文档

ACS-OSS-PutBucketReferer

更新时间:

模板名称

ACS-OSS-PutBucketReferer 设置存储空间防盗链

立即执行

模板描述

设置存储空间防盗链

模板类型

自动化

所有者

Alibaba Cloud

输入参数

参数名称

描述

类型

是否必填

默认值

约束

bucketName

OSS bucket 名称

String

regionId

地域ID

String

{{ ACS::RegionId }}

allowEmptyReferer

指定是否允许Referer字段为空的请求访问

String

true

refererList

保存Referer访问白名单的网址

List

[]

OOSAssumeRole

OOS扮演的RAM角色

String

""

输出参数

参数名称

描述

类型

refererInfo

Json

执行此模板需要的权限策略

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetBucketReferer",
                "oss:PutBucketReferer"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

详情

ACS-OSS-PutBucketReferer详情

模板内容

FormatVersion: OOS-2019-06-01
Description:
  en: Put the bucket referer
  zh-cn: 设置存储空间防盗链
  name-en: ACS-OSS-PutBucketReferer
  name-zh-cn: 设置存储空间防盗链
  categories:
    - security
Parameters:
  regionId:
    Type: String
    Label:
      en: RegionId
      zh-cn: 地域ID
    AssociationProperty: RegionId
    Default: '{{ ACS::RegionId }}'
  bucketName:
    Label:
      en: BucketName
      zh-cn: OSS bucket 名称
    Type: String
  allowEmptyReferer:
    Description:
      en: Specify whether to allow access to requests whose Referer field is empty
      zh-cn: 指定是否允许Referer字段为空的请求访问
    Type: String
    Default: 'true'
    AllowedValues:
      - 'true'
      - 'false'
  refererList:
    Description:
      en: for example:[http://www.aliyun.com, https://www.aliyun.com]
      zh-cn: 例如:[http://www.aliyun.com, https://www.aliyun.com]
    Label:
      en: Save Referer Access Whitelist URL
      zh-cn: 保存Referer访问白名单的网址
    Type: List
    Default: []
  OOSAssumeRole:
    Label:
      en: OOSAssumeRole
      zh-cn: OOS扮演的RAM角色
    Type: String
    Default: ''
RamRole: '{{ OOSAssumeRole }}'
Tasks:
  - Name: convertXmlParameters
    Action: 'ACS::ECS::SMCConversionConstantByJqScript'
    Description:
      en: Automatically make bucket referer configuration
      zh-cn: 自动生成存储空间防盗链规则
    Properties:
      parameter: '{{ refererList }}'
      jqScript:
        - '. [] | split("[") | join("") | split("]") | join("") | split("\"") | join("") |split(",") | map(. | .="<Referer>"+.+"</Referer>") as $item| $item | join("") as $itemList | "<RefererConfiguration><AllowEmptyReferer>{{ allowEmptyReferer }}</AllowEmptyReferer><RefererList>"+$itemList+"</RefererList>" as $refererList |$refererList'
        - .
    Outputs:
      xmlValues:
        Type: String
        ValueSelector: firstValue
  - Name: putBucketReferer
    Action: 'ACS::ExecuteAPI'
    Description:
      en: 'Enable the bucket referer'
      zh-cn: 开启存储空间防盗链
    Properties:
      Service: OSS
      API: PutBucketReferer
      Method: PUT
      URI: '?referer'
      Headers:
        Content-MD5: ""
        Content-Type: application/xml
      Parameters:
        BucketName: '{{ bucketName }}'
        RegionId: '{{ regionId }}'
      Body: '<?xml version="1.0" encoding="UTF-8"?>{{ convertXmlParameters.xmlValues }}</RefererConfiguration>'
  - Name: waitBucketRefererNoRefererList
    Action: 'ACS::WaitFor'
    Description:
      en: Wait for the bucket referer modification to complete when referer is allowed to be empty
      zh-cn: 等待存储空间防盗链允许为空时修改完成
    When:
      'Fn::Equals':
        - '{{ refererList }}'
        - []
    OnSuccess: 'ACS::END'
    Properties:
      Service: OSS
      API: GetBucketReferer
      Method: GET
      URI: '?referer'
      Headers: {}
      Parameters:
        BucketName: '{{ bucketName }}'
        RegionId: '{{ regionId }}'
      DesiredValues:
        - '{{ allowEmptyReferer }}'
      PropertySelector: '.RefererConfiguration.AllowEmptyReferer'
  - Name: waitBucketReferer
    Action: 'ACS::WaitFor'
    Description:
      en: Wait for the bucket referer modification to complete
      zh-cn: 等待存储空间防盗链修改完成
    Properties:
      Service: OSS
      API: GetBucketReferer
      Method: GET
      URI: '?referer'
      Headers: {}
      Parameters:
        BucketName: '{{ bucketName }}'
        RegionId: '{{ regionId }}'
      NotDesiredValues: '{{ refererList }}'
      PropertySelector: '.RefererConfiguration.RefererList.Referer-{{ refererList }}'
Outputs:
  refererInfo:
    Type: Json
    Value:
      bucketName: '{{ bucketName }}'
      allowEmptyReferer: '{{ allowEmptyReferer }}'
      refererList: '{{ refererList }}'