Configuring CORS
Object Storage enables managing CORS configurations in buckets.
- In the management console, select Object Storage from the list of services and go to the bucket you want to configure CORS for.
- In the left-hand panel, select Security.
- Select the CORS tab.
- Click Configure.
- Fill out the form that opens. You can add, delete, and edit configuration rules.
To create a rule:
- Fill in the fields as follows:
  - Description: Rule description in any form.
  - Allowed Origins: Comma-separated list of domains. Each domain is written in a separate AllowedOrigin field in the CORS configuration. Example: http://*.example.com, http://some.another.dom.
  - Allowed Methods: Comma-separated list of HTTP methods allowed in the object request. Each method is written in a separate AllowedMethod field in the CORS configuration. Example: GET, PUT, HEAD, POST, DELETE.
  - Allowed Headers: Comma-separated list of headers allowed in the object request. Each header is written in a separate AllowedHeader field in the CORS configuration. Example: X-Request-Id, X-Request-With.
  - expose_headers: Comma-separated list of headers that can be exposed to a JavaScript app in the browser. Each header is written in a separate ExposeHeader field in the CORS configuration. Example: X-Amz-Request-Id.
  - MaxAgeSeconds: Time, in seconds, for the browser to cache the result of an object request using the OPTIONS method.
- Click Save.
You can add multiple rules at once. To add a new rule, click Add rule and repeat the above steps.
For a detailed description of the configuration fields, see CORS configuration of buckets.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.
- See the description of the CLI command for updating a bucket:

    yc storage bucket update --help

- Get a list of buckets in the default folder:

    yc storage bucket list

  Result:

    +------------------+----------------------+-------------+-----------------------+---------------------+
    |       NAME       |      FOLDER ID       |  MAX SIZE   | DEFAULT STORAGE CLASS |     CREATED AT      |
    +------------------+----------------------+-------------+-----------------------+---------------------+
    | first-bucket     | b1gmit33ngp6******** | 53687091200 | STANDARD              | 2022-12-16 13:58:18 |
    +------------------+----------------------+-------------+-----------------------+---------------------+

- Save the name (from the NAME column) of the bucket to configure CORS for.
- Run this command:

    yc storage bucket update \
      --name <bucket_name> \
      --cors <CORS_parameter>='[<array_of_values>]',<CORS_parameter>='[<array_of_values>]',...

  Where:
  - --name: Name of the bucket to configure CORS for.
  - --cors: CORS parameters:
    - allowed-methods: List of methods. The possible values are method-get, method-put, method-post, method-delete, and method-head. This is a required parameter.
    - allowed-origins: List of websites allowed to send CORS requests to the bucket. This is a required parameter.
    - allowed-headers: List of allowed headers. This is an optional parameter.
    - expose-headers: List of headers that can be exposed to browser JavaScript apps. This is an optional parameter.
    - max-age-seconds: Time for which the browser caches object request results, in seconds. This is an optional parameter.

    Parameter values are specified in quotes and square brackets. List items in values are separated by commas with no spaces, e.g., --cors allowed-methods='[method-get,method-head]',allowed-origins='[example.com]'.

    Permissions you specify in the command will override the current CORS settings of the bucket. To get the current permissions, use the yc storage bucket get <bucket_name> --full command.

  Result:

    name: first-bucket
    folder_id: b1gmit33ngp6********
    default_storage_class: STANDARD
    versioning: VERSIONING_DISABLED
    max_size: "53687091200"
    acl: {}
    created_at: "2022-11-25T11:48:42.024638Z"

- To delete the CORS configuration, run this command:

    yc storage bucket update \
      --name <bucket_name> \
      --remove-cors

To upload a configuration using the AWS CLI:
- Define the CORS object configuration in JSON format. Here is an example:

    {
      "CORSRules": [
        {
          "AllowedHeaders": ["*"],
          "AllowedMethods": ["GET", "HEAD", "PUT", "DELETE"],
          "MaxAgeSeconds": 3000,
          "AllowedOrigins": ["*"]
        }
      ]
    }

  Once the configuration is complete, save it to a file, e.g., cors.json.
- Upload the configuration to a bucket, e.g., shared-bucket:

    aws s3api put-bucket-cors \
      --bucket shared-bucket \
      --cors-configuration file://cors.json \
      --endpoint-url=https://storage.yandexcloud.net

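A pre-upload check for the cors.json format shown above, as an added example that is not part of the Object Storage documentation. The function name audit_cors, the finding codes, and the tightened sample origin https://app.example.com are assumptions made for illustration.

```python
import json

WRITE_METHODS = {"PUT", "POST", "DELETE"}

def audit_cors(config):
    """Return (rule_index, code) findings for an S3-format CORS configuration."""
    findings = []
    for i, rule in enumerate(config.get("CORSRules", [])):
        origins = rule.get("AllowedOrigins", [])
        methods = {m.upper() for m in rule.get("AllowedMethods", [])}
        # Both fields are required in every rule.
        if not origins:
            findings.append((i, "missing-origins"))
        if not methods:
            findings.append((i, "missing-methods"))
        for origin in origins:
            if origin == "*":
                # Any website's script may call the bucket and read the response.
                findings.append((i, "any-origin"))
                if methods & WRITE_METHODS:
                    findings.append((i, "any-origin-write"))
            elif "*" in origin:
                findings.append((i, "wildcard-subdomain"))
            if origin.startswith("http://"):
                findings.append((i, "plaintext-origin"))
        if "*" in rule.get("AllowedHeaders", []):
            findings.append((i, "any-header"))
    return findings

# The example configuration from this page.
PAGE_EXAMPLE = json.loads("""
{"CORSRules": [{"AllowedHeaders": ["*"],
                "AllowedMethods": ["GET", "HEAD", "PUT", "DELETE"],
                "MaxAgeSeconds": 3000,
                "AllowedOrigins": ["*"]}]}
""")

# Constructed tightened variant: one HTTPS origin, read-only methods, named header.
TIGHTENED = json.loads("""
{"CORSRules": [{"AllowedHeaders": ["X-Request-Id"],
                "AllowedMethods": ["GET", "HEAD"],
                "MaxAgeSeconds": 3000,
                "AllowedOrigins": ["https://app.example.com"]}]}
""")

if __name__ == "__main__":
    for name, cfg in (("page example", PAGE_EXAMPLE), ("tightened", TIGHTENED)):
        print(name, audit_cors(cfg))
```

CORS only tells browsers which origins may read cross-origin responses; the bucket ACL and access policies still decide which requests are authorized.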
Note
Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
Retrieve static access keys: a secret key and key ID used for Object Storage authentication.
- In the configuration file, define the parameters of the resources you want to create:

    provider "yandex" {
      cloud_id  = "<cloud_ID>"
      folder_id = "<folder_ID>"
      zone      = "<availability_zone>"
      token     = "<OAuth_token>"
    }

    resource "yandex_iam_service_account" "sa" {
      name = "<service_account_name>"
    }

    // Assigning a role to a service account
    resource "yandex_resourcemanager_folder_iam_member" "sa-admin" {
      folder_id = "<folder_ID>"
      role      = "storage.admin"
      member    = "serviceAccount:${yandex_iam_service_account.sa.id}"
    }

    // Creating a static access key
    resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
      service_account_id = yandex_iam_service_account.sa.id
      description        = "static access key for object storage"
    }

    resource "yandex_storage_bucket" "b" {
      bucket     = "s3-website-test.hashicorp.com"
      acl        = "public-read"
      access_key = yandex_iam_service_account_static_access_key.sa-static-key.access_key
      secret_key = yandex_iam_service_account_static_access_key.sa-static-key.secret_key

      cors_rule {
        allowed_headers = ["*"]
        allowed_methods = ["PUT", "POST"]
        allowed_origins = ["https://s3-website-test.hashicorp.com"]
        expose_headers  = ["ETag"]
        max_age_seconds = 3000
      }
    }

  Where:
  - access_key: Static access key ID.
  - secret_key: Secret access key value.
  - bucket: Bucket name. This is a required parameter.
  - acl: ACL policy to apply. This is an optional parameter.

  CORS parameters:
  - allowed_headers: Allowed headers. This is an optional parameter.
  - allowed_methods: Allowed methods. The possible values are GET, PUT, POST, DELETE or HEAD. This is a required parameter.
  - allowed_origins: Website allowed to send CORS requests to the bucket. This is a required parameter.
  - expose_headers: Header that can be exposed to browser JavaScript apps. This is an optional parameter.
  - max_age_seconds: Time for which the browser caches object request results, in seconds. This is an optional parameter.
  - server_side_encryption_configuration: Bucket's server-side encryption configuration. This is an optional parameter.

  For more information about the resources you can create with Terraform, see this provider reference.
- Make sure the configuration files are correct.
  - In the command line, go to the directory where you created the configuration file.
  - Run a check using this command:

      terraform plan

  If you described the configuration correctly, the terminal will display a list of the resources being created and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy the cloud resources.
  - If the configuration does not contain any errors, run this command:

      terraform apply

  - Confirm creating the resources.

  This will create all the resources you need in the specified folder. You can check the new resources and their settings using the management console.

To manage CORS configurations for buckets, use the update REST API method for the Bucket resource, the BucketService/Update gRPC API call, or the upload S3 API method.