[Yandex Cloud documentation](../../../index.md) > [Yandex Object Storage](../../index.md) > [Step-by-step guides](../index.md) > Buckets > Managing CORS configurations

# Configuring CORS

Object Storage enables managing [CORS configurations](../../concepts/cors.md) in buckets.


{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select a folder.
  1. Navigate to **Object Storage**.
  1. Select the bucket you want to configure CORS for.
  1. In the left-hand panel, select ![image](../../../_assets/console-icons/persons-lock.svg) **Security**.
  1. Select the **CORS** tab.
  1. Click **Configure**.
  1. Fill out the form that opens. You can add, delete, and edit configuration rules.
     
     To create a rule:
     
     1. Fill out the fields as follows:
        * **Description**: Rule description in any form.
        * **Allowed Origins**: Comma-separated list of domains. Each domain is written in a separate `AllowedOrigin` field in the CORS configuration, e.g., `http://*.example.com, http://some.another.dom`.
        * **Allowed Methods**: Comma-separated list of HTTP methods allowed in the object request. Each method is written in a separate `AllowedMethod` field in the CORS configuration, e.g., `GET, PUT, HEAD, POST, DELETE`.
        * **Allowed Headers**: Comma-separated list of headers allowed in the object request. Each header is written in a separate `AllowedHeader` field in the CORS configuration, e.g., `X-Request-Id, X-Request-With`.
        * `expose_headers`: Comma-separated list of headers that can be displayed in a JavaScript app in the browser. Each header is written in a separate `ExposeHeader` field in the CORS configuration, e.g., `X-Amz-Request-Id`.
        * **MaxAgeSeconds**: Time, in seconds, for the browser to cache the result of an object request using the `OPTIONS` method.
     1. Click **Save**.
     
     You can add multiple rules at once. To add a new rule, click **Add rule** and repeat the above steps.
  
     For a detailed description of the configuration fields, see [CORS configuration for buckets](../../s3/api-ref/cors/xml-config.md).

- Yandex Cloud CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command for updating a bucket:

      ```bash
      yc storage bucket update --help
      ```

  1. Get a list of buckets in the default folder:
     
     ```bash
     yc storage bucket list
     ```
     
     Result:
     
     ```text
     +------------------+----------------------+-------------+-----------------------+---------------------+
     |       NAME       |      FOLDER ID       |  MAX SIZE   | DEFAULT STORAGE CLASS |     CREATED AT      |
     +------------------+----------------------+-------------+-----------------------+---------------------+
     | first-bucket     | b1gmit33ngp6******** | 53687091200 | STANDARD              | 2022-12-16 13:58:18 |
     +------------------+----------------------+-------------+-----------------------+---------------------+
     ```
  1. Save the name (from the `NAME` column) of the bucket to configure CORS for.
  1. Run this command:

      ```bash
      yc storage bucket update \
        --name <bucket_name> \
        --cors <CORS_parameter>='[<array_of_values>]',<CORS_parameter>='[<array_of_values>]',...
      ```

      Where:
      * `--name`: Name of the bucket to configure CORS for.
      * `--cors`: CORS parameters:
        * `allowed-methods`: List of methods. The possible values are `method-get`, `method-put`, `method-post`, `method-delete`, and `method-head`. This is a required setting.
        * `allowed-origins`: List of websites allowed to send CORS requests to the bucket. This is a required setting.
        * `allowed-headers`: List of allowed headers. This is an optional setting.
        * `expose-headers`: List of headers that can be exposed to browser JavaScript apps. This is an optional setting.
        * `max-age-seconds`: Time it takes the browser to cashe the result of an object request, in seconds. This is an optional setting.

        Parameter values are specified in quotes and square brackets. List items in values are separated by commas with no spaces, e.g., `--cors allowed-methods='[method-get,method-head]',allowed-origins='[example.com]'`.

        Permissions you specify in the command will override the current CORS settings of the bucket. To get the current permissions, use the `yc storage bucket get <bucket_name> --full` command.

        Result:

        ```text
        name: first-bucket
        folder_id: b1gmit33ngp6********
        default_storage_class: STANDARD
        versioning: VERSIONING_DISABLED
        max_size: "53687091200"
        acl: {}
        created_at: "2022-11-25T11:48:42.024638Z"
        ```

  To delete the CORS configuration, run this command:

  ```bash
  yc storage bucket update \
    --name <bucket_name> \
    --remove-cors
  ```

- AWS CLI {#aws-cli}

  To upload a configuration using the [AWS CLI](../../tools/aws-cli.md):

  1. Define the CORS object configuration in JSON format. Here is an example:

     ```json
     {
       "CORSRules": [
         {
           "AllowedHeaders": ["*"],
           "AllowedMethods": ["GET", "HEAD", "PUT", "DELETE"],
           "MaxAgeSeconds": 3000,
           "AllowedOrigins": ["*"]
         }
       ]
     }
     ```

     Once the configuration is complete, save it to a file, e.g., `cors.json`.

