Configuring CORS
Object Storage allows you to manage CORS configurations in the bucket.
-
In the management console
, select Object Storage from the list of services and go to the bucket you want to configure CORS for. -
In the left-hand panel, select
Security. -
Select the CORS tab.
-
Click Configure.
-
Fill out the form that opens. You can add, delete, and edit configuration rules.
To create a rule:
- Fill in the fields as follows:
- Description: Rule description in any form.
- Allowed Origins: Comma-separated list of domains. Each domain is written in a separate
AllowedOrigin
field in the CORS configuration. Example:http://*.example.com, http://some.another.dom
. - Allowed Methods: Comma-separated list of HTTP methods allowed in the object request. Each method is written in a separate
AllowedMethod
field in the CORS configuration. Example:GET, PUT, HEAD, POST, DELETE
. - Allowed Methods: Comma-separated list of headers in the object request. Each header is written in a separate
AllowedHeader
field in the CORS configuration. Example:X-Request-Id, X-Request-With
. expose_headers
: Comma-separated list of headers that can be displayed in a JavaScript app in the browser. Each header is written in a separateExposeHeader
field in the CORS configuration. Example:X-Amz-Request-Id
.- MaxAgeSeconds: Time, in seconds, for the browser to cache the result of an object request using the
OPTIONS
method.
- Click Save.
You can add multiple rules at once. To add a new rule, click Add rule and repeat the above steps.
For a detailed description of the configuration fields, see CORS configuration of buckets.
- Fill in the fields as follows:
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
See the description of the CLI command to update a bucket:
yc storage bucket update --help
-
Get a list of buckets in the default folder:
yc storage bucket list
Result:
+------------------+----------------------+-------------+-----------------------+---------------------+ | NAME | FOLDER ID | MAX SIZE | DEFAULT STORAGE CLASS | CREATED AT | +------------------+----------------------+-------------+-----------------------+---------------------+ | first-bucket | b1gmit33ngp6******** | 53687091200 | STANDARD | 2022-12-16 13:58:18 | +------------------+----------------------+-------------+-----------------------+---------------------+
-
Using the
NAME
column, save the name of the bucket to set up the CORS configuration in. -
Run this command:
yc storage bucket update \ --name <bucket_name> \ --cors <CORS_parameter>='[<set_of_values>]',<CORS_parameter>='[<set_of_values>]',...
Where:
-
--name
: Name of the bucket to set up the CORS configuration in. -
--cors
: CORS parameters:allowed-methods
: List of methods. Possible values:method-get
,method-put
,method-post
,method-delete
, andmethod-head
. This is a required parameter.allowed-origins
: List of websites that allow sending cross-domain requests to a bucket. This is a required parameter.allowed-headers
: List of allowed headers. This is an optional parameter.expose-headers
: List of headers that can be displayed in a JavaScript app in the browser. This is an optional parameter.max-age-seconds
: Time in seconds during which the browser caches the results of requests to an object. This is an optional parameter.
Parameter values are specified in quotes and square brackets. List items in values are separated by commas with no spaces. For example,
--cors allowed-methods='[method-get,method-head]',allowed-origins='[example.com]'
.Permissions specified in the command override the current CORS settings of the bucket. You can retrieve the current permissions using the
yc storage bucket get <bucket_name> --full
command.Result:
name: first-bucket folder_id: b1gmit33ngp6******** default_storage_class: STANDARD versioning: VERSIONING_DISABLED max_size: "53687091200" acl: {} created_at: "2022-11-25T11:48:42.024638Z"
-
To remove the CORS configuration, run this command:
yc storage bucket update \
--name <bucket_name> \
--remove-cors
To upload a configuration via the AWS CLI:
-
Describe the CORS object configurations in JSON format. For example:
{ "CORSRules": [ { "AllowedHeaders": ["*"], "AllowedMethods": ["GET", "HEAD", "PUT", "DELETE"], "MaxAgeSeconds": 3000, "AllowedOrigins": ["*"] } ] }
When ready, you can save your configuration into a file, e.g.,
cors.json
. -
Upload the configuration to the bucket, e.g.,
shared-bucket
:aws s3api put-bucket-cors \ --bucket shared-bucket \ --cors-configuration file://cors.json \ --endpoint-url=https://storage.yandexcloud.net
Note
Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin
, for the folder where you are going to create resources.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
Retrieve static access keys: a static key and a key ID used to authenticate in Object Storage.
-
In the configuration file, describe the parameters of the resources you want to create:
provider "yandex" { cloud_id = "<cloud_ID>" folder_id = "<folder_ID>" zone = "<availability_zone>" token = "<OAuth_token>" } resource "yandex_iam_service_account" "sa" { name = "<service_account_name>" } // Assigning a role to a service account resource "yandex_resourcemanager_folder_iam_member" "sa-admin" { folder_id = "<folder_ID>" role = "storage.admin" member = "serviceAccount:${yandex_iam_service_account.sa.id}" } // Creating a static access key resource "yandex_iam_service_account_static_access_key" "sa-static-key" { service_account_id = yandex_iam_service_account.sa.id description = "static access key for object storage" } resource "yandex_storage_bucket" "b" { bucket = "s3-website-test.hashicorp.com" acl = "public-read" access_key = yandex_iam_service_account_static_access_key.sa-static-key.access_key secret_key = yandex_iam_service_account_static_access_key.sa-static-key.secret_key cors_rule { allowed_headers = ["*"] allowed_methods = ["PUT", "POST"] allowed_origins = ["https://s3-website-test.hashicorp.com"] expose_headers = ["ETag"] max_age_seconds = 3000 } }
Where:
access_key
: Static access key ID.secret_key
: Secret access key value.bucket
: Bucket name. This is a required parameter.acl
: Applied ACL policy. This is an optional parameter.
CORS
parameters:allowed_headers
: Allowed headers. This is an optional parameter.allowed_methods
: Allowed methods. The possible values areGET
,PUT
,POST
,DELETE
orHEAD
. This is a required parameter.allowed_origins
: Website that allows sending cross-domain requests to a bucket. This is a required parameter.expose_headers
: Header that can be displayed in a JavaScript app in the browser. This is an optional parameter.max_age_seconds
: Time in seconds during which the browser caches the results of requests to an object. This is an optional parameter.server_side_encryption_configuration
: Bucket encryption settings on the server side. This is an optional parameter.
For more information about the resources you can create with Terraform, see the provider documentation
. -
Make sure the configuration files are correct.
-
In the command line, go to the folder where you created the configuration file.
-
Run a check using this command:
terraform plan
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply
-
Confirm that you want to create the resources.
All the resources you need will then be created in the specified folder. You can check the new resources and their settings using the management console
. -
To manage CORS configurations for buckets, use the update REST API method for the Bucket resource, the BucketService/Update gRPC API call, or the upload S3 API method.