How do I create an access point? - Object Storage Service

Access points simplify data access control at scale for shared datasets. This topic describes how to create an access point.

Prerequisites

The bucket with which you want to associate an access point is located in one of the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), US (Silicon Valley), US (Virginia), and Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), India (Mumbai), Germany (Frankfurt), and UK (London).
A virtual private cloud (VPC) is created if you want to create an access point that allows access only from a VPC. For more information, see Create and manage a VPC.
If you want to create an access point by using a RAM user, the RAM user is granted the following permissions: oss:CreateAccessPoint, oss:GetAccessPoint, oss:DeleteAccessPoint, oss:ListAccessPoints, oss:PutAccessPointPolicy, oss:GetAccessPointPolicy, oss:DeleteAccessPointPolicy, oss:PutBucketPolicy, oss:GetBucketPolicy, and oss:DeleteBucketPolicy. For more information, see Attach a custom policy to a RAM user.

Example scenario

Your company stores collected data in the examplebucket bucket in Alibaba Cloud account 137918634953**** for big data analytics and management. You are the account owner and want to allow 10 business units to access the examplebucket bucket:

Allow Units 1 to 3 read-only access to objects in the examplebucket/dir1/ directory over the Internet.
Allow Unit 4 read and write access to directories in the bucket over the Internet.
Allow Units 5 to 10 read and write access to objects in the examplebucket/dir2/ directory only from a specified VPC.

You can configure access points to implement the preceding access control requirements.

You need to create an access point separately for Units 1 to 3, Unit 4, and Units 5 to 10 and assign permissions to the access points. Then, you provide the units with the corresponding access points. The units can use the access points to access data that is intended for them.

Procedure

Use the OSS console

Configure basic information about the access point.

Log on to the Object Storage Service (OSS) console.
In the left-side navigation pane, click Access Points.
On the Access Points page, click Create Access Point.

In the Create Access Point panel, configure the following parameters in the Basic Information step and click Next.

Parameter	Description	Example
Access Point Name	Specify the name of the access point. The name of an access point must meet the following requirements: The name must be unique within an Alibaba Cloud account and region. The name cannot end with -ossalias. The name can contain only lowercase letters, digits, and hyphens (-). It cannot start or end with a hyphen (-). The name must be 3 to 19 characters in length.	Units 1 to 3: ap-01 Unit 4: ap-02 Units 5 to10: ap-03
Bucket	Select the bucket for which you want to create the access point from the drop-down list. You can create up to 100 access points for a bucket.	examplebucket
Network Source	Select a network source for the access point. Internet: Data in the bucket is accessible over the Internet or an internal network. VPC: Data in the bucket is accessible only over a specific VPC. If you select this option, you must specify a VPC ID. Important If the network source of the access point is VPC, you cannot access the resources in the bucket associated with the access point by using the OSS console. To access the resources, combine the access point with the internal endpoint of the bucket by using an OSS SDK.	Units 1 to 3: Internet Unit 4: Internet Units 5 to 10: VPC

Configure an access point policy.

Important

An access point policy applies only to requests made by using the access point and does not affect other available access methods for the bucket.

Add an access policy in GUI

In the Access Point Policy step, configure the parameters. The following table describes the parameters.

