How do I create an access point? - Object Storage Service

Access points simplify data access management at scale for shared datasets. This topic describes how to create an access point.

Prerequisites

A virtual private cloud (VPC) is created if you want to create an access point that allows access only from a VPC. For more information, see Create and manage a VPC.
If you want to create an access point by using a RAM user, the RAM user is granted the following permissions: oss:CreateAccessPoint, oss:GetAccessPoint, oss:DeleteAccessPoint, oss:ListAccessPoints, oss:PutAccessPointPolicy, oss:GetAccessPointPolicy, oss:DeleteAccessPointPolicy, oss:PutBucketPolicy, oss:GetBucketPolicy, and oss:DeleteBucketPolicy. For more information, see Attach a custom policy to a RAM user.

Example scenario

Your company stores collected data in the examplebucket bucket in Alibaba Cloud account 137918634953xxxx for big data analytics and management. You are the account owner and want to allow 10 business units to access the examplebucket bucket:

Allow Units 1 to 3 to perform only read operations on objects in the examplebucket/dir1/ directory over the Internet.
Allow Unit 4 to perform read and write operations on directories in the bucket over the Internet.
Allow Units 5 to 10 to perform read and write operations on objects in the examplebucket/dir2/ directory only from a specific VPC.

You can configure access points to meet the preceding access control requirements.

You need to create an access point separately for Units 1 to 3, Unit 4, and Units 5 to 10 and assign permissions to the access points. Then, you provide the units with the corresponding access points. This way, the units can use the corresponding access points to access data that is intended for them.

Methods

Use the OSS console

Configure basic information about the access point.

Log on to the OSS console.
In the left-side navigation pane, click Access Points.
On the Access Points page, click Create Access Point.

In the Create Access Point panel, configure the following parameters in the Basic Information step and click Next.

Parameter	Description	Example
Access Point Name	Specify the name of the access point. The name of the access point must meet the following requirements: The name must be unique in a region of your Alibaba Cloud account. The name cannot end with -ossalias. The name can contain only lowercase letters, digits, and hyphens (-). It cannot start or end with a hyphen (-). The name must be 3 to 19 characters in length.	Units 1 to 3: ap-01 Unit 4: ap-02 Units 5 to10: ap-03
Bucket	Select the bucket for which you want to create the access point from the drop-down list. You can create up to 100 access points for a bucket.	examplebucket
Network Source	Select a network source for the access point. Internet: Data in the bucket is accessible over the Internet or an internal network. VPC: Data in the bucket is accessible only over a specific VPC. If you select this option, you must specify a VPC ID. Important When you use an access point to restrict the VPC, make sure that the region of the selected VPC matches the region of the gateway endpoint supported by OSS. Otherwise, authentication requests cannot be associated with the corresponding VPC, which leads to authentication failures. For more information, see Regions of gateway endpoints supported by OSS. If the network source of the access point is VPC, you cannot access the resources in the bucket associated with the access point by using the OSS console. To access the resources, combine the access point with the internal endpoint of the bucket by using an OSS SDK.	Units 1 to 3: Internet Unit 4: Internet Units 5 to 10: VPC

Configure an access point policy.

Important

An access point policy applies only to requests created by using the access point and does not affect other available access methods for the bucket.

Add an access policy in the GUI

In the Access Point Policy step, configure the parameters. The following table describes the parameters.

