Access points simplify data access management at scale for shared datasets. This topic describes how to create an access point.
Prerequisites
The bucket with which you want to associate an access point is located in one of the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), US (Silicon Valley), US (Virginia), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney) (closing down), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), India (Mumbai) (closed down), Germany (Frankfurt), and UK (London).
A virtual private cloud (VPC) is created if you want to create an access point that allows access only from a VPC. For more information, see Create and manage a VPC.
If you want to create an access point by using a RAM user, the RAM user must be granted the following permissions: oss:CreateAccessPoint, oss:GetAccessPoint, oss:DeleteAccessPoint, oss:ListAccessPoints, oss:PutAccessPointPolicy, oss:GetAccessPointPolicy, oss:DeleteAccessPointPolicy, oss:PutBucketPolicy, oss:GetBucketPolicy, and oss:DeleteBucketPolicy. For more information, see Attach a custom policy to a RAM user.
Example scenario
Your company stores collected data in the examplebucket bucket in Alibaba Cloud account 137918634953xxxx for big data analytics and management. You are the account owner and want to allow 10 business units to access the examplebucket bucket:
Allow Units 1 to 3 to perform only read operations on objects in the examplebucket/dir1/ directory over the Internet.
Allow Unit 4 to perform read and write operations on directories in the bucket over the Internet.
Allow Units 5 to 10 to perform read and write operations on objects in the examplebucket/dir2/ directory only from a specific VPC.
You can configure access points to meet the preceding access control requirements.
Create a separate access point for Units 1 to 3, for Unit 4, and for Units 5 to 10, attach the appropriate permissions to each access point, and then give each group of units its access point. This way, each group uses its own access point to access the data that is intended for it.
Methods
Use the OSS console
Use the OSS API
What to do next
After you create an access point, you can use the alias of the access point to access the related data. For more information, see Use an access point.
FAQ
Can I configure an IP address whitelist when I configure an access point policy for an access point?
Yes. When you write the policy statements of the access point policy, add a condition of the form "IpAddress": {"acs:SourceIp": ["xxx"]} to the statement so that it applies only to requests from the listed source IP addresses.
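The example scenario above and the IpAddress condition from this FAQ, modelled as an added example that is not part of the original page or of OSS itself: it builds one policy per access point and evaluates sample requests against them. The account ID is the one from the scenario; the region, access point names, office CIDR and the exact resource string format are assumptions, and VPC-only access is modelled as the access point's network origin rather than as a policy condition.

```python
import fnmatch
import ipaddress
# Constructed model of the page's scenario: the account ID is the one from the page;
# the region, access point names, office CIDR and resource string format are assumptions.
ACCOUNT = "137918634953xxxx"
REGION = "cn-hangzhou"
OFFICE_CIDR = "203.0.113.0/24"  # sample Internet range for Units 1 to 3

def obj_resource(ap_name, key_pattern):
    # Object reached through an access point (resource format assumed).
    return f"acs:oss:{REGION}:{ACCOUNT}:accesspoint/{ap_name}/object/{key_pattern}"

def allow(actions, resources, source_ips=None):
    stmt = {"Effect": "Allow", "Action": actions, "Resource": resources}
    if source_ips:  # the IpAddress condition from the FAQ
        stmt["Condition"] = {"IpAddress": {"acs:SourceIp": source_ips}}
    return stmt

# One access point per group of units, as the scenario prescribes.
ACCESS_POINTS = {
    "ap-units-1-3": {"network_origin": "internet", "policy": {"Version": "1", "Statement": [
        allow(["oss:GetObject"], [obj_resource("ap-units-1-3", "dir1/*")], [OFFICE_CIDR])]}},
    "ap-unit-4": {"network_origin": "internet", "policy": {"Version": "1", "Statement": [
        allow(["oss:GetObject", "oss:PutObject"], [obj_resource("ap-unit-4", "*")])]}},
    "ap-units-5-10": {"network_origin": "vpc", "policy": {"Version": "1", "Statement": [
        allow(["oss:GetObject", "oss:PutObject"], [obj_resource("ap-units-5-10", "dir2/*")])]}},
}

def ip_matches(ip, cidrs):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)

def is_allowed(ap_name, action, key, source_ip, from_vpc=False):
    """Network-origin gate first, then a matching statement; Deny overrides Allow."""
    ap = ACCESS_POINTS[ap_name]
    if ap["network_origin"] == "vpc" and not from_vpc:
        return False  # VPC-only access point: Internet requests never reach the policy
    resource = obj_resource(ap_name, key)
    allowed = False
    for s in ap["policy"]["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in s["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in s["Resource"]):
            continue
        cond = s.get("Condition", {}).get("IpAddress", {}).get("acs:SourceIp")
        if cond and not ip_matches(source_ip, cond):
            continue
        if s["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The evaluator is a simplified model for reasoning about the split of permissions; the authoritative decision is made by OSS, so verify each access point policy against the console or API before relying on it.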