In a VPC network, a special requirement may call for restricting or allowing COS access for one or more specific machines inside the VPC. How do we implement this?
The following walks through the actual steps.
First, create two CVM hosts in the same VPC:
CVM1: 10.5.0.6 (private IP)
CVM2: 10.5.0.12 (private IP)
Then create a bucket and open its permission management page.
Add a description.
Copy the policy. Here we want to deny GetBucket access from CVM1, the host with private IP 10.5.0.6:
{
  "Statement": [
    {
      "Action": [
        "name/cos:GetBucket"
      ],
      "Effect": "Deny",
      "Principal": {
        "qcs": [
          "qcs::cam::anyone:anyone"
        ]
      },
      "Resource": [
        "qcs::cos:ap-beijing:uid/1251956900:sunweitest-1251956900/*"
      ],
      "Condition": {
        "ip_equal": {
          "qcs:ip": [
            "10.5.0.6"
          ]
        }
      }
    }
  ],
  "version": "2.0"
}
Next, we try to access the bucket from host 10.5.0.6:
Then we access it from host 10.5.0.12:
Access succeeds.
The test behaves as expected, showing that GetBucket is successfully blocked by IP.
There is a problem here, though: private IPs are not unique, so a host with the same private IP in another VPC that sends a request would get the same effect. We therefore need to add a VPC instance restriction.
With the VPC instance restriction added, the policy is as follows:
{
  "Principal": {
    "qcs": [
      "qcs::cam::anyone:anyone"
    ]
  },
  "Effect": "Allow",
  "Action": [
    "name/cos:GetBucket"
  ],
  "Resource": [
    "qcs::cos:ap-beijing:uid/1251956900:sunweitest-1251956900/*"
  ],
  "Condition": {
    "string_equal_if_exist": {
      "vpc:vpc": [
        "vpc-31qrmn1e"
      ],
      "vpc:accepter_vpc": [
        "vpc-31qrmn1e"
      ],
      "vpc:requester_vpc": [
        "vpc-31qrmn1e"
      ]
    }
  }
}
We try to access the bucket from host 10.5.0.6 again:
Then from host 10.5.0.12 again:
Test OK.
The complete policy is as follows:
{
  "Statement": [
    {
      "Action": [
        "name/cos:GetBucket"
      ],
      "Effect": "Deny",
      "Principal": {
        "qcs": [
          "qcs::cam::anyone:anyone"
        ]
      },
      "Resource": [
        "qcs::cos:ap-beijing:uid/1251956900:sunweitest-1251956900/*"
      ],
      "Condition": {
        "ip_equal": {
          "qcs:ip": [
            "10.5.0.6"
          ]
        }
      }
    },
    {
      "Principal": {
        "qcs": [
          "qcs::cam::anyone:anyone"
        ]
      },
      "Effect": "Allow",
      "Action": [
        "name/cos:GetBucket"
      ],
      "Resource": [
        "qcs::cos:ap-beijing:uid/1251956900:sunweitest-1251956900/*"
      ],
      "Condition": {
        "string_equal_if_exist": {
          "vpc:vpc": [
            "vpc-31qrmn1e"
          ],
          "vpc:accepter_vpc": [
            "vpc-31qrmn1e"
          ],
          "vpc:requester_vpc": [
            "vpc-31qrmn1e"
          ]
        }
      }
    }
  ],
  "version": "2.0"
}
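As an added illustration (not code from the original post), the following Python simulates how the two statements of the complete policy above combine for a GetBucket request. It assumes the CAM rules that an explicit Deny wins over any Allow and that string_equal_if_exist passes when the context key is absent; the request contexts are constructed, and vpc-other00 is a made-up VPC id used only to stand for "some other VPC".

```python
import json

# The page's complete policy, reproduced verbatim (bucket and VPC ids are the page's).
POLICY = json.loads("""{
 "Statement": [
  {"Action": ["name/cos:GetBucket"], "Effect": "Deny",
   "Principal": {"qcs": ["qcs::cam::anyone:anyone"]},
   "Resource": ["qcs::cos:ap-beijing:uid/1251956900:sunweitest-1251956900/*"],
   "Condition": {"ip_equal": {"qcs:ip": ["10.5.0.6"]}}},
  {"Action": ["name/cos:GetBucket"], "Effect": "Allow",
   "Principal": {"qcs": ["qcs::cam::anyone:anyone"]},
   "Resource": ["qcs::cos:ap-beijing:uid/1251956900:sunweitest-1251956900/*"],
   "Condition": {"string_equal_if_exist": {
     "vpc:vpc": ["vpc-31qrmn1e"], "vpc:accepter_vpc": ["vpc-31qrmn1e"],
     "vpc:requester_vpc": ["vpc-31qrmn1e"]}}}
 ],
 "version": "2.0"}""")

def condition_matches(condition: dict, ctx: dict) -> bool:
    """ip_equal: the request IP must be listed. string_equal_if_exist: passes when
    the key is absent, otherwise the value must be listed (assumed CAM semantics)."""
    for operator, keys in condition.items():
        if operator not in ("ip_equal", "string_equal_if_exist"):
            raise ValueError(f"unsupported operator: {operator}")
        for key, allowed in keys.items():
            value = ctx.get(key)
            if value is None and operator == "string_equal_if_exist":
                continue  # an *_if_exist operator is satisfied by a missing key
            if value not in allowed:
                return False
    return True

def evaluate(policy: dict, action: str, ctx: dict) -> str:
    """'Deny' if any matching Deny statement applies (assumed CAM explicit-deny-wins),
    else 'Allow' if a matching Allow applies, else 'NoDecision' (other grants decide)."""
    decision = "NoDecision"
    for stmt in policy["Statement"]:
        if action not in stmt["Action"]:
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def decide_get_bucket(ip: str, vpc: str) -> str:
    """Constructed request context: private IP plus the three VPC keys the page uses."""
    ctx = {"qcs:ip": ip, "vpc:vpc": vpc, "vpc:accepter_vpc": vpc, "vpc:requester_vpc": vpc}
    return evaluate(POLICY, "name/cos:GetBucket", ctx)
```

Running decide_get_bucket over the two CVMs and over a same-IP host in another VPC shows which statement each request hits: only the Allow carries the VPC condition, while the Deny still keys on the IP alone.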
Note: the Shanghai campus region does not currently support this method; you need to submit a ticket to apply for whitelisting.