Linode Object Storage as origin and restrict access to the bucket to ONLY Akamai

akamai object-storage acl restrict-access

linode-ssn 11 months, 3 weeks ago

I would like to use Linode Object Storage as origin and restrict access to the bucket to ONLY Akamai.

Anybody know how this could be done?

5 Replies

hdiep 11 months, 3 weeks ago Linode Staff

I'm not too familiar with the type of setup you're attempting to achieve, but when I searched online using Object Storage as an origin, I came across an article that mentions that it is used for streaming purposes. If that's the case, then it's possible to set that up using our Object Storages. I was able to find this video that discusses what you'll need to get started:

OpenStack: Use Case Object Storage with Streaming Video - YouTube

restrict access to the bucket to ONLY Akamai.

You may want to utilize CORS policies to set this up. CORS defines how clients and servers from different domains may share resources. Generally, CORS policies restrict access to resources to requests from the same domain. By managing your CORS policies, you can open up services to requests from specified origin domains, or from any domain whatsoever. I've provided a guide below that explains what CORS is and how to manage your policies:

Working with CORS Policies on Linode Object Storage | Linode Docs

You could also achieve granular control over your buckets by using bucket policies. Bucket policies are a mechanism for managing permissions and access to Object Storage and offer more g granular permissions beyond the read and write access you can grant to a user. You can learn more about this in the following guides:

I hope these resources point you in the right direction, and I wish you the best of luck!

linode-ssn 11 months, 2 weeks ago

hdiep,

Thank you for the information.

I tried using both a bucket policy and a cors policy without success.

Even with both applied (and verified via s3cmd info ), I could still access files from the bucket:
https://ssn-linode.us-east-1.linodeobjects.com/test.txt

When they should only be able to be access from Akamai:
http://linode-ssn.akamaized.net/test.txt

CORS policy applied:

<corsconfiguration>
<corsrule>
<allowedheader>Authorization</allowedheader></corsrule></corsconfiguration>

<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>HEAD</AllowedMethod>

<AllowedOrigin>http://akamaized.net</AllowedOrigin>
<AllowedOrigin>http://*.akamaized.net</AllowedOrigin>
<AllowedOrigin>https://akamaized.net</AllowedOrigin>
<AllowedOrigin>https://*.akamaized.net</AllowedOrigin>

<ExposeHeader>Access-Control-Allow-Origin</ExposeHeader>

<MaxAgeSeconds>3000</MaxAgeSeconds>

<corsrule>
<allowedheader>Authorization</allowedheader>
<allowedheader>Origin</allowedheader>
<allowedheader>Content-*</allowedheader></corsrule>

<AllowedMethod>PUT</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
<AllowedMethod>DELETE</AllowedMethod>

<AllowedOrigin>http://akamaized.net</AllowedOrigin>
<AllowedOrigin>http://*.akamaized.net</AllowedOrigin>
<AllowedOrigin>https://akamaized.net</AllowedOrigin>
<AllowedOrigin>https://*.akamaized.net</AllowedOrigin>

<ExposeHeader>ETag</ExposeHeader>

<MaxAgeSeconds>3000</MaxAgeSeconds>

Bucket Policy Applied:

{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::ssn-linode/.*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"23.32.0.0/11",
"23.192.0.0/11",
"2.16.0.0/13",
"104.64.0.0/10",
"184.24.0.0/13",
"23.0.0.0/12",
"95.100.0.0/15",
"92.122.0.0/15",
"172.224.0.0/13",
"184.50.0.0/15",
"88.221.0.0/16",
"23.64.0.0/14",
"72.246.0.0/15",
"96.16.0.0/15",
"96.6.0.0/15",
"69.192.0.0/16",
"23.72.0.0/13",
"173.222.0.0/15",
"118.214.0.0/16",
"184.84.0.0/14",
"2a02:26f0::/32",
"2600:1400::/24",
"2405:9600::/32"
]
}
}
}
]
}

Tushar900 11 months, 2 weeks ago

<corsconfiguration>
<corsrule>
<allowedheader>Authorization</allowedheader></corsrule></corsconfiguration>

<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>HEAD</AllowedMethod>

<AllowedOrigin>http://akamaized.net</AllowedOrigin>
<AllowedOrigin>http://*.akamaized.net</AllowedOrigin>
<AllowedOrigin>https://akamaized.net</AllowedOrigin>
<AllowedOrigin>https://*.akamaized.net</AllowedOrigin>

<ExposeHeader>Access-Control-Allow-Origin</ExposeHeader>

<MaxAgeSeconds>3000</MaxAgeSeconds>

<corsrule>
<allowedmethod>PUT</allowedmethod>
<allowedmethod>POST</allowedmethod>
<allowedmethod>DELETE</allowedmethod></corsrule>

<AllowedOrigin>http://akamaized.net</AllowedOrigin>
<AllowedOrigin>http://*.akamaized.net</AllowedOrigin>
<AllowedOrigin>https://akamaized.net</AllowedOrigin>
<AllowedOrigin>https://*.akamaized.net</AllowedOrigin>

<ExposeHeader>ETag</ExposeHeader>

<MaxAgeSeconds>3000</MaxAgeSeconds>

Tushar900 11 months, 2 weeks ago

Can you try the above policy

Nanda 10 months, 1 week ago

Why don't you check NirvaShare https://www.linode.com/marketplace/apps/nirvashare/nirvashare/

Reply

Description

Please enter an answer

Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Compute

Storage

Databases

Networking

Developer Tools

Delivery

Security

Services

Industries

Pricing

Community

Engage With Us

Linode Object Storage as origin and restrict access to the bucket to ONLY Akamai

5 Replies

Reply

Tips: