Linode Object Storage as origin and restrict access to the bucket to ONLY Akamai

I would like to use Linode Object Storage as origin and restrict access to the bucket to ONLY Akamai.

Anybody know how this could be done?

5 Replies

Linode Staff

I'm not too familiar with the type of setup you're attempting to achieve, but when I searched online using Object Storage as an origin, I came across an article that mentions that it is used for streaming purposes. If that's the case, then it's possible to set that up using our Object Storages. I was able to find this video that discusses what you'll need to get started:

> restrict access to the bucket to ONLY Akamai.

You may want to utilize CORS policies to set this up. CORS defines how clients and servers from different domains may share resources. Generally, CORS policies restrict access to resources to requests from the same domain. By managing your CORS policies, you can open up services to requests from specified origin domains, or from any domain whatsoever. I've provided a guide below that explains what CORS is and how to manage your policies:

You could also achieve granular control over your buckets by using bucket policies. Bucket policies are a mechanism for managing permissions and access to Object Storage and offer more granular permissions beyond the read and write access you can grant to a user. You can learn more about this in the following guides:

I hope these resources point you in the right direction, and I wish you the best of luck!

hdiep,

Thank you for the information.

I tried using both a bucket policy and a CORS policy without success.

Even with both applied (and verified via `s3cmd info`), I could still access files from the bucket:
https://ssn-linode.us-east-1.linodeobjects.com/test.txt

When they should only be able to be accessed from Akamai:
http://linode-ssn.akamaized.net/test.txt

CORS policy applied:

```xml
<CORSConfiguration>
  <CORSRule>
    <AllowedHeader>Authorization</AllowedHeader>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <AllowedOrigin>http://akamaized.net</AllowedOrigin>
    <AllowedOrigin>http://*.akamaized.net</AllowedOrigin>
    <AllowedOrigin>https://akamaized.net</AllowedOrigin>
    <AllowedOrigin>https://*.akamaized.net</AllowedOrigin>
    <ExposeHeader>Access-Control-Allow-Origin</ExposeHeader>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
  </CORSRule>
  <CORSRule>
    <AllowedHeader>Authorization</AllowedHeader>
    <AllowedHeader>Origin</AllowedHeader>
    <AllowedHeader>Content-*</AllowedHeader>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>DELETE</AllowedMethod>
    <AllowedOrigin>http://akamaized.net</AllowedOrigin>
    <AllowedOrigin>http://*.akamaized.net</AllowedOrigin>
    <AllowedOrigin>https://akamaized.net</AllowedOrigin>
    <AllowedOrigin>https://*.akamaized.net</AllowedOrigin>
    <ExposeHeader>ETag</ExposeHeader>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
  </CORSRule>
</CORSConfiguration>
```

Bucket Policy Applied:

```json
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "",
      "Action": [ "s3:GetObject" ],
      "Resource": "arn:aws:s3:::ssn-linode/.*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "23.32.0.0/11",
            "23.192.0.0/11",
            "2.16.0.0/13",
            "104.64.0.0/10",
            "184.24.0.0/13",
            "23.0.0.0/12",
            "95.100.0.0/15",
            "92.122.0.0/15",
            "172.224.0.0/13",
            "184.50.0.0/15",
            "88.221.0.0/16",
            "23.64.0.0/14",
            "72.246.0.0/15",
            "96.16.0.0/15",
            "96.6.0.0/15",
            "69.192.0.0/16",
            "23.72.0.0/13",
            "173.222.0.0/15",
            "118.214.0.0/16",
            "184.84.0.0/14",
            "2a02:26f0::/32",
            "2600:1400::/24",
            "2405:9600::/32"
          ]
        }
      }
    }
  ]
}
```
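Added example (not part of the original thread, and not Linode's implementation): a simplified Python model of S3-style policy evaluation. It shows why an `Allow` statement conditioned on `aws:SourceIp` does not by itself block other sources when the object is also readable through a public-read ACL, while a `Deny` with `NotIpAddress` does. CORS rules are left out because they only tell browsers which origins may read a response. The evaluation order, the `Principal` of `*`, the resource `arn:aws:s3:::ssn-linode/*` and the test address 203.0.113.10 are assumptions; the CIDRs are a subset of those posted above.

```python
import ipaddress

# Subset of the CIDRs posted in the thread; everything else here is constructed.
AKAMAI_CIDRS = ["23.32.0.0/11", "23.192.0.0/11", "2.16.0.0/13", "2a02:26f0::/32"]
RESOURCE = "arn:aws:s3:::ssn-linode/*"  # assumed resource pattern

# Shape used in the thread: grants access to the listed ranges, denies nobody.
# Principal "*" is an assumption for this model.
ALLOW_ONLY = {"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
    "Resource": RESOURCE,
    "Condition": {"IpAddress": {"aws:SourceIp": AKAMAI_CIDRS}}}]}

# Alternative shape: explicitly deny every source outside the listed ranges.
DENY_OTHERS = {"Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": ["s3:GetObject"],
    "Resource": RESOURCE,
    "Condition": {"NotIpAddress": {"aws:SourceIp": AKAMAI_CIDRS}}}]}


def in_ranges(ip, cidrs):
    """True if ip falls in any CIDR (mixed IPv4/IPv6 never match each other)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def condition_matches(cond, ip):
    """Model only the two operators that appear in this example."""
    for op, keys in cond.items():
        hit = in_ranges(ip, keys["aws:SourceIp"])
        if (op == "IpAddress" and not hit) or (op == "NotIpAddress" and hit):
            return False
    return True


def get_object_allowed(policy, ip, acl_public_read):
    """Anonymous GetObject: explicit Deny wins, then Allow, then the object ACL."""
    effects = {s["Effect"] for s in policy["Statement"]
               if condition_matches(s.get("Condition", {}), ip)}
    if "Deny" in effects:
        return False
    return "Allow" in effects or acl_public_read


if __name__ == "__main__":
    outside = "203.0.113.10"  # documentation range, stands in for a non-Akamai client
    print("allow-only + public ACL :", get_object_allowed(ALLOW_ONLY, outside, True))
    print("allow-only + private ACL:", get_object_allowed(ALLOW_ONLY, outside, False))
    print("deny-others + public ACL:", get_object_allowed(DENY_OTHERS, outside, True))
```
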

```xml
<CORSConfiguration>
  <CORSRule>
    <AllowedHeader>Authorization</AllowedHeader>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <AllowedOrigin>http://akamaized.net</AllowedOrigin>
    <AllowedOrigin>http://*.akamaized.net</AllowedOrigin>
    <AllowedOrigin>https://akamaized.net</AllowedOrigin>
    <AllowedOrigin>https://*.akamaized.net</AllowedOrigin>
    <ExposeHeader>Access-Control-Allow-Origin</ExposeHeader>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
  </CORSRule>
  <CORSRule>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>DELETE</AllowedMethod>
    <AllowedOrigin>http://akamaized.net</AllowedOrigin>
    <AllowedOrigin>http://*.akamaized.net</AllowedOrigin>
    <AllowedOrigin>https://akamaized.net</AllowedOrigin>
    <AllowedOrigin>https://*.akamaized.net</AllowedOrigin>
    <ExposeHeader>ETag</ExposeHeader>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
  </CORSRule>
</CORSConfiguration>
```


Can you try the above policy?
