Allowing public access
Sometimes data is meant to be shared. Buckets might hold open data sets for academic and private research or image repositories that are used by web applications and content delivery networks. Make these buckets accessible using the Public Access group.
There are three IAM roles that can be used for public access to a bucket: Administrator, ContentReader, and ObjectReader. The difference between them is that Administrator and ContentReader can list the objects in a bucket, which is useful for applications that require ease of listing (for example, a web UI) in addition to reading objects. For more information, see the IAM reference documentation.
Using the console to set public access
First, make sure that you have a bucket. If not, follow the getting started tutorial to become familiar with the console.
Enable public access
- From the IBM Cloud console dashboard, select Storage to view your resource list.
- Next, select the service instance with your bucket from within the Storage menu. This takes you to the Object Storage Console.
- Choose the bucket that you want to be publicly accessible. Keep in mind this policy makes all objects in a bucket available to download for anyone with the appropriate URL.
- Select Access policies from the navigation menu.
- Select the Public access tab.
- Click Create access policy. After you read the warning, choose Enable.
- Now all objects in this bucket are publicly accessible!
Disable public access
- From anywhere in the IBM Cloud console, select the Manage menu, and then Access (IAM).
- Select Access groups from the navigation menu.
- Select Public Access to see a list of all public access policies currently in use.
- Find the policy that corresponds to the bucket you want to return to enforced access control.
- From the list of actions on the far right of the policy entry, choose Remove.
- Confirm the dialog box, and the policy is now removed from the bucket.
Allowing public access on individual objects
To make an object publicly accessible through the REST API, an x-amz-acl: public-read header can be included in the request. Setting this header bypasses any IAM policy checks and allows unauthenticated HEAD and GET requests. For more information about endpoints, see Endpoints and storage locations.
Additionally, HMAC credentials make it possible to allow temporary public access that uses pre-signed URLs.
Upload a public object
curl -X "PUT" "https://{endpoint}/{bucket-name}/{object-name}" \
-H "x-amz-acl: public-read" \
-H "Authorization: Bearer {token}" \
-H "Content-Type: text/plain; charset=utf-8" \
-d "{object-contents}"
Allow public access to an existing object
Using the query parameter ?acl without a payload and the x-amz-acl: public-read header allows public access to the object without needing to overwrite the data.
curl -X "PUT" "https://{endpoint}/{bucket-name}/{object-name}?acl" \
-H "x-amz-acl: public-read" \
-H "Authorization: Bearer {token}"
Make a public object private again
Using the query parameter ?acl without a payload and an empty x-amz-acl: header revokes public access to the object without needing to overwrite the data.
curl -X "PUT" "https://{endpoint}/{bucket-name}/{object-name}?acl" \
-H "Authorization: Bearer {token}" \
-H "x-amz-acl:"
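To confirm the effect of the requests above, the following added example (not part of the original documentation) sends an unauthenticated HEAD request to each object and reports which ones are readable without credentials. It assumes that a public object answers 200 and a private one answers 401 or 403, and that object keys are URL-safe; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit which objects answer an anonymous HEAD request.
# Assumptions: 200 = publicly readable, 401/403 = access is enforced.
# Usage: audit_objects {endpoint} {bucket-name} key1 key2 ...

# http_status URL -> prints the HTTP status of a HEAD sent with no credentials.
http_status() {
    curl -s -o /dev/null -I -w '%{http_code}' --max-time 10 "$1"
}

# classify CODE -> public | private | unknown(CODE)
classify() {
    case "$1" in
        200)     echo public ;;
        401|403) echo private ;;
        *)       echo "unknown($1)" ;;   # e.g. 000 when the request failed
    esac
}

# audit_objects ENDPOINT BUCKET KEY...
# Prints "<state> <key>" for every key and returns 1 if any key is public,
# so the function can gate a pipeline step after a revocation.
audit_objects() {
    endpoint=$1
    bucket=$2
    shift 2
    rc=0
    for key in "$@"; do
        # No Authorization header is sent: this is what an outsider would see.
        state=$(classify "$(http_status "https://$endpoint/$bucket/$key")")
        echo "$state $key"
        if [ "$state" = public ]; then
            rc=1
        fi
    done
    return $rc
}
```

Run it after making an object private again: a non-zero return code means at least one of the listed keys is still readable without a token.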
Static websites
While IBM Cloud Object Storage doesn't support automatic static website hosting, it's possible to manually configure a web server and use it to serve publicly accessible content hosted in a bucket. For more information, see the overview of static website options.