Help Center/ Object Storage Service/ API Reference/ APIs/ Advanced Bucket Settings/ Configuring Public Access Block for a Bucket
Updated on 2025-08-22 GMT+08:00

Configuring Public Access Block for a Bucket

Functions

This API creates or modifies the public access block configuration of an OBS bucket by enabling or disabling the feature.

To perform this operation, you must have the PutBucketPublicAccessBlock permission. The bucket owner can perform this operation by default and can grant this permission to others by using a bucket policy or a user policy.

If public access block is enabled, existing public access permissions are ignored and new public access permissions cannot be configured. If public access block is disabled, existing public access permissions continue to apply and new public access permissions can be configured.

Request Syntax

PUT /?publicAccessBlock HTTP/1.1
Host: bucketname.obs.region.myhuaweicloud.com 
Date: date
Authorization: authorization
Content-Type: application/xml
Content-Length: length

<?xml version="1.0" encoding="UTF-8"?>
<PublicAccessBlockConfiguration>
	<BlockPublicAcls>boolean</BlockPublicAcls>
	<IgnorePublicAcls>boolean</IgnorePublicAcls>
	<BlockPublicPolicy>boolean</BlockPublicPolicy>
	<RestrictPublicBuckets>boolean</RestrictPublicBuckets>
</PublicAccessBlockConfiguration>

Request Parameters

This request contains no parameters.

Request Headers

This request uses common headers. For details, see Table 3.

Request Elements

This request can use additional elements. For details about additional elements, see Table 1.

Table 1 Request Elements

Element

Type

Mandatory (Yes/No)

Description

PublicAccessBlockConfiguration

XML

Yes

Definition:

Root node of the PublicAccessBlockConfiguration parameter.

Constraints:

None

Range:

None

Default value:

None

BlockPublicAcls

Boolean

No

Definition:

Whether to prohibit specifying the ACL as public access to a bucket or objects in the bucket. If the parameter is set to true, the following applies:

  • If you specify an ACL as public access when uploading an object, the object fails to be uploaded and the error "403 Access Denied" is returned.
  • If you specify an ACL as public access when modifying a bucket ACL or an object ACL, the ACL fails to be modified and the error "403 Access Denied" is returned.

Constraints:

This configuration does not affect existing buckets or objects.

Range:

  • true: This feature is enabled.
  • false: This feature is disabled.

Default value:

false

BlockPublicPolicy

Boolean

No

Definition:

Whether to prohibit the configuration of a bucket policy that allows public access to a bucket. If this parameter is set to true, such a bucket policy will fail to be configured and the error "403 Access Denied" will be returned.

Constraints:

This configuration does not affect existing buckets.

Range:

  • true: This feature is enabled.
  • false: This feature is disabled.

Default value:

false

IgnorePublicAcls

Boolean

No

Definition:

Whether to ignore the existing ACL that allows public access to the bucket or objects in the bucket. If this parameter is set to true, the public access ACL of the bucket or objects in the bucket becomes invalid.

Constraints:

This configuration does not affect existing ACLs or prohibit the configuration of new public access ACLs.

Range:

  • true: This feature is enabled.
  • false: This feature is disabled.

Default value:

false

RestrictPublicBuckets

Boolean

No

Definition:

Whether to restrict the existing public bucket policy. If this parameter is set to true, only the cloud service and bucket owner accounts are allowed to access the bucket.

Constraints:

This configuration does not affect existing bucket policies or prohibit the configuration of new public bucket policies.

Range:

  • true: This feature is enabled.
  • false: This feature is disabled.

Default value:

false

Response Syntax

HTTP/1.1 status_code
Date: date

Response Headers

This response uses common headers. For details, see Table 1.

Response Elements

This response contains no elements.

Error Responses

Table 2 describes possible special errors in this request.

Table 2 Error Responses

Error

Description

HTTP Status Code

InvalidRequest

BlockPublicAcls, BlockPublicPolicy, IgnorePublicAcls, and RestrictPublicBuckets are not specified. At least one of them must be specified.

400

MethodNotAllowed

The involved method is not allowed (the corresponding feature is disabled).

405

For other errors, see Table 2.

Sample Request: Setting All Four Parameters to true

put /?publicAccessBlock HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: Sat, 16 Nov 2024 08:59:07 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:75/Y4Ng1izvzc1nTGxpMXTE6ynw=
Content-Length: 288

<?xml version="1.0" encoding="UTF-8"?>
<PublicAccessBlockConfiguration>
	<BlockPublicAcls>true</BlockPublicAcls>
	<IgnorePublicAcls>true</IgnorePublicAcls>
	<BlockPublicPolicy>true</BlockPublicPolicy>
	<RestrictPublicBuckets>true</RestrictPublicBuckets>
</PublicAccessBlockConfiguration>

Sample Response: Setting All Four Parameters to true

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF260000016435CE298386946AE4C482
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCT9W2tcvLmMJ+plfdopaD62S0npbaRUz
Date: Sat, 16 Nov 2024 08:59:08 GMT
Content-Length: 0

Sample Request: Setting Only BlockPublicAcls to true

PUT /?publicAccessBlock HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: Sat, 16 Nov 2024 08:59:07 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:75/Y4Ng1izvzc1nTGxpMXTE6ynw=
Content-Length: 147

<?xml version="1.0" encoding="UTF-8"?>
<PublicAccessBlockConfiguration>
	<BlockPublicAcls>true</BlockPublicAcls>
</PublicAccessBlockConfiguration>

Sample Response: Setting Only BlockPublicAcls to true

HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF260000016435CE298386946AE4C482
x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCT9W2tcvLmMJ+plfdopaD62S0npbaRUz
Date: Sat, 16 Nov 2024 08:59:08 GMT
Content-Length: 0