Help Center/ Object Storage Service/ API Reference/ APIs/ Advanced Bucket Settings/ Configuring Public Access Block for a Bucket
Updated on 2026-03-06 GMT+08:00
View PDF
Share

Configuring Public Access Block for a Bucket

Functions

This API creates or modifies the public access block configuration of an OBS bucket by enabling or disabling the feature.

To perform this operation, you must have the PutBucketPublicAccessBlock permission. The bucket owner can perform this operation by default and can grant this permission to others by using a bucket policy or a user policy.

If public access block is enabled, existing public access permissions are ignored and new public access permissions cannot be configured. If public access block is disabled, existing public access permissions continue to apply and new public access permissions can be configured.

Authorization Information

To call this API, you must be the bucket owner or have the permission to configure public access block for a bucket. You are advised to use IAM or bucket policies for authorization. For details about OBS authorization methods, see Differences Between OBS Permissions Control Methods.

  • If you use IAM for authorization, you need to use either role/policy-based authorization or identity policy-based authorization and configure the required permissions:
    • If you use role/policy-based authorization (IAM v3 APIs in the old IAM version), you need to grant the obs:bucket:PutBucketPublicAccessBlock permission. For details, see Creating a Custom IAM Policy.
    • If you use identity policy-based authorization (IAM v5 APIs in the new IAM version), you need to grant the obs:bucket:putBucketPublicAccessBlock permission, as shown in the following table. For details, see Creating a Custom IAM Identity Policy.

      Action

      Access Level

      Resource Type (*: Required)

      Condition Key

      Alias

      Dependencies

      obs:bucket:putBucketPublicAccessBlock

      Permission_management

      bucket *

      -

      -

      -
      • obs:EpochTime
      • obs:SourceIp
      • obs:TlsVersion
      • obs:CustomDomain
  • If you use bucket policies for authorization, you need to grant the obs:bucket:PutBucketPublicAccessBlock permission. For details, see Creating a Custom Bucket Policy.

Request Syntax

PUT /?publicAccessBlock HTTP/1.1
Host: bucketname.obs.region.myhuaweicloud.com 
Date: date
Authorization: authorization
Content-Type: application/xml
Content-Length: length

<?xml version="1.0" encoding="UTF-8"?>
<PublicAccessBlockConfiguration>
	<BlockPublicAcls>boolean</BlockPublicAcls>
	<IgnorePublicAcls>boolean</IgnorePublicAcls>
	<BlockPublicPolicy>boolean</BlockPublicPolicy>
	<RestrictPublicBuckets>boolean</RestrictPublicBuckets>
</PublicAccessBlockConfiguration>

Request Parameters

This request contains no parameters.

Request Headers

This request uses common headers. For details, see Table 3.

Request Elements

This request can use additional elements. For details about additional elements, see Table 1.

Table 1 Request Elements

Element

Type

Mandatory (Yes/No)

Description

PublicAccessBlockConfiguration

XML

Yes

Definition:

Root node of the PublicAccessBlockConfiguration parameter.

Constraints:

None

Range:

None

Default value:

None

BlockPublicAcls

Boolean

No

Definition:

Whether to prohibit specifying the ACL as public access to a bucket or objects in the bucket. If the parameter is set to true, the following applies:

  • If you specify an ACL as public access when uploading an object, the object fails to be uploaded and the error "403 Access Denied" is returned.
  • If you specify an ACL as public access when modifying a bucket ACL or an object ACL, the ACL fails to be modified and the error "403 Access Denied" is returned.

Constraints:

This configuration does not affect existing buckets or objects.

Range:

  • true: This feature is enabled.
  • false: This feature is disabled.

Default value:

false

BlockPublicPolicy

Boolean

No

Definition:

Whether to prohibit the configuration of a bucket policy that allows public access to a bucket. If this parameter is set to true, such a bucket policy will fail to be configured and the error "403 Access Denied" will be returned.

Constraints:

This configuration does not affect existing buckets.

Range:

  • true: This feature is enabled.
  • false: This feature is disabled.

Default value:

false

IgnorePublicAcls

Boolean

No

Definition:

Whether to ignore the existing ACL that allows public access to the bucket or objects in the bucket. If this parameter is set to true, the public access ACL of the bucket or objects in the bucket becomes invalid.

Constraints:

This configuration does not affect existing ACLs or prohibit the configuration of new public access ACLs.

Range:

  • true: This feature is enabled.
  • false: This feature is disabled.

Default value:

false

RestrictPublicBuckets

Boolean

No

Definition:

Whether to restrict the existing public bucket policy. If this parameter is set to true, only the cloud service and bucket owner accounts are allowed to access the bucket.

Constraints:

This configuration does not affect existing bucket policies or prohibit the configuration of new public bucket policies.

Range:

  • true: This feature is enabled.
  • false: This feature is disabled.

Default value:

false

Response Syntax

HTTP/1.1 status_code
Date: date

Response Headers

This response uses common headers. For details, see Table 1.

Response Elements

This response contains no elements.

Error Responses

Table 2 describes possible special errors in this request.

Table 2 Error Responses

Error

Description

HTTP Status Code

InvalidRequest

BlockPublicAcls, BlockPublicPolicy, IgnorePublicAcls, and RestrictPublicBuckets are not specified. At least one of them must be specified.

400

MethodNotAllowed

The involved method is not allowed (the corresponding feature is disabled).

405

For other errors, see Table 2.

Sample Request: Setting All Four Parameters to true

put /?publicAccessBlock HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: Sat, 16 Nov 2024 08:59:07 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:75/Y4Ng1izvzc1nTGxpMXTE6ynw=
Content-Length: 288

<?xml version="1.0" encoding="UTF-8"?>
<PublicAccessBlockConfiguration>
	<BlockPublicAcls>true</BlockPublicAcls>
	<IgnorePublicAcls>true</IgnorePublicAcls>
	<BlockPublicPolicy>true</BlockPublicPolicy>
	<RestrictPublicBuckets>true</RestrictPublicBuckets>
</PublicAccessBlockConfiguration>

Sample Response: Setting All Four Parameters to true

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF260000016435CE298386946AE4C482
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCT9W2tcvLmMJ+plfdopaD62S0npbaRUz
Date: Sat, 16 Nov 2024 08:59:08 GMT
Content-Length: 0

Sample Request: Setting Only BlockPublicAcls to true

PUT /?publicAccessBlock HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: Sat, 16 Nov 2024 08:59:07 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:75/Y4Ng1izvzc1nTGxpMXTE6ynw=
Content-Length: 147

<?xml version="1.0" encoding="UTF-8"?>
<PublicAccessBlockConfiguration>
	<BlockPublicAcls>true</BlockPublicAcls>
</PublicAccessBlockConfiguration>

Sample Response: Setting Only BlockPublicAcls to true

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF260000016435CE298386946AE4C482
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCT9W2tcvLmMJ+plfdopaD62S0npbaRUz
Date: Sat, 16 Nov 2024 08:59:08 GMT
Content-Length: 0
Parent Topic: Advanced Bucket Settings