NavigationContentFooter
Jump toSuggest an edit

Setting CORS rules on Object Storage buckets

Reviewed on 17 June 2024Published on 19 May 2021

The CORS standard describes new HTTP headers that provide browsers a way to request remote URLs only when they have permission. Although some validation and authorization can be performed by the server, it is generally the browser’s responsibility to support these headers and honor the restrictions they impose.

Before CORS became standardized, it was not possible to call an API endpoint or other content under different domains for security reasons. This was (and to some degree still is) blocked by the Same-Origin Policy introduced with Netscape Navigator 2.0 in 1995.

An example of a cross-origin request: The frontend JavaScript code for a web application served from http://webapplication.com uses XMLHttpRequest to make a request for http://customerapi.io/data.json. Another example might be JavaScript that calls files in an Object Storage bucket, like web fonts, downloads, etc. It is possible to configure CORS for each bucket with the AWS CLI.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • Installed the AWS CLI
  • An Object Storage bucket

Setting CORS on an Object Storage bucket

  1. Enter the Object Storage section in the left menu of the console.

  2. Select the bucket you want to configure.

  3. The CORS configuration must be provided in a JSON file. Create a new file called cors.json locally, open it in a text editor and copy the content below into the file before saving it.

    {
      "CORSRules": [
        {
          "AllowedOrigins": ["http://MY_DOMAIN_NAME", "http://www.MY_DOMAIN_NAME"],
          "AllowedHeaders": ["*"],
          "AllowedMethods": ["GET", "HEAD", "POST", "PUT", "DELETE"],
          "MaxAgeSeconds": 3000,
          "ExposeHeaders": ["Etag"]
        }
      ]
    }
    Note

    Replace http://MY_DOMAIN_NAME with the domain name to authorize for CORS. You can specify multiple domain names, or put an asterisk (*) to allow all domains.

  4. Run the command below to set the CORS configuration of the bucket with AWS CLI. Do not forget to replace BUCKETNAME with the name of the bucket.

    aws s3api put-bucket-cors --bucket BUCKETNAME --cors-configuration file://cors.json

Getting the CORS configuration of a bucket

To retrieve the CORS rules of a bucket, use the AWS CLI:

aws s3api get-bucket-cors --bucket BUCKETNAME

If CORS rules are set for the bucket, the API returns a JSON list like this example:

{
  "CORSRules": [
      {
          "AllowedHeaders": [
              "*"
          ],
          "AllowedMethods": [
              "GET",
              "HEAD",
              "POST",
              "PUT",
              "DELETE"
          ],
          "AllowedOrigins": [
              "http://MY_DOMAIN_NAME",
              "http://www.MY_DOMAIN_NAME"
          ],
          "ExposeHeaders": [
              "Etag"
          ],
          "MaxAgeSeconds": 3000
      }
  ]
}

If there are no CORS rules set for the bucket, an error message appears:

An error occurred (NoSuchCORSConfiguration) when calling the GetBucketCors operation: The CORS configuration does not exist

Verifying the CORS configuration of a bucket

To verify the CORS rules of a bucket, use curl with the desired methods (GET, POST, etc.), for example:

curl -X OPTIONS -H 'Origin: http://MY_DOMAIN_NAME' http://BUCKETNAME.s3.nl-ams.scw.cloud/index.html -H "Access-Control-Request-Method: GET"

Deleting the CORS configuration of a bucket

To delete the CORS rules of a bucket, use the AWS CLI:

aws s3api delete-bucket-cors --bucket BUCKETNAME

If the operation is successful, no output is returned.

API DocsScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCareers
© 2023-2024 – Scaleway