Parameter	Description	Example
Access Point Policy	Select Add in GUI.	N/A
ARN of Access Point	Specify the Alibaba Cloud Resource Name (ARN) of the access point. Format: `acs:oss:region:account UID:accesspoint/accessPointName/object/*`.	acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-01/object/*
Applied To	Select the resources to which you want to apply the access point policy. Whole Bucket: The access point policy applies to all resources in the bucket. Specific Resources: The bucket policy applies only to specific resources in the bucket. You can configure multiple access point policies for specific resources in the bucket.	Units 1 to 3: Specific Resources Unit 4: Whole Bucket Units 5 to 10: Specific Resources
Resource Paths	If you set Applied To to Whole Bucket, you do not need to specify Resource Paths because the value of Resource Paths is automatically populated in the `accesspoint/accessPointName/` format. If you set Applied To* to Specific Resources, specify the Resource Paths parameter based on the following requirements: Directory-level authorization To allow access to all subdirectories and objects in a directory, add an asterisk () to the directory name. For example, to allow access to all subdirectories and objects in a directory named abc, enter abc/. Object-level authorization To allow access to a specific object, enter the full path of the object excluding the bucket name. For example, to allow access to an object named myphoto.png in the abc directory, enter abc/myphoto.png.	Units 1 to 3: accesspoint/ap-01/object/dir1/* Unit 4: accesspoint/ap-02/* Units 5 to 10: accesspoint/ap-03/object/dir2/*
Authorized User	Select the type of accounts to which you want to grant the permissions. Only the RAM users of the current Alibaba Cloud account can be authorized to access specific resources. Select RAM User and then select a RAM user from the drop-down list. If you want to grant the permissions to multiple RAM users, we recommend that you enter the keywords of the RAM usernames in the search box to perform fuzzy match. Important Before you select RAM User, make sure that you log on to the OSS console with an Alibaba Cloud account or as a RAM user who has the permissions to manage the bucket and the ListUsers permission in the RAM console. Otherwise, you cannot view the RAM users of the current Alibaba Cloud account. For more information about how to grant the ListUsers permission to a RAM user, see Grant permissions to a RAM user.	Units 1 to 3: RAM User (UID: 26571698800555xxxx) Unit 4: RAM User (UID: 25770968794578xxxx) Units 5 to 10: RAM User (UID: 26806658794579xxxx)
Authorized Operation	You can use one of the following methods to specify authorized operations: Basic Settings and Advanced Settings. Basic Settings If you select this option, configure the following permissions based on your business requirements. You can move the pointer over the icon to the right of each permission to view the actions that correspond to the permission. Read-Only (excluding ListObject): allows authorized users to view and download the resources. Read-Only (including ListObject): allows authorized users to view, list, and download the resources. Read/Write: allows authorized users to perform read and write operations on the resources. Full Access: allows authorized users to perform all operations on the resources. Deny Access: forbids authorized users from performing operations on the resources. Important If multiple bucket policies are configured for a user, the user has all the permissions configured in the policies. However, if a bucket policy in which the Authorized Operation parameter is set to Deny Access is created, this bucket policy takes precedence. For example, if you configure a first bucket policy in which Authorized Operation is set to Read-Only and configure a second bucket policy in which Authorized Operation is set to Read/Write, the Read/Write permissions are granted to the user. If you configure a third bucket policy in which Authorized Operation is set to Deny Access, the user is denied access to the resources. The authorization effect for Read-Only (excluding ListObject), Read-Only (including ListObject), Read/Write, and Full Access is Allow, and the authorization effect for Deny Access is Reject. Advanced Settings If you select this option, you must configure the following parameters: Effect: Select Allow or Reject. Actions: Specify the actions that you want to allow or deny. For more information about the Action category, see Action element in RAM policies for OSS.	Units 1 to 3: Read-Only (including ListObject) Unit 4: Read/Write Units 5 to 10: Read/Write

Click Submit.
- OSS requires approximately 10 minutes to create an access point.
- OSS automatically creates an alias for an access point. You can view the alias of an access point on the Access Points page.
- You cannot modify, delete, or disable access point aliases.

Add an access point policy by specifying policy statements

In the Access Point Policy step, select Add by Syntax for Access Point Policy.

In the code editor, enter the following policy:

Access point policy for Units 1 to 3

{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [    
            "oss:GetObject",    
            "oss:GetObjectAcl",
            "oss:ListObjects",
            "oss:RestoreObject",
            "oss:ListObjectVersions",
            "oss:GetObjectVersion",
            "oss:GetObjectVersionAcl",
            "oss:RestoreObjectVersion"    
        ],    
        "Principal": [    
            "26571698800555xxxx"    
        ],    
        "Resource": [    
            "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-01/object/dir1/*"    
        ]    
    },{     
        "Effect": "Allow",    
        "Action": [    
            "oss:ListObjects",
            "oss:GetObject"    
        ],    
        "Principal": [    
            "26571698800555xxxx"    
        ],    
        "Resource": [    
            "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-01"    
    ],
        "Condition": {    
            "StringLike": {    
                "oss:Prefix": [            
                    "dir1/*"    
                ]    
            }    
        }    
      }    
    ]    
}

Access point policy for Unit 4

{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [    
            "oss:GetObject",
            "oss:PutObject",    
            "oss:GetObjectAcl",
            "oss:PutObjectAcl",
            "oss:ListObjects",
            "oss:AbortMultipartUpload",
            "oss:ListParts",
            "oss:RestoreObject",
            "oss:ListObjectVersions",
            "oss:GetObjectVersion",
            "oss:GetObjectVersionAcl",
            "oss:RestoreObjectVersion"    
        ],    
        "Principal": [    
            "25770968794578xxxx"    
        ],    
        "Resource": [    
            "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-02/object/*"    
        ]    
    },{     
        "Effect": "Allow",    
        "Action": [    
            "oss:ListObjects",
            "oss:GetObject"    
        ],    
        "Principal": [    
            "25770968794578xxxx"    
        ],    
        "Resource": [    
            "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-02"    
    ],
        "Condition": {    
            "StringLike": {    
                "oss:Prefix": [            
                    "*"    
                ]    
            }    
        }    
      }    
    ]    
}