Parameter	Description	Example
Access Point Policy	Select Add in GUI.	N/A
ARN of Access Point	Specify the Alibaba Cloud Resource Name (ARN) of the access point. Format: `acs:oss:region:account UID:accesspoint/accessPointName/object/*`.	acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-01/object/*
Applied To	Select the resources to which you want to apply the access point policy. Whole Bucket: The access point policy applies to all resources in the bucket. Specific Resources: The bucket policy applies only to specific resources in the bucket. You can configure multiple access point policies for specific resources in the bucket.	Units 1 to 3: Specific Resources Unit 4: Whole Bucket Units 5 to 10: Specific Resources
Resource Paths	If Applied To is set to Whole Bucket, you do not need to specify Resource Paths because the value of Resource Paths is automatically populated in the `accesspoint/accessPointName/` format. If Applied To* is set to Specific Resources, specify the Resource Paths parameter based on the following requirements: Directory-level authorization To allow access to all subdirectories and objects in a directory, add an asterisk () to the directory name. For example, to allow access to all subdirectories and objects in a directory named abc, enter abc/. Object-level authorization To allow access to a specific object, enter the full path of the object excluding the bucket name. For example, to allow access to an object named myphoto.png in the abc directory, enter abc/myphoto.png.	Units 1 to 3: accesspoint/ap-01/object/dir1/* Unit 4: accesspoint/ap-01/* Units 5 to 10: accesspoint/ap-01/object/dir2/*
Authorized User	Select the type of accounts to which you want to grant the permissions. Only the RAM users of the current Alibaba Cloud account can be authorized to access specific resources. Select RAM User and then select a RAM user from the drop-down list. If you want to grant the permissions to multiple RAM users, we recommend that you enter the keywords of the RAM usernames in the search box to perform fuzzy match. Important Before you select RAM User, make sure that you log on to the OSS console with an Alibaba Cloud account or as a RAM user who has the permissions to manage the bucket and the ListUsers permission in the RAM console. Otherwise, you cannot view the RAM users of the current Alibaba Cloud account. For more information about how to grant the ListUsers permission to a RAM user, see Grant permissions to a RAM user.	Units 1 to 3: RAM User (UID: 26571698800555xxxx) Unit 4: RAM User (UID: 25770968794578xxxx) Units 5 to 10: RAM User (UID: 26806658794579xxxx)
Authorized Operation	You can select one of the following options to specify authorized operations: Basic Settings and Advanced Settings. Basic Settings If you select this option, configure the following permissions based on your business requirements. You can move the pointer over the icon to the right of each permission to view the actions that correspond to the permission. Read-Only (excluding ListObject): allows authorized users to view and download the resources. Read-Only (including ListObject): allows authorized users to view, list, and download the resources. Read/Write: allows authorized users to read and write the resources. Full Access: allows authorized users to perform all operations on the resources. Deny Access: forbids authorized users from performing operations on the resources. Important If multiple bucket policies are configured for a user, the user has all the permissions configured in the policies. However, if a bucket policy in which the Authorized Operation parameter is set to Deny Access is created, this bucket policy takes precedence. For example, if you configure a first bucket policy in which Authorized Operation is set to Read-Only and configure a second bucket policy in which Authorized Operation is set to Read/Write, the Read/Write permissions are granted to the user. If you configure a third bucket policy in which Authorized Operation is set to Deny Access, the user is denied access to the resources. The authorization effect for Read-Only (excluding ListObject), Read-Only (including ListObject), Read/Write, and Full Access is Allow, and the authorization effect for Deny Access is Reject. Advanced Settings If you select this option, configure the following parameters: Effect: Select Allow or Reject. Actions: Specify the actions that you want to allow or deny. For more information about the types of actions, see RAM policies.	Units 1 to 3: Read-Only (including ListObject) Unit 4: Read/Write Units 5 to 10: Read/Write

Click Submit.
- OSS requires approximately 10 minutes to create an access point.
- OSS automatically creates an alias for an access point. You can view the alias of an access point on the Access Points page.
- Access point aliases cannot be modified, deleted, or disabled.

Add an access point policy by specifying policy statements

In the Access Point Policy step, select Add by Syntax for Access Point Policy.

In the code editor, enter the following policy:

Access point policy for Units 1 to 3

{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [    
            "oss:GetObject",    
            "oss:GetObjectAcl",
            "oss:ListObjects",
            "oss:RestoreObject",
            "oss:ListObjectVersions",
            "oss:GetObjectVersion",
            "oss:GetObjectVersionAcl",
            "oss:RestoreObjectVersion"    
        ],    
        "Principal": [    
            "26571698800555xxxx"    
        ],    
        "Resource": [    
            "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-01/object/dir1/*"    
        ]    
    },{     
        "Effect": "Allow",    
        "Action": [    
            "oss:ListObjects",
            "oss:GetObject"    
        ],    
        "Principal": [    
            "26571698800555xxxx"    
        ],    
        "Resource": [    
            "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-01"    
    ],
        "Condition": {    
            "StringLike": {    
                "oss:Prefix": [            
                    "dir1/*"    
                ]    
            }    
        }    
      }    
    ]    
}

