
Object Storage Service:Create an access point

Last Updated:Oct 24, 2024

Access points simplify data access management at scale for shared datasets. This topic describes how to create an access point.

Prerequisites

  • The bucket with which you want to associate the access point is located in one of the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), US (Silicon Valley), US (Virginia), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney) (closing down), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), India (Mumbai) (closed down), Germany (Frankfurt), and UK (London).

  • A virtual private cloud (VPC) is created if you want to create an access point that allows access only from a VPC. For more information, see Create and manage a VPC.

  • If you want to create an access point by using a RAM user, the RAM user is granted the following permissions: oss:CreateAccessPoint, oss:GetAccessPoint, oss:DeleteAccessPoint, oss:ListAccessPoints, oss:PutAccessPointPolicy, oss:GetAccessPointPolicy, oss:DeleteAccessPointPolicy, oss:PutBucketPolicy, oss:GetBucketPolicy, and oss:DeleteBucketPolicy. For more information, see Attach a custom policy to a RAM user.

Example scenario

Your company stores collected data in the examplebucket bucket in Alibaba Cloud account 137918634953xxxx for big data analytics and management. You are the account owner and want to allow 10 business units to access the examplebucket bucket:

  • Allow Units 1 to 3 to perform only read operations on objects in the examplebucket/dir1/ directory over the Internet.

  • Allow Unit 4 to perform read and write operations on directories in the bucket over the Internet.

  • Allow Units 5 to 10 to perform read and write operations on objects in the examplebucket/dir2/ directory only from a specific VPC.

You can configure access points to meet the preceding access control requirements.

You need to create an access point separately for Units 1 to 3, Unit 4, and Units 5 to 10 and assign permissions to the access points. Then, you provide the units with the corresponding access points. This way, the units can use the corresponding access points to access data that is intended for them.

Methods

Use the OSS console

  1. Configure basic information about the access point.

    1. Log on to the OSS console.

    2. In the left-side navigation pane, click Access Points.

    3. On the Access Points page, click Create Access Point.

    4. In the Create Access Point panel, configure the following parameters in the Basic Information step and click Next.

      Parameter: Access Point Name

      Description: The name of the access point. The name must meet the following requirements:

      • The name must be unique within a region of your Alibaba Cloud account.

      • The name cannot end with -ossalias.

      • The name can contain only lowercase letters, digits, and hyphens (-). It cannot start or end with a hyphen (-).

      • The name must be 3 to 19 characters in length.

      Example:

      • Units 1 to 3: ap-01

      • Unit 4: ap-02

      • Units 5 to 10: ap-03

      Parameter: Bucket

      Description: Select the bucket for which you want to create the access point from the drop-down list. You can create up to 100 access points for a bucket.

      Example: examplebucket

      Parameter: Network Source

      Description: Select the network source of the access point.

      • Internet: Data in the bucket is accessible over the Internet or an internal network.

      • VPC: Data in the bucket is accessible only from the specified VPC. If you select this option, you must specify a VPC ID.

        Important
        • When you use an access point to restrict access to a VPC, make sure that the region of the selected VPC is one of the regions in which OSS supports gateway endpoints. Otherwise, authentication requests cannot be associated with the VPC and fail. For more information, see Regions of gateway endpoints supported by OSS.

        • If the network source of the access point is VPC, you cannot use the OSS console to access the resources in the bucket that is associated with the access point. To access the resources, use an OSS SDK with the access point and the internal endpoint of the bucket.

      Example:

      • Units 1 to 3: Internet

      • Unit 4: Internet

      • Units 5 to 10: VPC

  2. Configure an access point policy.

    Important

    An access point policy applies only to requests that are sent through the access point. It does not affect the other access methods of the bucket, such as direct access by using the bucket endpoint.

    Add an access policy in the GUI

    1. In the Access Point Policy step, configure the parameters. The following table describes the parameters.

      Parameter: Access Point Policy

      Description: Select Add in GUI.

      Example: N/A

      Parameter: ARN of Access Point

      Description: The Alibaba Cloud Resource Name (ARN) of the access point. Format: acs:oss:region:account UID:accesspoint/accessPointName/object/*.

      Example: acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-01/object/*

      Parameter: Applied To

      Description: Select the resources to which the access point policy applies.

      • Whole Bucket: The access point policy applies to all resources in the bucket.

      • Specific Resources: The access point policy applies only to the specified resources in the bucket. You can configure multiple access point policies for different resources in the bucket.

      Example:

      • Units 1 to 3: Specific Resources

      • Unit 4: Whole Bucket

      • Units 5 to 10: Specific Resources

      Parameter: Resource Paths

      Description:

      • If you set Applied To to Whole Bucket, you do not need to specify Resource Paths. The value is automatically populated in the accesspoint/accessPointName/* format.

      • If you set Applied To to Specific Resources, specify Resource Paths based on the following rules:

        • Directory-level authorization

          To allow access to all subdirectories and objects in a directory, append an asterisk (*) to the directory name. For example, to allow access to all subdirectories and objects in a directory named abc, enter abc/*.

        • Object-level authorization

          To allow access to a specific object, enter the full path of the object without the bucket name. For example, to allow access to an object named myphoto.png in the abc directory, enter abc/myphoto.png.

      Example:

      • Units 1 to 3: accesspoint/ap-01/object/dir1/*

      • Unit 4: accesspoint/ap-02/*

      • Units 5 to 10: accesspoint/ap-03/object/dir2/*

      Parameter: Authorized User

      Description: Select the type of account to which you want to grant permissions. Only RAM users that belong to the current Alibaba Cloud account can be authorized to access the resources.

      Select RAM User, and then select a RAM user from the drop-down list. To grant permissions to multiple RAM users, enter keywords of the RAM usernames in the search box to perform a fuzzy match.

        Important

        Before you select RAM User, make sure that you are logged on to the OSS console with an Alibaba Cloud account, or as a RAM user that has permissions to manage the bucket and the ListUsers permission in the RAM console. Otherwise, the RAM users of the current Alibaba Cloud account are not displayed. For more information about how to grant the ListUsers permission to a RAM user, see Grant permissions to a RAM user.

      Example:

      • Units 1 to 3: RAM User (UID: 26571698800555xxxx)

      • Unit 4: RAM User (UID: 25770968794578xxxx)

      • Units 5 to 10: RAM User (UID: 26806658794579xxxx)

      Parameter: Authorized Operation

      Description: Specify the authorized operations by using Basic Settings or Advanced Settings.

      • Basic Settings

        Select one of the following permission levels based on your business requirements. You can move the pointer over the icon to the right of each permission to view the actions that the permission includes.

        • Read-Only (excluding ListObject): allows authorized users to view and download the resources.

        • Read-Only (including ListObject): allows authorized users to view, list, and download the resources.

        • Read/Write: allows authorized users to perform read and write operations on the resources.

        • Full Access: allows authorized users to perform all operations on the resources.

        • Deny Access: forbids authorized users from performing any operation on the resources.

        Important

        If multiple policy statements apply to a user, the user is granted the union of the permissions in the Allow statements. However, a statement whose Authorized Operation is Deny Access takes precedence over the Allow statements. For example, if a first statement grants Read-Only and a second statement grants Read/Write, the user has Read/Write permissions. If a third statement is set to Deny Access, the user is denied access to the resources regardless of the other statements.

        The authorization effect of Read-Only (excluding ListObject), Read-Only (including ListObject), Read/Write, and Full Access is Allow. Deny Access corresponds to the Deny effect ("Effect": "Deny" in policy syntax).

      • Advanced Settings

        If you select this option, you must configure the following parameters:

      Example:

      • Units 1 to 3: Read-Only (including ListObject)

      • Unit 4: Read/Write

      • Units 5 to 10: Read/Write

    2. Click Submit.

      • OSS requires approximately 10 minutes to create an access point.

      • OSS automatically creates an alias for an access point. You can view the alias of an access point on the Access Points page.

      • You cannot modify, delete, or disable access point aliases.

    Add an access point policy by specifying policy statements

    1. In the Access Point Policy step, select Add by Syntax for Access Point Policy.

    2. In the code editor, enter the following policy:

      Access point policy for Units 1 to 3

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "oss:GetObject",
                      "oss:GetObjectAcl",
                      "oss:ListObjects",
                      "oss:RestoreObject",
                      "oss:ListObjectVersions",
                      "oss:GetObjectVersion",
                      "oss:GetObjectVersionAcl",
                      "oss:RestoreObjectVersion"
                  ],
                  "Principal": [
                      "26571698800555xxxx"
                  ],
                  "Resource": [
                      "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-01/object/dir1/*"
                  ]
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "oss:ListObjects",
                      "oss:GetObject"
                  ],
                  "Principal": [
                      "26571698800555xxxx"
                  ],
                  "Resource": [
                      "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-01"
                  ],
                  "Condition": {
                      "StringLike": {
                          "oss:Prefix": [
                              "dir1/*"
                          ]
                      }
                  }
              }
          ]
      }

      Access point policy for Unit 4

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "oss:GetObject",
                      "oss:PutObject",
                      "oss:GetObjectAcl",
                      "oss:PutObjectAcl",
                      "oss:ListObjects",
                      "oss:AbortMultipartUpload",
                      "oss:ListParts",
                      "oss:RestoreObject",
                      "oss:ListObjectVersions",
                      "oss:GetObjectVersion",
                      "oss:GetObjectVersionAcl",
                      "oss:RestoreObjectVersion"
                  ],
                  "Principal": [
                      "25770968794578xxxx"
                  ],
                  "Resource": [
                      "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-02/object/*"
                  ]
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "oss:ListObjects",
                      "oss:GetObject"
                  ],
                  "Principal": [
                      "25770968794578xxxx"
                  ],
                  "Resource": [
                      "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-02"
                  ],
                  "Condition": {
                      "StringLike": {
                          "oss:Prefix": [
                              "*"
                          ]
                      }
                  }
              }
          ]
      }

      Access point policy for Units 5 to 10

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "oss:GetObject",
                      "oss:PutObject",
                      "oss:GetObjectAcl",
                      "oss:PutObjectAcl",
                      "oss:ListObjects",
                      "oss:AbortMultipartUpload",
                      "oss:ListParts",
                      "oss:RestoreObject",
                      "oss:ListObjectVersions",
                      "oss:GetObjectVersion",
                      "oss:GetObjectVersionAcl",
                      "oss:RestoreObjectVersion"
                  ],
                  "Principal": [
                      "26806658794579xxxx"
                  ],
                  "Resource": [
                      "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-03/object/dir2/*"
                  ]
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "oss:ListObjects",
                      "oss:GetObject"
                  ],
                  "Principal": [
                      "26806658794579xxxx"
                  ],
                  "Resource": [
                      "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-03"
                  ],
                  "Condition": {
                      "StringLike": {
                          "oss:Prefix": [
                              "dir2/*"
                          ]
                      }
                  }
              }
          ]
      }

    3. Click Submit.

      • OSS requires approximately 10 minutes to create an access point.

      • OSS automatically creates an alias for an access point. You can view the alias of an access point on the Access Points page.

      • You cannot modify, delete, or disable access point aliases.
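    The three policies above share one shape: an object statement scoped to the access point ARN plus a prefix, and a listing statement on the access point itself that pins oss:Prefix to the same directory so the user cannot enumerate the rest of the bucket. The following Python is an added example, not code from this page or from Alibaba Cloud: it builds those policies from the scenario's parameters, applies the naming rules from the Basic Information step, and runs a few least-privilege checks before you paste the JSON into the Add by Syntax editor. The action lists are the ones in the statements above; function and constant names are the example's own.

```python
"""Build the three access point policies from this page's scenario and lint them.
Added example, not Alibaba Cloud code; function names are the example's own."""
import json
import re

# Identifiers from the worked scenario on this page.
REGION = "cn-hangzhou"
ACCOUNT_UID = "137918634953xxxx"

# Action sets taken from the policy statements on this page.
READ_ACTIONS = [
    "oss:GetObject", "oss:GetObjectAcl", "oss:ListObjects", "oss:RestoreObject",
    "oss:ListObjectVersions", "oss:GetObjectVersion", "oss:GetObjectVersionAcl",
    "oss:RestoreObjectVersion",
]
WRITE_ACTIONS = ["oss:PutObject", "oss:PutObjectAcl",
                 "oss:AbortMultipartUpload", "oss:ListParts"]

# Lowercase letters, digits and hyphens; no leading or trailing hyphen.
NAME_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def validate_access_point_name(name):
    """Apply the naming rules from the Basic Information step."""
    return (3 <= len(name) <= 19
            and not name.endswith("-ossalias")
            and NAME_RE.fullmatch(name) is not None)


def access_point_arn(name, region=REGION, uid=ACCOUNT_UID):
    return f"acs:oss:{region}:{uid}:accesspoint/{name}"


def build_policy(ap_name, principal_uid, prefix, writable):
    """Two-statement policy in the shape used on this page.

    prefix is a directory prefix such as "dir1/", or "" for the whole bucket.
    The first statement grants object actions under the prefix; the second
    allows listing the access point but pins oss:Prefix to the same directory,
    so the user cannot enumerate the rest of the bucket.
    """
    if not validate_access_point_name(ap_name):
        raise ValueError(f"invalid access point name: {ap_name}")
    arn = access_point_arn(ap_name)
    actions = READ_ACTIONS + (WRITE_ACTIONS if writable else [])
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": actions,
                "Principal": [principal_uid],
                "Resource": [f"{arn}/object/{prefix}*"],
            },
            {
                "Effect": "Allow",
                "Action": ["oss:ListObjects", "oss:GetObject"],
                "Principal": [principal_uid],
                "Resource": [arn],
                "Condition": {"StringLike": {"oss:Prefix": [f"{prefix}*"]}},
            },
        ],
    }


def lint_policy(policy, ap_name):
    """Return a list of over-grants to fix before clicking Submit."""
    findings = []
    arn = access_point_arn(ap_name)
    for i, st in enumerate(policy["Statement"]):
        if "*" in st["Principal"]:
            findings.append(f"statement {i}: anonymous principal")
        if any(a in ("*", "oss:*") for a in st["Action"]):
            findings.append(f"statement {i}: wildcard action")
        for res in st["Resource"]:
            if res != arn and not res.startswith(arn + "/"):
                findings.append(f"statement {i}: resource {res} is outside {arn}")
        prefixes = st.get("Condition", {}).get("StringLike", {}).get("oss:Prefix")
        if "oss:ListObjects" in st["Action"] and arn in st["Resource"] and not prefixes:
            findings.append(f"statement {i}: ListObjects on the access point without oss:Prefix")
    return findings


# The three access points from the scenario: name -> (RAM user UID, prefix, writable).
SCENARIO = {
    "ap-01": ("26571698800555xxxx", "dir1/", False),  # Units 1 to 3, read-only
    "ap-02": ("25770968794578xxxx", "", True),        # Unit 4, whole bucket
    "ap-03": ("26806658794579xxxx", "dir2/", True),   # Units 5 to 10, dir2/ via VPC
}
POLICIES = {name: build_policy(name, *spec) for name, spec in SCENARIO.items()}

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(f"# {name}: findings={lint_policy(policy, name)}")
        print(json.dumps(policy, indent=4))
```

    Run the script and paste each printed document into the editor for the matching access point. The linter is deliberately strict about ListObjects: a listing statement on the access point ARN without an oss:Prefix condition lets a directory-scoped user see object names from the whole bucket, which is exactly the leak the second statement's Condition prevents.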

  3. Use a bucket policy to delegate access control to the access point.

    1. On the Access Points page, click the name of the access point that you created.

    2. On the Configuration Management tab, click Delegate Access Control to Access Point.

    3. In the Delegate Access Control to Access Point panel, configure a bucket policy that delegates access control to the access point. After the delegation, requests that arrive through the matching access points are authorized by the access point policy. Select one of the following delegation types.

      Delegation Type: oss:DataAccessPointArn

      Description: Delegates access control to the specified access point. After the delegation, only the specified access point takes effect.

      Delegation Type: oss:AccessPointNetworkOrigin

      Description: Delegates access control to access points whose network source is Internet or VPC. After the delegation, only access points with the selected network source take effect.

      Note

      If you select Internet, access control is delegated to access points that are accessible over the Internet and to access points that are accessible only from VPCs.

      Delegation Type: oss:DataAccessPointAccount

      Description: Delegates access control to all access points owned by the current Alibaba Cloud account. After the delegation, all access points owned by the account take effect.

    4. Click Generate Policy.

Use the OSS API

If your business requires a high level of customization, you can call the RESTful API operations directly. When you call an API operation directly, you must implement request signing in your own code.

  • For more information about the API operation that you can call to create an access point, see CreateAccessPoint.

  • For more information about the API operation that you can call to configure an access point policy, see PutAccessPointPolicy.

  • For more information about the API operation that you can call to delegate permissions to an access point by using a bucket policy, see PutBucketPolicy.

What to do next

After you create an access point, you can use the alias of the access point to access the related data. For more information, see Use an access point.

FAQ

Can I configure an IP address whitelist when I configure an access point policy for an access point?

Yes. Configure the access point policy by specifying policy statements, and add "IpAddress": {"acs:SourceIp": ["xxx"]} to the Condition element of the statement, where xxx is an IP address or CIDR block that is allowed to use the statement. Requests from any other source IP address do not match the statement.
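Three rules on this page are easy to get wrong by reasoning alone: Deny Access beats every Allow (the Important note under Authorized Operation), a delegation bucket policy only covers requests that arrive through access points matching its condition key (the Delegate Access Control step, including the note that an Internet delegation also covers VPC access points), and the acs:SourceIp condition from this FAQ. The following Python is an added example, not code from this page or from Alibaba Cloud; it models those rules offline with a small policy evaluator so you can check a policy before you submit it. The resource format of the generated delegation policy is an assumption modelled on the ARNs on this page, and the sample policy, request contexts and CIDR blocks are constructed for the example.

```python
"""Evaluate OSS policy behaviour described on this page, offline: Deny precedence,
the delegation condition keys, and the acs:SourceIp whitelist from the FAQ.
Added example, not Alibaba Cloud code; helper names are the example's own."""
import fnmatch
import ipaddress

# Identifiers from the worked scenario on this page.
ACCOUNT_UID = "137918634953xxxx"
AP_ARN = f"acs:oss:cn-hangzhou:{ACCOUNT_UID}:accesspoint/ap-01"
RAM_USER = "26571698800555xxxx"


def condition_matches(condition, ctx):
    """True when every key under every operator is satisfied by the request
    context. ctx maps condition keys (e.g. "acs:SourceIp") to the request's
    value; a missing key never satisfies a condition."""
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in allowed
            elif operator == "StringLike":   # "*" and "?" wildcards, case-sensitive
                ok = any(fnmatch.fnmatchcase(actual, p) for p in allowed)
            elif operator == "IpAddress":    # single addresses or CIDR blocks
                ip = ipaddress.ip_address(actual)
                ok = any(ip in ipaddress.ip_network(c, strict=False) for c in allowed)
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                return False
    return True


def statement_applies(st, principal, action, resource, ctx):
    return (("*" in st["Principal"] or principal in st["Principal"])
            and any(fnmatch.fnmatchcase(action, a) for a in st["Action"])
            and any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"])
            and condition_matches(st.get("Condition", {}), ctx))


def decide(policy, principal, action, resource, ctx=None):
    """Precedence rule from the Authorized Operation step: an explicit Deny beats
    any Allow, and a request that matches no statement is denied."""
    ctx = ctx or {}
    decision = "Deny"
    for st in policy["Statement"]:
        if statement_applies(st, principal, action, resource, ctx):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def delegation_bucket_policy(condition_key, value):
    """Bucket policy of the kind the Delegate Access Control step generates
    (resource format is an assumption modelled on this page's ARNs). The wide
    Action and Principal are scoped by the Condition: the statement covers only
    requests that arrive through a matching access point, whose own policy
    then decides what the caller may do."""
    return {"Version": "1", "Statement": [{
        "Effect": "Allow", "Action": ["oss:*"], "Principal": ["*"],
        "Resource": [f"acs:oss:*:{ACCOUNT_UID}:examplebucket",
                     f"acs:oss:*:{ACCOUNT_UID}:examplebucket/*"],
        "Condition": {"StringEquals": {condition_key: [value]}}}]}


def delegation_applies(policy, request_ctx):
    """Does the delegation cover a request that came in through an access point?
    Per the note on this page, an Internet delegation also covers VPC access points."""
    cond = policy["Statement"][0]["Condition"]
    ctx = dict(request_ctx)
    if (cond["StringEquals"].get("oss:AccessPointNetworkOrigin") == ["Internet"]
            and ctx.get("oss:AccessPointNetworkOrigin") == "VPC"):
        ctx["oss:AccessPointNetworkOrigin"] = "Internet"
    return condition_matches(cond, ctx)


def with_ip_whitelist(statement, cidrs):
    """Add the acs:SourceIp condition from the FAQ to a statement, in place."""
    cond = statement.setdefault("Condition", {})
    cond.setdefault("IpAddress", {})["acs:SourceIp"] = list(cidrs)
    return statement


# Constructed access point policy: dir1/ is readable only from 203.0.113.0/24,
# and dir1/secrets/ is explicitly denied whatever else allows it.
AP_POLICY = {"Version": "1", "Statement": [
    with_ip_whitelist({"Effect": "Allow", "Action": ["oss:GetObject"],
                       "Principal": [RAM_USER],
                       "Resource": [f"{AP_ARN}/object/dir1/*"]}, ["203.0.113.0/24"]),
    {"Effect": "Deny", "Action": ["oss:*"], "Principal": [RAM_USER],
     "Resource": [f"{AP_ARN}/object/dir1/secrets/*"]},
]}

if __name__ == "__main__":
    obj = f"{AP_ARN}/object/dir1/report.csv"
    print(decide(AP_POLICY, RAM_USER, "oss:GetObject", obj, {"acs:SourceIp": "203.0.113.7"}))
    print(decide(AP_POLICY, RAM_USER, "oss:GetObject", obj, {"acs:SourceIp": "198.51.100.7"}))
    print(delegation_applies(delegation_bucket_policy("oss:DataAccessPointArn", AP_ARN),
                             {"oss:DataAccessPointArn": AP_ARN}))
```

Two design points carry over to real policies. The evaluator treats a missing condition key as a non-match, so a statement with an acs:SourceIp whitelist never applies to a request whose source address is unknown; that is the safe default when you add the FAQ's condition to an existing Allow. And the delegation helper keeps the bucket policy's broad Action and Principal, because the Condition is what bounds it: narrow the delegation with oss:DataAccessPointArn when only one access point should be live, and reserve oss:DataAccessPointAccount for the case where every access point in the account is meant to work.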