Configuring CORS
Object Storage enables managing CORS configurations in buckets.
- In the management console, select any folder.
- Navigate to Object Storage.
- Select the bucket you want to configure CORS for.
- In the left-hand panel, select Security.
- Select the CORS tab.
- Click Configure.
- Fill out the form that opens. You can add, delete, and edit configuration rules.

To create a rule:
- Fill out the fields as follows:
  - Description: Rule description in any form.
  - Allowed Origins: Comma-separated list of domains. Each domain is written in a separate `AllowedOrigin` field in the CORS configuration, e.g., `http://*.example.com, http://some.another.dom`.
  - Allowed Methods: Comma-separated list of HTTP methods allowed in the object request. Each method is written in a separate `AllowedMethod` field in the CORS configuration, e.g., `GET, PUT, HEAD, POST, DELETE`.
  - Allowed Headers: Comma-separated list of headers allowed in the object request. Each header is written in a separate `AllowedHeader` field in the CORS configuration, e.g., `X-Request-Id, X-Request-With`.
  - expose_headers: Comma-separated list of headers that can be displayed in a JavaScript app in the browser. Each header is written in a separate `ExposeHeader` field in the CORS configuration, e.g., `X-Amz-Request-Id`.
  - MaxAgeSeconds: Time, in seconds, for the browser to cache the result of an object request using the `OPTIONS` method.
- Click Save.
You can add multiple rules at once. To add a new rule, click Add rule and repeat the above steps.
For a detailed description of the configuration fields, see CORS configuration for buckets.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
- See the description of the CLI command for updating a bucket:

  ```bash
  yc storage bucket update --help
  ```

- Get a list of buckets in the default folder:

  ```bash
  yc storage bucket list
  ```

  Result:

  ```text
  +------------------+----------------------+-------------+-----------------------+---------------------+
  |       NAME       |      FOLDER ID       |  MAX SIZE   | DEFAULT STORAGE CLASS |     CREATED AT      |
  +------------------+----------------------+-------------+-----------------------+---------------------+
  | first-bucket     | b1gmit33ngp6******** | 53687091200 | STANDARD              | 2022-12-16 13:58:18 |
  +------------------+----------------------+-------------+-----------------------+---------------------+
  ```

- Save the name (from the `NAME` column) of the bucket to configure CORS for.
- Run this command:

  ```bash
  yc storage bucket update \
    --name <bucket_name> \
    --cors <CORS_parameter>='[<array_of_values>]',<CORS_parameter>='[<array_of_values>]',...
  ```

  Where:
  - `--name`: Name of the bucket to configure CORS for.
  - `--cors`: CORS parameters:
    - `allowed-methods`: List of methods. The possible values are `method-get`, `method-put`, `method-post`, `method-delete`, and `method-head`. This is a required setting.
    - `allowed-origins`: List of websites allowed to send CORS requests to the bucket. This is a required setting.
    - `allowed-headers`: List of allowed headers. This is an optional setting.
    - `expose-headers`: List of headers that can be exposed to browser JavaScript apps. This is an optional setting.
    - `max-age-seconds`: How long the browser may cache the result of an object request, in seconds. This is an optional setting.

  Parameter values are specified in quotes and square brackets. List items in values are separated by commas with no spaces, e.g., `--cors allowed-methods='[method-get,method-head]',allowed-origins='[example.com]'`.

  Permissions you specify in the command will override the current CORS settings of the bucket. To get the current permissions, use the `yc storage bucket get <bucket_name> --full` command.

  Result:

  ```text
  name: first-bucket
  folder_id: b1gmit33ngp6********
  default_storage_class: STANDARD
  versioning: VERSIONING_DISABLED
  max_size: "53687091200"
  acl: {}
  created_at: "2022-11-25T11:48:42.024638Z"
  ```
- To delete the CORS configuration, run this command:

  ```bash
  yc storage bucket update \
    --name <bucket_name> \
    --remove-cors
  ```
To upload a configuration using the AWS CLI:
- Define the CORS object configuration in JSON format. Here is an example:

  ```json
  {
    "CORSRules": [
      {
        "AllowedHeaders": ["*"],
        "AllowedMethods": ["GET", "HEAD", "PUT", "DELETE"],
        "MaxAgeSeconds": 3000,
        "AllowedOrigins": ["*"]
      }
    ]
  }
  ```

  Once the configuration is complete, save it to a file, e.g., `cors.json`.
- Upload the configuration to a bucket, e.g., `shared-bucket`:

  ```bash
  aws s3api put-bucket-cors \
    --bucket shared-bucket \
    --cors-configuration file://cors.json \
    --endpoint-url=https://storage.yandexcloud.net
  ```
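CORS rules only tell browsers which cross-origin requests to permit; they do not replace bucket ACLs or authentication, so a broad rule is worth catching before upload. The following added example (not part of the original documentation) audits a document in the `CORSRules` JSON format above and reports rules such as the `*` origin combined with write methods. The `audit_cors` function, its finding texts and the sample document are constructed for illustration.

```python
import json

WRITE_METHODS = {"PUT", "POST", "DELETE"}

# Constructed sample: the permissive rule from the example above plus a scoped rule.
SAMPLE = """
{
  "CORSRules": [
    {"AllowedHeaders": ["*"], "AllowedMethods": ["GET", "HEAD", "PUT", "DELETE"],
     "MaxAgeSeconds": 3000, "AllowedOrigins": ["*"]},
    {"AllowedHeaders": ["X-Request-Id"], "AllowedMethods": ["GET", "HEAD"],
     "MaxAgeSeconds": 600, "AllowedOrigins": ["https://app.example.com"]}
  ]
}
"""


def audit_cors(document):
    """Return (rule_index, finding) pairs for one CORS configuration document."""
    findings = []
    for i, rule in enumerate(json.loads(document).get("CORSRules", [])):
        origins = rule.get("AllowedOrigins", [])
        methods = {m.upper() for m in rule.get("AllowedMethods", [])}
        if not origins or not methods:
            findings.append((i, "AllowedOrigins and AllowedMethods are both required"))
        writes = sorted(methods & WRITE_METHODS)
        for origin in origins:
            if origin == "*":
                findings.append((i, "scripts from any origin may read bucket responses"))
                if writes:
                    findings.append(
                        (i, "scripts from any origin may send " + "/".join(writes)))
            elif "*" in origin:
                findings.append((i, f"wildcard origin {origin} covers every matching host"))
            if origin.startswith("http://"):
                findings.append((i, f"cleartext origin {origin}"))
        if "*" in rule.get("AllowedHeaders", []) and writes:
            findings.append((i, "all request headers allowed on write methods"))
    return findings


if __name__ == "__main__":
    for index, finding in audit_cors(SAMPLE):
        print(f"rule {index}: {finding}")
```

To audit a saved file, pass its contents, e.g., `audit_cors(open("cors.json").read())`.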
Note
If you access Object Storage via Terraform under a service account, assign to the service account the relevant role, e.g., storage.admin, for the folder you are going to create the resources in.
If you do not have Terraform yet, install it and configure the Yandex Cloud provider.
Retrieve static access keys: a secret key and key ID used for Object Storage authentication.
Note
In addition to static access keys, you can use an IAM token for authentication in Object Storage. For more details, see Creating a bucket and the relevant provider documentation.
- In the configuration file, describe the resources you want to create:

  ```hcl
  provider "yandex" {
    cloud_id  = "<cloud_ID>"
    folder_id = "<folder_ID>"
    zone      = "<availability_zone>"
    token     = "<OAuth_token>"
  }

  resource "yandex_iam_service_account" "sa" {
    name = "<service_account_name>"
  }

  // Assigning a role to a service account
  resource "yandex_resourcemanager_folder_iam_member" "sa-admin" {
    folder_id = "<folder_ID>"
    role      = "storage.admin"
    member    = "serviceAccount:${yandex_iam_service_account.sa.id}"
  }

  // Creating a static access key
  resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
    service_account_id = yandex_iam_service_account.sa.id
    description        = "static access key for object storage"
  }

  resource "yandex_storage_bucket" "b" {
    bucket     = "s3-website-test.hashicorp.com"
    acl        = "public-read"
    access_key = yandex_iam_service_account_static_access_key.sa-static-key.access_key
    secret_key = yandex_iam_service_account_static_access_key.sa-static-key.secret_key

    cors_rule {
      allowed_headers = ["*"]
      allowed_methods = ["PUT", "POST"]
      allowed_origins = ["https://s3-website-test.hashicorp.com"]
      expose_headers  = ["ETag"]
      max_age_seconds = 3000
    }
  }
  ```

  Where:
  - `access_key`: Static access key ID.
  - `secret_key`: Secret access key value.
  - `bucket`: Bucket name. This is a required setting.
  - `acl`: ACL policy to apply. This is an optional setting.

  `CORS` parameters:
  - `allowed_headers`: Allowed headers. This is an optional setting.
  - `allowed_methods`: Allowed methods. The possible values are `GET`, `PUT`, `POST`, `DELETE` or `HEAD`. This is a required setting.
  - `allowed_origins`: Website allowed to send CORS requests to the bucket. This is a required setting.
  - `expose_headers`: Header that can be exposed to browser JavaScript apps. This is an optional setting.
  - `max_age_seconds`: How long the browser may cache the result of an object request, in seconds. This is an optional setting.
  - `server_side_encryption_configuration`: Bucket's server-side encryption configuration. This is an optional setting.

  For more information about the `yandex_storage_bucket` properties in Terraform, see this provider guide.
- Apply the changes:
  - In the terminal, navigate to the configuration file directory.
  - Make sure the configuration is correct using this command:

    ```bash
    terraform validate
    ```

    If the configuration is valid, you will get this message:

    ```text
    Success! The configuration is valid.
    ```

  - Run this command:

    ```bash
    terraform plan
    ```

    You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
  - Apply the configuration changes:

    ```bash
    terraform apply
    ```

  - Type `yes` and press Enter to confirm the changes.

  You can check the update using the management console.

To manage CORS configurations for buckets, use the update REST API method for the Bucket resource, the BucketService/Update gRPC API call, or the upload S3 API method.