Access point policy for Unit 4

{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [    
            "oss:GetObject",
            "oss:PutObject",    
            "oss:GetObjectAcl",
            "oss:PutObjectAcl",
            "oss:ListObjects",
            "oss:AbortMultipartUpload",
            "oss:ListParts",
            "oss:RestoreObject",
            "oss:ListObjectVersions",
            "oss:GetObjectVersion",
            "oss:GetObjectVersionAcl",
            "oss:RestoreObjectVersion"    
        ],    
        "Principal": [    
            "25770968794578xxxx"    
        ],    
        "Resource": [    
            "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-02/object/*"    
        ]    
    },{     
        "Effect": "Allow",    
        "Action": [    
            "oss:ListObjects",
            "oss:GetObject"    
        ],    
        "Principal": [    
            "25770968794578xxxx"    
        ],    
        "Resource": [    
            "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-02"    
    ],
        "Condition": {    
            "StringLike": {    
                "oss:Prefix": [            
                    "*"    
                ]    
            }    
        }    
      }    
    ]    
}

Access point policy for Units 5 to 10

{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [    
            "oss:GetObject",
            "oss:PutObject",    
            "oss:GetObjectAcl",
            "oss:PutObjectAcl",
            "oss:ListObjects",
            "oss:AbortMultipartUpload",
            "oss:ListParts",
            "oss:RestoreObject",
            "oss:ListObjectVersions",
            "oss:GetObjectVersion",
            "oss:GetObjectVersionAcl",
            "oss:RestoreObjectVersion"    
        ],    
        "Principal": [    
            "26806658794579xxxx"    
        ],    
        "Resource": [    
            "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-03/object/dir2/*"    
        ]    
    },{     
        "Effect": "Allow",    
        "Action": [    
            "oss:ListObjects",
            "oss:GetObject"    
        ],    
        "Principal": [    
            "26806658794579xxxx"    
        ],    
        "Resource": [    
            "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-03"    
    ],
        "Condition": {    
            "StringLike": {    
                "oss:Prefix": [            
                    "dir2/*"    
                ]    
            }    
        }    
      }    
    ]    
}

Click Submit.
- OSS requires approximately 10 minutes to create an access point.
- OSS automatically creates an alias for an access point. You can view the alias of an access point on the Access Points page.
- Access point aliases cannot be modified, deleted, or disabled.

Use a bucket policy to delegate access control to an access point.

On the Access Points page, click the name of the access point that you created.
On the Configuration Management tab, click Delegate Access Control to Access Point.

In the Delegate Access Control to Access Point panel, configure a bucket policy to delegate access control to the access point.

Delegation Type	Description	Example
oss:DataAccessPointArn	Delegates access control permissions to the specified access point. After the delegation, only the specified access point takes effect.	oss:DataAccessPointAccount
oss:AccessPointNetworkOrigin	Delegates access control permissions to access points that have a network source of Internet or access points that have a network source of VPC. After the delegation, only access points that have the specified network source take effect. Note If you select Internet, access control permissions are delegated to access points that are accessible over the Internet and VPCs.
oss:DataAccessPointAccount	Delegates access control permissions to all access points owned by the current Alibaba Cloud account. After the delegation, all access points owned by the Alibaba Cloud account take effect.

Click Generate Policy.

Use the OSS API

If your business requires a high level of customization, you can directly call RESTful APIs. To directly call an API, you must include the signature calculation in your code.

For more information about the API operation that you can call to create an access point, see CreateAccessPoint.
For more information about the API operation that you can call to configure an access point policy, see PutAccessPointPolicy.
For more information about the API operation that you can call to delegate permissions to an access point by using a bucket policy, see PutBucketPolicy.

What to do next

After you create an access point, you can use the alias of the access point to access the related data. For more information, see Use an access point.

FAQ

Can I configure a whitelist for allowed IP addresses when I configure an access point policy for an access point?

Yes. You can configure an access point policy by specifying policy statements and then add "IpAddress": {"acs:SourceIp": ["xxx"]} to the access point policy.