Access point policy for Units 5 to 10

{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [    
            "oss:GetObject",
            "oss:PutObject",    
            "oss:GetObjectAcl",
            "oss:PutObjectAcl",
            "oss:ListObjects",
            "oss:AbortMultipartUpload",
            "oss:ListParts",
            "oss:RestoreObject",
            "oss:ListObjectVersions",
            "oss:GetObjectVersion",
            "oss:GetObjectVersionAcl",
            "oss:RestoreObjectVersion"    
        ],    
        "Principal": [    
            "26806658794579xxxx"    
        ],    
        "Resource": [    
            "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-03/object/dir2/*"    
        ]    
    },{     
        "Effect": "Allow",    
        "Action": [    
            "oss:ListObjects",
            "oss:GetObject"    
        ],    
        "Principal": [    
            "26806658794579xxxx"    
        ],    
        "Resource": [    
            "acs:oss:cn-hangzhou:137918634953xxxx:accesspoint/ap-03"    
    ],
        "Condition": {    
            "StringLike": {    
                "oss:Prefix": [            
                    "dir2/*"    
                ]    
            }    
        }    
      }    
    ]    
}

Click Submit.
- OSS requires approximately 10 minutes to create an access point.
- OSS automatically creates an alias for an access point. You can view the alias of an access point on the Access Points page.
- You cannot modify, delete, or disable access point aliases.

Use a bucket policy to delegate access control to an access point.

On the Access Points page, click the name of the access point that you created.
On the Configuration Management tab, click Delegate Access Control to Access Point.

In the Delegate Access Control to Access Point panel, configure a bucket policy to delegate access control permissions to the access point.

Delegation Type	Description	Example
oss:DataAccessPointArn	Delegates access control permissions to the specified access point. After the delegation, only the specified access point takes effect.	oss:DataAccessPointAccount
oss:AccessPointNetworkOrigin	Delegates access control permissions to access points whose network source is Internet or VPC. After the delegation, only access points whose network source is Internet or VPC take effect. Note If you select Internet, access control permissions are delegated to access points that are accessible over the Internet and VPCs.
oss:DataAccessPointAccount	Delegates access control permissions to all access points owned by the current Alibaba Cloud account. After the delegation, all access points owned by the Alibaba Cloud account take effect.

Click Generate Policy.

Use ossutil

You can use ossutil to create access points and configure access point policies. For information about its installation, see Install ossutil.

Below is a code example for creating an access point named 'ap-01' associated with examplebucket.

ossutil api create-access-point --bucket examplebucket --create-access-point-configuration  "{\"AccessPointName\":\"ap-01\",\"NetworkOrigin\":\"internet\"}"

For details of this command, see create-access-point.

Below is a code example for configuring an access point policy for 'ap-01' associated with examplebucket.

ossutil api put-access-point-policy --bucket examplebucket --access-point-name ap-01 --body "{\"Version\":\"1\",\"Statement\":[{\"Action\":[\"oss:PutObject\",\"oss:GetObject\"],\"Effect\":\"Deny\",\"Principal\":[\"27737962156157xxxx\"],\"Resource\":[\"acs:oss:cn-hangzhou:111933544165xxxx:accesspoint/$ap-01\",\"acs:oss:cn-hangzhou:111933544165xxxx:accesspoint/ap-01/object/*\"]}]}"

For details of this command, see put-access-point-policy.

Related API operation

The methods described above are fundamentally implemented based on the RESTful API, which you can directly call if your business requires a high level of customization. To directly call an API, you must include the signature calculation in your code.

For more information about the API operation for creating access points, see CreateAccessPoint.
For more information about the API operation for configuring access point policies, see PutAccessPointPolicy.
For more information about the API operation for delegating permissions to an access point by using a bucket policy, see PutBucketPolicy.

What to do next

After you create an access point, you can use the alias of the access point to access the related data. For more information, see Use an access point.

FAQ

Can I configure an IP address whitelist when I configure an access point policy for an access point?

Yes. You can configure an access point policy by specifying policy statements and then add "IpAddress": {"acs:SourceIp": ["xxx"]} to the access point policy.