  1. Upload the configuration to a bucket, e.g., `shared-bucket`:

     ```bash
     aws s3api put-bucket-cors \
       --bucket shared-bucket \
       --cors-configuration file://cors.json \
       --endpoint-url=https://storage.yandexcloud.net
     ```

- Terraform {#tf}

  {% note info %}
  
  If you access Object Storage via Terraform under a [service account](../../../iam/concepts/users/service-accounts.md), [assign](../../../iam/operations/sa/assign-role-for-sa.md) to the service account the relevant [role](../../security/index.md#roles-list), e.g., `storage.admin`, for the folder you are going to create the resources in.
  
  {% endnote %}

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.

  Retrieve [static access keys](../../../iam/operations/authentication/manage-access-keys.md#create-access-key): a secret key and key ID used for Object Storage authentication.

  {% note info %}
  
  In addition to static access keys, you can use an IAM token for authentication in Object Storage. For more details, see [Creating a bucket](create.md) and the [relevant provider documentation](../../../terraform/resources/storage_object.md). 
  
  {% endnote %}


  1. In the configuration file, specify the properties of the resources you want to create:

     ```hcl
     provider "yandex" {
       cloud_id  = "<cloud_ID>"
       folder_id = "<folder_ID>"
       zone      = "<availability_zone>"
     }

     resource "yandex_iam_service_account" "sa" {
       name = "<service_account_name>"
     }

     // Assigning a role to a service account
     resource "yandex_resourcemanager_folder_iam_member" "sa-admin" {
       folder_id = "<folder_ID>"
       role      = "storage.admin"
       member    = "serviceAccount:${yandex_iam_service_account.sa.id}"
     }

     // Creating a static access key
     resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
       service_account_id = yandex_iam_service_account.sa.id
       description        = "static access key for object storage"
     }

     resource "yandex_storage_bucket" "b" {
       bucket = "s3-website-test.hashicorp.com"
       acl    = "public-read"

       access_key = yandex_iam_service_account_static_access_key.sa-static-key.access_key
       secret_key = yandex_iam_service_account_static_access_key.sa-static-key.secret_key

       cors_rule {
         allowed_headers = ["*"]
         allowed_methods = ["PUT", "POST"]
         allowed_origins = ["https://s3-website-test.hashicorp.com"]
         expose_headers  = ["ETag"]
         max_age_seconds = 3000
       }
     }
     ```

     Where:

     * `access_key`: Static access key ID.
     * `secret_key`: Secret access key value.
     * `bucket`: Bucket name. This is a required setting.
     * `acl`: ACL policy to apply. This is an optional setting.

     `CORS` parameters:
     * `allowed_headers`: Allowed headers. This is an optional setting.
     * `allowed_methods`: Allowed methods. The possible values are `GET`, `PUT`, `POST`, `DELETE` or `HEAD`. This is a required setting.
     * `allowed_origins`: Website allowed to send CORS requests to the bucket. This is a required setting.
     * `expose_headers`: Header that can be exposed to browser JavaScript apps. This is an optional setting. 
     * `max_age_seconds`: Time it takes the browser to cashe the result of an object request, in seconds. This is an optional setting.
     * `server_side_encryption_configuration`: Bucket's server-side encryption configuration. This is an optional setting.

     For more information about `yandex_storage_bucket` properties in Terraform, see [this provider guide](../../../terraform/resources/storage_bucket.md).

  1. Apply the changes:

     1. In the terminal, navigate to the configuration file directory.
     1. Make sure the configuration is correct using this command:
     
        ```bash
        terraform validate
        ```
     
        If the configuration is valid, you will get this message:
     
        ```bash
        Success! The configuration is valid.
        ```
     
     1. Run this command:
     
        ```bash
        terraform plan
        ```
     
        You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
     1. Apply the configuration changes:
     
        ```bash
        terraform apply
        ```
     
     1. Type `yes` and press **Enter** to confirm the changes.

     You can check the update using the [management console](https://console.yandex.cloud).

- API {#api}

  To manage CORS configurations for buckets, use the [update](../../api-ref/Bucket/update.md) REST API method for the [Bucket](../../api-ref/Bucket/index.md) resource, the [BucketService/Update](../../api-ref/grpc/Bucket/update.md) gRPC API call, or the [upload](../../s3/api-ref/cors/upload.md) S3 API method.

{% endlist %}