| copyright | lastupdated | keywords | subcollection |
|---|---|---|---|
| | 2024-02-20 | public, cdn, anonymous, files | cloud-object-storage |
{{site.data.keyword.attribute-definition-list}}
{: #iam-public-access}
Sometimes data is meant to be shared. Buckets might hold open data sets for academic and private research or image repositories that are used by web applications and content delivery networks. Make these buckets accessible using the Public Access group.
{: shortdesc}
There are three IAM roles that can be used for public access to a bucket: `Administrator`, `ContentReader`, and `ObjectReader`. The difference between them is that `Administrator` and `ContentReader` can list the objects in a bucket, which is useful for applications that need to list objects (for example, a web UI) in addition to reading them. For more information, see the IAM reference documentation.
{: tip}
{: #iam-public-access-console}
First, make sure that you have a bucket. If not, follow the getting started tutorial to become familiar with the console.
{: #public-access-console-enable}
- From the {{site.data.keyword.cloud_notm}} console dashboard, select Storage to view your resource list.
- Next, select the service instance with your bucket from within the Storage menu. This takes you to the {{site.data.keyword.cos_short}} Console.
- Choose the bucket that you want to be publicly accessible. Keep in mind this policy makes all objects in a bucket available to download for anyone with the appropriate URL.
- Select Access policies from the navigation menu.
- Select the Public access tab.
- Click Create access policy. After you read the warning, choose Enable.
- Now all objects in this bucket are publicly accessible!
{: #public-access-console-disable}
- From anywhere in the {{site.data.keyword.cloud_notm}} console, select the Manage menu, and then Access (IAM).
- Select Access groups from the navigation menu.
- Select Public Access to see a list of all public access policies currently in use.
- Find the policy that corresponds to the bucket you want to return to enforced access control.
- From the list of actions on the far right of the policy entry, choose Remove.
- Confirm the dialog box, and the policy is now removed from the bucket.
{: #public-access-object}
To make an object publicly accessible through the REST API, an `x-amz-acl: public-read` header can be included in the request. Setting this header bypasses any IAM policy checks and allows unauthenticated `HEAD` and `GET` requests. For more information about endpoints, see Endpoints and storage locations.
Additionally, HMAC credentials make it possible to allow temporary public access that uses pre-signed URLs.
{: #public-access-object-upload}
```sh
curl -X "PUT" "https://{endpoint}/{bucket-name}/{object-name}" \
  -H "x-amz-acl: public-read" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: text/plain; charset=utf-8" \
  -d "{object-contents}"
```
{: codeblock}
{: #public-access-object-existing}
Using the query parameter `?acl` without a payload and the `x-amz-acl: public-read` header allows public access to the object without needing to overwrite the data.

```sh
curl -X "PUT" "https://{endpoint}/{bucket-name}/{object-name}?acl" \
  -H "x-amz-acl: public-read" \
  -H "Authorization: Bearer {token}"
```
{: codeblock}
{: #public-access-object-private}
Using the query parameter `?acl` without a payload and an empty `x-amz-acl:` header revokes public access to the object without needing to overwrite the data.

```sh
curl -X "PUT" "https://{endpoint}/{bucket-name}/{object-name}?acl" \
  -H "Authorization: Bearer {token}" \
  -H "x-amz-acl:"
```
{: codeblock}
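
The following is an added example, not part of the IBM documentation: a POSIX shell check that sends `HEAD` requests with no `Authorization` header and compares each object's observed exposure with what you intended, to confirm that the `x-amz-acl` requests above took effect. The `COS_ENDPOINT` variable, the manifest format, the function names, and the status mapping (200 readable, 401/403 denied) are assumptions of this example.

```sh
#!/bin/sh
# Added example: confirm that x-amz-acl changes took effect by probing objects
# WITHOUT credentials. Assumptions: COS_ENDPOINT holds the endpoint host, keys
# are URL-safe, and the service answers 200 when readable, 401/403 when denied.

# head_status URL: print the HTTP status of an unauthenticated HEAD ("000" on error).
head_status() {
    curl -s -o /dev/null -I --max-time 10 -w '%{http_code}' "$1" || true
}

# classify STATUS: map a status code to an exposure state.
classify() {
    case "$1" in
        200)     echo public ;;
        401|403) echo private ;;
        404)     echo missing ;;
        *)       echo unknown ;;
    esac
}

# audit_manifest FILE: each line is "<public|private> <bucket>/<object-key>".
# Prints a DRIFT line per mismatch and returns 1 if any object differs.
audit_manifest() {
    : "${COS_ENDPOINT:?set COS_ENDPOINT to the endpoint host}"
    drift=0
    while read -r want path; do
        case "$want" in ''|'#'*) continue ;; esac   # skip blanks and comments
        got=$(classify "$(head_status "https://${COS_ENDPOINT}/${path}")")
        if [ "$got" != "$want" ]; then
            echo "DRIFT ${path}: expected ${want}, observed ${got}"
            drift=1
        fi
    done < "$1"
    return "$drift"
}

# Usage: COS_ENDPOINT={endpoint} audit_manifest manifest.txt
```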
{: #public-access-static-website}
While {{site.data.keyword.cos_full_notm}} doesn't support automatic static website hosting, it's possible to manually configure a web server and use it to serve publicly accessible content hosted in a bucket. For more information, see the overview of static website options.