Access points simplify data access control at scale for shared datasets. This topic describes how to create an access point.
Prerequisites
The bucket with which you want to associate an access point is located in one of the following regions: China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), US (Silicon Valley), US (Virginia), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), India (Mumbai), Germany (Frankfurt), and UK (London).
A virtual private cloud (VPC) is created if you want to create an access point that allows access only from a VPC. For more information, see Create and manage a VPC.
If you want to create an access point by using a RAM user, the RAM user is granted the following permissions: oss:CreateAccessPoint, oss:GetAccessPoint, oss:DeleteAccessPoint, oss:ListAccessPoints, oss:PutAccessPointPolicy, oss:GetAccessPointPolicy, oss:DeleteAccessPointPolicy, oss:PutBucketPolicy, oss:GetBucketPolicy, and oss:DeleteBucketPolicy. For more information, see Attach a custom policy to a RAM user.
Example scenario
Your company stores collected data in the examplebucket bucket in Alibaba Cloud account 137918634953**** for big data analytics and management. You are the account owner and want to allow 10 business units to access the examplebucket bucket:
Allow Units 1 to 3 read-only access to objects in the examplebucket/dir1/ directory over the Internet.
Allow Unit 4 read and write access to directories in the bucket over the Internet.
Allow Units 5 to 10 read and write access to objects in the examplebucket/dir2/ directory only from a specified VPC.
You can configure access points to implement the preceding access control requirements.
You need to create an access point separately for Units 1 to 3, Unit 4, and Units 5 to 10 and assign permissions to the access points. Then, you provide the units with the corresponding access points. The units can use the access points to access data that is intended for them.
Procedure
You can create an access point by using the OSS console or by using the OSS API.
What to do next
After you create an access point, you can use the alias of the access point to access the related data. For more information, see Use an access point.
FAQ
Can I configure a whitelist for allowed IP addresses when I configure an access point policy for an access point?
Yes. You can configure an access point policy by specifying policy statements and then add "IpAddress": {"acs:SourceIp": ["xxx"]} to the access point policy.
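The example scenario above and the FAQ answer, as an added illustration that is not part of the original documentation and not OSS code: a small Python evaluator builds the three access point policies the scenario calls for (one per access point), adds the acs:SourceIp whitelist condition from the FAQ to one of them, and checks constructed requests against them with the usual default-deny, explicit-Deny-wins rule. The resource string layout, the cn-hangzhou region ID, the access point names and the RAM principal IDs are assumptions; the VPC-only restriction for Units 5 to 10 is assumed to come from creating that access point with a VPC network origin rather than from a policy condition.

```python
import fnmatch
import ipaddress

# Account ID from the scenario (masked as on the page); region and principal IDs are constructed.
ACCOUNT_UID = "137918634953****"
REGION = "cn-hangzhou"
UNITS_1_3 = ["unit1-ram-uid", "unit2-ram-uid", "unit3-ram-uid"]
UNIT_4 = ["unit4-ram-uid"]
UNITS_5_10 = [f"unit{n}-ram-uid" for n in range(5, 11)]


def ap_object(ap_name, key):
    """Resource string for an object reached through an access point.
    The acs:oss:<region>:<uid>:accesspoint/<name>/object/<key> layout is an assumption."""
    return f"acs:oss:{REGION}:{ACCOUNT_UID}:accesspoint/{ap_name}/object/{key}"


def allow(principals, actions, resources, source_ips=None):
    """Build one Allow statement; source_ips adds the IpAddress/acs:SourceIp condition from the FAQ."""
    stmt = {"Effect": "Allow", "Principal": principals, "Action": actions, "Resource": resources}
    if source_ips:
        stmt["Condition"] = {"IpAddress": {"acs:SourceIp": source_ips}}
    return stmt


# One policy per access point (names constructed). Units 1-3: read-only under dir1/.
POLICY_AP_UNITS_1_3 = {"Version": "1", "Statement": [
    allow(UNITS_1_3, ["oss:GetObject"], [ap_object("ap-units-1-3", "dir1/*")])]}
# Unit 4: read and write on every object in the bucket.
POLICY_AP_UNIT_4 = {"Version": "1", "Statement": [
    allow(UNIT_4, ["oss:GetObject", "oss:PutObject"], [ap_object("ap-unit-4", "*")])]}
# Units 5-10: read and write under dir2/. Limiting them to the VPC is assumed to be done by
# creating this access point with VPC network origin, not by a policy condition.
POLICY_AP_UNITS_5_10 = {"Version": "1", "Statement": [
    allow(UNITS_5_10, ["oss:GetObject", "oss:PutObject"], [ap_object("ap-units-5-10", "dir2/*")])]}
# FAQ variant: the read-only policy additionally whitelisted to one IP range (constructed range).
POLICY_AP_UNITS_1_3_IP = {"Version": "1", "Statement": [
    allow(UNITS_1_3, ["oss:GetObject"], [ap_object("ap-units-1-3", "dir1/*")], ["203.0.113.0/24"])]}


def _ip_condition_holds(condition, source_ip):
    """Only the IpAddress/acs:SourceIp condition used on this page is modelled."""
    allowed = condition.get("IpAddress", {}).get("acs:SourceIp")
    if allowed is None:
        return True                       # no IP condition on this statement
    if source_ip is None:
        return False                      # condition present but no source IP to check
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in allowed)


def is_allowed(policy, principal, action, resource, source_ip=None):
    """Default deny; an explicit Deny statement that matches wins over any Allow."""
    decision = False
    for stmt in policy["Statement"]:
        if principal not in stmt["Principal"]:
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        if not _ip_condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def scenario_checks():
    """Requests a practitioner would try against the three policies (object keys and IPs constructed)."""
    return {
        "unit1 reads dir1": is_allowed(POLICY_AP_UNITS_1_3, "unit1-ram-uid", "oss:GetObject",
                                       ap_object("ap-units-1-3", "dir1/report.csv")),
        "unit1 writes dir1": is_allowed(POLICY_AP_UNITS_1_3, "unit1-ram-uid", "oss:PutObject",
                                        ap_object("ap-units-1-3", "dir1/report.csv")),
        "unit1 reads dir2": is_allowed(POLICY_AP_UNITS_1_3, "unit1-ram-uid", "oss:GetObject",
                                       ap_object("ap-units-1-3", "dir2/raw.parquet")),
        "unit5 via ap-units-1-3": is_allowed(POLICY_AP_UNITS_1_3, "unit5-ram-uid", "oss:GetObject",
                                             ap_object("ap-units-1-3", "dir1/report.csv")),
        "unit4 writes anywhere": is_allowed(POLICY_AP_UNIT_4, "unit4-ram-uid", "oss:PutObject",
                                            ap_object("ap-unit-4", "dir3/new.bin")),
        "unit7 writes dir2": is_allowed(POLICY_AP_UNITS_5_10, "unit7-ram-uid", "oss:PutObject",
                                        ap_object("ap-units-5-10", "dir2/part-0.parquet")),
        "whitelisted ip": is_allowed(POLICY_AP_UNITS_1_3_IP, "unit2-ram-uid", "oss:GetObject",
                                     ap_object("ap-units-1-3", "dir1/report.csv"), "203.0.113.40"),
        "other ip": is_allowed(POLICY_AP_UNITS_1_3_IP, "unit2-ram-uid", "oss:GetObject",
                               ap_object("ap-units-1-3", "dir1/report.csv"), "198.51.100.9"),
    }


if __name__ == "__main__":
    for name, allowed in scenario_checks().items():
        print(f"{name:24s} -> {'allow' if allowed else 'deny'}")
```

Each business unit only ever receives the alias of its own access point, so even if Unit 5 learned the alias of the Units 1 to 3 access point, the check above denies it because its principal is not listed in that access point's policy; the per-access-point policy, not the shared bucket, is where the unit-specific grant lives.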