Access Restriction via IAM

Last update: 2025-05-19 10:34:39

This guide outlines how to configure access restrictions for specific accounts, ensuring they can only access storage bucket content from approved IP addresses. Access attempts from non-approved IP addresses are denied, protecting your content from unauthorized use.

Prerequisites

  • IAM (Identity and Access Management) controls what each sub-account may do with your storage. A sub-account authenticates with an AccessKey / AccessKey Secret pair, so such a pair must exist before a policy can take effect.
  • Before applying a policy, make sure the sub-account you intend to restrict has at least one active AccessKey pair.
  • IAM policies govern only direct access to your storage bucket (console, API, and signed URL requests). CDN back-to-origin requests are not affected, so this restriction does not limit content that is served through a CDN domain.

For further details on IAM operations, please refer to the IAM documentation.

Example Scenario

Restrict Access for a Sub-Account by IP Address

Suppose you need to restrict the sub-account “alvin” so it can access Object Storage only through the IP address “27.148.104.22”. Follow these steps:

  1. Sign in to the CDNetworks console. Go to IAM > Permissions > Policies, then click Add Policy to create a new permission policy.

  2. Select Visualized, choose Object Storage (wos) under Non-CDN Product Services, and click Next.

  3. Choose Allow, All Actions, and All Resources. IAM denies by default, so a sub-account with no matching Allow has no access at all; the condition added in the next step narrows this Allow to requests that arrive from the approved address.

  4. Set a restriction condition so that the Allow applies only to the approved address:

    • Select SourceIp as the keyword
    • Choose StringEquals as the condition (an Allow conditioned on StringNotEquals would do the opposite and grant access from every address except the approved one)
    • Enter the permitted IP address “27.148.104.22” in the provided space
  5. Name your policy and continue by clicking Next.

  6. Assign the policy to the “alvin” account and click Finish to complete the setup.

Verifying IAM Configuration

Verify Through Console Access

Log in to the console with the sub-account “alvin” from an IP address other than 27.148.104.22. If the policy is in effect, no buckets are listed and the console shows the message “There is no corresponding access rights”. Then repeat the login from 27.148.104.22 and confirm that the buckets are visible: a policy that also blocks the approved address is misconfigured, most often because the address entered is not the public address the requests actually arrive from (for example when the client sits behind NAT or a proxy).

Verify by File URL Access

Copy a signed file URL from your storage bucket. From a non-approved IP address, request it and print only the HTTP status code (the command discards the response body):

curl -sS -o /dev/null -w '%{http_code}\n' "http://test20240103.s3-cn-east-7.wcsapi.com/IMG_3413.jpeg?Signature=%AHYRGqm0WL%2FZc%3D&AWSAccessKeyId=Cis17pTPsW2rwYdxaUZ7RZpxype&Expires=14611"

A 403 Forbidden response from the non-approved address indicates that the IAM policy is being enforced. Note, however, that a 403 is also what an expired or malformed signature returns: the sample URL above carries Expires=14611, a timestamp in 1970, so it would be rejected from any address. Use a freshly generated URL, confirm that it returns 200 from the approved address 27.148.104.22, and only then treat the 403 from other addresses as evidence that the restriction works.
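The following shell helper is an added example and is not part of the CDNetworks documentation or tooling. It wraps the curl check above so that a 403 is not mistaken for a working restriction when the presigned URL has simply expired: it parses the Expires timestamp from the URL, refuses to test an already-expired URL, and interprets the status code according to whether the test is run from the approved address or from elsewhere. The URL constant is the one shown in the verification step; the function and variable names are the example's own.

```sh
#!/bin/sh
# Added example (not CDNetworks code): sanity-check a presigned Object Storage
# URL before treating a 403 as proof that the IAM SourceIp restriction works.
# An expired or malformed signature also yields 403, which proves nothing.

# Sample URL copied from the page's verification step. Its Expires=14611 is a
# Unix timestamp in January 1970, so the signature is long expired.
SAMPLE_URL="http://test20240103.s3-cn-east-7.wcsapi.com/IMG_3413.jpeg?Signature=%AHYRGqm0WL%2FZc%3D&AWSAccessKeyId=Cis17pTPsW2rwYdxaUZ7RZpxype&Expires=14611"

# Print the Expires query parameter (Unix seconds) of a presigned URL, or nothing.
presigned_expires_at() {
    printf '%s\n' "$1" | sed -n 's/.*[?&]Expires=\([0-9]*\).*/\1/p'
}

# Succeed (exit 0) when the URL's Expires is missing or already in the past.
presigned_is_expired() {
    expires=$(presigned_expires_at "$1")
    if [ -z "$expires" ]; then
        return 0
    fi
    now=$(date +%s)
    [ "$expires" -le "$now" ]
}

# Map an HTTP status plus the vantage point ("approved" = testing from the
# permitted address, "other" = from any other address) to a verdict string.
interpret_status() {
    case "$1:$2" in
        200:approved) echo "ok: access from the approved IP succeeds" ;;
        403:other)    echo "ok: access from a non-approved IP is denied" ;;
        403:approved) echo "fail: denied from the approved IP (wrong IP in policy, NAT/proxy, or bad signature)" ;;
        200:other)    echo "fail: a non-approved IP still has access (check the Effect and condition operator)" ;;
        *)            echo "unexpected: HTTP $1 when testing from the $2 IP" ;;
    esac
}

# Fetch the URL, discard the body, print only the status code. Needs network.
http_status() {
    curl -sS -o /dev/null -w '%{http_code}' "$1"
}

# Full check: refuse expired URLs, otherwise fetch and interpret.
# Usage: verify_restriction "$URL" approved   (run from 27.148.104.22)
#        verify_restriction "$URL" other      (run from any other address)
verify_restriction() {
    url=$1
    vantage=$2
    if presigned_is_expired "$url"; then
        echo "refusing to test: presigned URL expired (Expires=$(presigned_expires_at "$url")); a 403 would prove nothing" >&2
        return 2
    fi
    interpret_status "$(http_status "$url")" "$vantage"
}
```

Run the check twice with the same freshly signed URL, once from the approved address with `approved` and once from elsewhere with `other`; only the pair "ok" / "ok" confirms that the SourceIp condition, rather than the signature, is what produces the 403.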
