Linode Object Storage as origin and restrict access to the bucket to ONLY Akamai
I would like to use Linode Object Storage as origin and restrict access to the bucket to ONLY Akamai.
Anybody know how this could be done?
5 Replies
I'm not too familiar with the type of setup you're attempting to achieve, but when I searched online using Object Storage as an origin, I came across an article that mentions that it is used for streaming purposes. If that's the case, then it's possible to set that up using our Object Storages. I was able to find this video that discusses what you'll need to get started:
> restrict access to the bucket to ONLY Akamai.
You may want to utilize CORS policies to set this up. CORS defines how clients and servers from different domains may share resources. Generally, CORS policies restrict access to resources to requests from the same domain. By managing your CORS policies, you can open up services to requests from specified origin domains, or from any domain whatsoever. I've provided a guide below that explains what CORS is and how to manage your policies:
You could also achieve granular control over your buckets by using bucket policies. Bucket policies are a mechanism for managing permissions and access to Object Storage and offer more granular permissions beyond the read and write access you can grant to a user. You can learn more about this in the following guides:
- Getting Started with Object Storage | Linode Docs
- Define Access and Permissions using Bucket Policies | Linode Docs
I hope these resources point you in the right direction, and I wish you the best of luck!
hdiep,
Thank you for the information.
I tried using both a bucket policy and a CORS policy without success.
Even with both applied (and verified via s3cmd info), I could still access files from the bucket:
https://ssn-linode.us-east-1.linodeobjects.com/test.txt
When they should only be accessible from Akamai:
http://linode-ssn.akamaized.net/test.txt
CORS policy applied:
<CORSConfiguration>
  <CORSRule>
    <AllowedHeader>Authorization</AllowedHeader>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <AllowedOrigin>http://akamaized.net</AllowedOrigin>
    <AllowedOrigin>http://*.akamaized.net</AllowedOrigin>
    <AllowedOrigin>https://akamaized.net</AllowedOrigin>
    <AllowedOrigin>https://*.akamaized.net</AllowedOrigin>
    <ExposeHeader>Access-Control-Allow-Origin</ExposeHeader>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
  </CORSRule>
  <CORSRule>
    <AllowedHeader>Authorization</AllowedHeader>
    <AllowedHeader>Origin</AllowedHeader>
    <AllowedHeader>Content-*</AllowedHeader>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>DELETE</AllowedMethod>
    <AllowedOrigin>http://akamaized.net</AllowedOrigin>
    <AllowedOrigin>http://*.akamaized.net</AllowedOrigin>
    <AllowedOrigin>https://akamaized.net</AllowedOrigin>
    <AllowedOrigin>https://*.akamaized.net</AllowedOrigin>
    <ExposeHeader>ETag</ExposeHeader>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
  </CORSRule>
</CORSConfiguration>
Bucket Policy Applied:
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::ssn-linode/.*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "23.32.0.0/11",
            "23.192.0.0/11",
            "2.16.0.0/13",
            "104.64.0.0/10",
            "184.24.0.0/13",
            "23.0.0.0/12",
            "95.100.0.0/15",
            "92.122.0.0/15",
            "172.224.0.0/13",
            "184.50.0.0/15",
            "88.221.0.0/16",
            "23.64.0.0/14",
            "72.246.0.0/15",
            "96.16.0.0/15",
            "96.6.0.0/15",
            "69.192.0.0/16",
            "23.72.0.0/13",
            "173.222.0.0/15",
            "118.214.0.0/16",
            "184.84.0.0/14",
            "2a02:26f0::/32",
            "2600:1400::/24",
            "2405:9600::/32"
          ]
        }
      }
    }
  ]
}
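Added example, not part of the thread and not Linode's or Akamai's code: a small Python model of S3-style policy evaluation, showing one reason an Allow-only statement like the one posted above can leave direct requests working while a Deny with NotIpAddress blocks them. It assumes that an explicit Deny wins over Allow, that requests no statement matches fall through to the object's ACL, and that the objects are publicly readable; the two test addresses are constructed.

```python
import ipaddress

# Two CIDRs copied from the policy in the post; the rest are left out for brevity.
CDN_CIDRS = ["23.32.0.0/11", "2a02:26f0::/32"]
# Assumption: the usual S3 wildcard form for "every object in the bucket".
RESOURCE = "arn:aws:s3:::ssn-linode/*"


def statement(effect, operator):
    """Build one s3:GetObject statement conditioned on aws:SourceIp."""
    return {
        "Effect": effect,
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": RESOURCE,
        "Condition": {operator: {"aws:SourceIp": CDN_CIDRS}},
    }


ALLOW_ONLY = {"Version": "2012-10-17", "Statement": [statement("Allow", "IpAddress")]}
DENY_OTHERS = {"Version": "2012-10-17", "Statement": [statement("Deny", "NotIpAddress")]}


def condition_matches(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress, the only operators this model knows."""
    addr = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        hit = any(addr in ipaddress.ip_network(c) for c in keys["aws:SourceIp"])
        if hit != (operator == "IpAddress"):
            return False
    return True


def evaluate(policy, source_ip, acl_public_read):
    """Explicit Deny wins, then Allow; if nothing matches, the object ACL decides."""
    effects = {s["Effect"] for s in policy["Statement"]
               if condition_matches(s["Condition"], source_ip)}
    if "Deny" in effects:
        return "deny (policy)"
    if "Allow" in effects:
        return "allow (policy)"
    return "allow (acl)" if acl_public_read else "deny (default)"


if __name__ == "__main__":
    for name, policy in (("allow-only", ALLOW_ONLY), ("deny-others", DENY_OTHERS)):
        for ip in ("23.40.0.1", "203.0.113.7"):  # constructed: inside / outside the ranges
            print(name, ip, evaluate(policy, ip, acl_public_read=True))
```

CORS is left out of the model on purpose: it tells browsers which cross-origin responses scripts may read and does not stop a direct request to the bucket URL.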
Why don't you check NirvaShare? https://www.linode.com/marketplace/apps/nirvashare/nirvashare/