful. This means that example-ecs1 can access example-bucket-a.

Log in to example-ecs2 and download the object from example-bucket-a. The bucket policy of example-bucket-a denies access from example-vpc2, so the download request is denied and the download fails, as expected.

Log in to the example-ecs2 ECS.

In this example, log in to the Linux ECS using CloudShell. To use other login methods, see Login Overview (Linux).
Download and install obsutil on the ECS. For details, see Downloading and Installing obsutil.
Initialize obsutil.

Initialize obsutil using the account (specified in the first bucket policy) that is allowed to access example-bucket-a. For details, see Initializing the Configuration.
Download the test.txt object from example-bucket-a to your local PC:
```
./obsutil cp obs://example-bucket-a/test.txt  test.txt
```
If the following output is displayed, the download fails. This is because the download request from example-ecs2 is denied, which is as expected.

Related Operations

When securing access by configuring both VPC endpoint policies and OBS bucket policies, you may also need to perform the following operations:

Updating the Policy of an Existing VPC Endpoint

Go to the VPC Endpoints page.
Click the endpoint whose policy is to be updated. The endpoint details page is displayed.
Click the Policy tab.
Click Edit.
Configure the VPC endpoint policy. For details, see Syntax of VPC Endpoint Policies.
Click Confirm.