Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Configuring CORS

Written by
Improved by
Updated at May 5, 2025

Object Storage enables managing CORS configurations in buckets.

  1. In the management console, select Object Storage from the list of services and go to the bucket you want to configure CORS for.

  2. In the left-hand panel, select Security.

  3. Select the CORS tab.

  4. Click Configure.

  5. Fill out the form that opens. You can add, delete, and edit configuration rules.

    To create a rule:

    1. Fill in the fields as follows:
      • Description: Rule description in any form.
      • Allowed Origins: Comma-separated list of domains. Each domain is written in a separate AllowedOrigin field in the CORS configuration, e.g., http://*.example.com, http://some.another.dom.
      • Allowed Methods: Comma-separated list of HTTP methods allowed in the object request. Each method is written in a separate AllowedMethod field in the CORS configuration, e.g., GET, PUT, HEAD, POST, DELETE.
      • Allowed Headers: Comma-separated list of headers allowed in the object request. Each header is written in a separate AllowedHeader field in the CORS configuration, e.g., X-Request-Id, X-Request-With.
      • expose_headers: Comma-separated list of headers that can be displayed in a JavaScript app in the browser. Each header is written in a separate ExposeHeader field in the CORS configuration, e.g., X-Amz-Request-Id.
      • MaxAgeSeconds: Time, in seconds, for the browser to cache the result of an object request using the OPTIONS method.
    2. Click Save.

    You can add multiple rules at once. To add a new rule, click Add rule and repeat the above steps.

    For a detailed description of the configuration fields, see CORS configuration for buckets.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for updating a bucket:

    yc storage bucket update --help

  2. Get a list of buckets in the default folder:

    yc storage bucket list

    Result:

    +------------------+----------------------+-------------+-----------------------+---------------------+
|       NAME       |      FOLDER ID       |  MAX SIZE   | DEFAULT STORAGE CLASS |     CREATED AT      |
+------------------+----------------------+-------------+-----------------------+---------------------+
| first-bucket     | b1gmit33ngp6******** | 53687091200 | STANDARD              | 2022-12-16 13:58:18 |
+------------------+----------------------+-------------+-----------------------+---------------------+

  3. Save the name (from the NAME column) of the bucket to configure CORS for.

  4. Run this command:

    yc storage bucket update \
  --name <bucket_name> \
  --cors <CORS_parameter>='[<array_of_values>]',<CORS_parameter>='[<array_of_values>]',...

    Where:

    • --name: Name of the bucket to configure CORS for.

    • --cors: CORS parameters:

      • allowed-methods: List of methods. The possible values are method-get, method-put, method-post, method-delete, and method-head. This is a required parameter.
      • allowed-origins: List of websites allowed to send CORS requests to the bucket. This is a required parameter.
      • allowed-headers: List of allowed headers. This is an optional parameter.
      • expose-headers: List of headers that can be exposed to browser JavaScript apps. This is an optional parameter.
      • max-age-seconds: Time for which the browser caches object request results, in seconds. This is an optional parameter.

      Parameter values are specified in quotes and square brackets. List items in values are separated by commas with no spaces, e.g., --cors allowed-methods='[method-get,method-head]',allowed-origins='[example.com]'.

      Permissions you specify in the command will override the current CORS settings of the bucket. To get the current permissions, use the yc storage bucket get <bucket_name> --full command.

      Result:

      name: first-bucket
folder_id: b1gmit33ngp6********
default_storage_class: STANDARD
versioning: VERSIONING_DISABLED
max_size: "53687091200"
acl: {}
created_at: "2022-11-25T11:48:42.024638Z"

To delete the CORS configuration, run this command:

yc storage bucket update \
  --name <bucket_name> \
  --remove-cors

To upload a configuration using the AWS CLI:

  1. Define the CORS object configuration in JSON format. Here is an example:

    {
  "CORSRules": [
    {
      "AllowedHeaders": ["*"],
      "AllowedMethods": ["GET", "HEAD", "PUT", "DELETE"],
      "MaxAgeSeconds": 3000,
      "AllowedOrigins": ["*"]
    }
  ]
}

    Once the configuration is complete, save it to a file, e.g., cors.json.

  2. Upload the configuration to a bucket, e.g., shared-bucket:

    aws s3api put-bucket-cors \
  --bucket shared-bucket \
  --cors-configuration file://cors.json \
  --endpoint-url=https://storage.yandexcloud.net

Note

Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

Retrieve static access keys: a secret key and key ID used for Object Storage authentication.

Note

In addition to static access keys, you can use an IAM token for authentication in Object Storage. For more details, see Creating a bucket and the relevant provider documentation.

  1. In the configuration file, define the parameters of the resources you want to create:

    provider "yandex" {
  cloud_id  = "<cloud_ID>"
  folder_id = "<folder_ID>"
  zone      = "<availability_zone>"
  token     = "<OAuth_token>"
  }

resource "yandex_iam_service_account" "sa" {
  name = "<service_account_name>"
}

// Assigning a role to a service account
resource "yandex_resourcemanager_folder_iam_member" "sa-admin" {
  folder_id = "<folder_ID>"
  role      = "storage.admin"
  member    = "serviceAccount:${yandex_iam_service_account.sa.id}"
}

// Creating a static access key
resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
  service_account_id = yandex_iam_service_account.sa.id
  description        = "static access key for object storage"
}

resource "yandex_storage_bucket" "b" {
  bucket = "s3-website-test.hashicorp.com"
  acl    = "public-read"

  access_key = yandex_iam_service_account_static_access_key.sa-static-key.access_key
  secret_key = yandex_iam_service_account_static_access_key.sa-static-key.secret_key

  cors_rule {
    allowed_headers = ["*"]
    allowed_methods = ["PUT", "POST"]
    allowed_origins = ["https://s3-website-test.hashicorp.com"]
    expose_headers  = ["ETag"]
    max_age_seconds = 3000
  }
}

    Where:

    • access_key: Static access key ID.
    • secret_key: Secret access key value.
    • bucket: Bucket name. This is a required parameter.
    • acl: ACL policy to apply. This is an optional parameter.

    CORS parameters:

    • allowed_headers: Allowed headers. This is an optional parameter.
    • allowed_methods: Allowed methods. The possible values are GET, PUT, POST, DELETE or HEAD. This is a required parameter.
    • allowed_origins: Website allowed to send CORS requests to the bucket. This is a required parameter.
    • expose_headers: Header that can be exposed to browser JavaScript apps. This is an optional parameter.
    • max_age_seconds: Time for which the browser caches object request results, in seconds. This is an optional parameter.
    • server_side_encryption_configuration: Bucket's server-side encryption configuration. This is an optional parameter.

    For more information about the resources you can create with Terraform, see this provider reference.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If you described the configuration correctly, the terminal will display a list of the resources being created and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the resources.

    This will create all the resources you need in the specified folder. You can check the new resources and their settings using the management console.

To manage CORS configurations for buckets, use the update REST API method for the Bucket resource, the BucketService/Update gRPC API call, or the upload S3 API method.

Previous
Managing object lifecycles
Next
Configuring access permissions using IAM