Create public buckets on R2

​​ Overview

Public Bucket is a feature that allows users to expose the contents of their R2 buckets directly to the Internet. By default, buckets are never publicly accessible and will always require explicit user permission to enable.

Public buckets can be set up in either one of two ways:

1. The first exposes your bucket as a custom domain under your control.
2. The second exposes your bucket as a Cloudflare-managed subdomain under https://r2.dev.

To configure firewall rules, caching, access controls, or bot management for your bucket, you must do so through a custom domain. Using a custom domain does not require enabling r2.dev.

​​ Custom domains

​​ Caching

Domain access through a custom domain allows you to use Cloudflare Cache to accelerate access to your R2 bucket.

​​ Access control

To restrict access to your custom domain’s bucket, use Cloudflare’s existing security products:

• Cloudflare Zero Trust Access: Protect buckets that should only be accessible by your teammates.
• Cloudflare WAF Token Authentication Open external link : Restrict access to documents, files, and media to selected users by providing them with an access token.

​​ Custom domains configuration

​​ Connect your bucket to a custom domain

To connect a custom domain to your bucket:

1. Go to R2 and select your bucket.
2. Go to Settings.
3. Go to Domain Access.

4. Select Connect Domain.

5. Enter the domain name you want to connect to and select Continue.

6. Review the new record that will be added to the DNS table and select Connect Domain.

Your domain is now connected. It takes a few minutes for the status to change from Initializing to Active. Refresh to review the status update. If the status has not changed, select the … next to your bucket and select Retry connection.

To view the added DNS record, select … next to the connected domain and select Manage DNS.

​​ Disable domain access

Disabling a domain will turn off public access to your bucket through that domain. Access through other domains or the managed r2.dev subdomain are unaffected. The specified domain will also remain connected to R2 until you remove it or delete the bucket.

To disable a domain:

1. In R2, select the bucket for which you want to disable custom domain access.
2. Go to Settings.
3. Scroll down to Domain Access.
4. Next to the domain you want to disable, select … and select Disable domain.

5. The badge under Access to Bucket will update to Not allowed.

​​ Remove domain

Removing a domain will remove custom domain configuration that you have set up on the dashboard. Your bucket will still be publicly accessible.

To remove a domain:

1. In R2, select the bucket for which you want to remove domain access.
2. Go to Settings.
3. Scroll down to Domain Access.
4. Select … next to the domain to disable and select Remove domain.

5. Select ‘Remove domain’ in the confirmation window. The CNAME record pointing to the domain will also be removed as part of this step. You can always add the domain again.

The domain is no longer connected to your bucket and will no longer appear in the connected domains list.

​​ Managed public buckets through r2.dev

​​ Enable managed public access for your bucket

Enabling managed public access for your bucket will make the content of your bucket available to the Internet through a Cloudflare-managed r2.dev subdomain. To enable access through r2.dev for your buckets:

1. Log in to the Cloudflare dashboard Open external link > select your account > R2.

2. In. R2, select the bucket you want to enable public access for.

3. Go to Settings.

4. In Settings, go to Bucket Access.

5. Under Bucket Access, select Allow Access.

6. You will be prompted to confirm your choice. In the confirmation dialog, type ‘allow’ to confirm and select Allow.
7. You can now access the bucket and its objects using the Public Bucket URL.

You can review if your bucket is publicly accessible by going to your bucket and checking that Public URL Access states Allowed.

​​ Disable managed public access for your bucket

Your bucket will not be exposed to the Internet as an r2.dev subdomain after you disable public access. If you have connected other domains, the bucket will remain accessible on those domains.

To disable public access for your bucket:

1. In R2, select the bucket for which you want to turn off public access.

2. Go to Settings.

3. Scroll down to Public Access.

3. Select Disallow Access.

4. In the confirmation dialog, type ‘disallow’ to confirm and select Disallow.

Your bucket and its objects can no longer be accessed using the Public Bucket URL.

​​ Configure CORS for your bucket

Currently, you have to use the S3 API PutBucketCors to configure CORS for your bucket.