Introduction to IAM Policy

Identity and Access Management (IAM) provides permissions management to secure access to your HUAWEI CLOUD services and resources. An IAM policy is an authorization policy attached to users (through user groups). With IAM policies, you can manage user accounts (such as employee, system, and application accounts) and assign resource operation permissions to these accounts. For example, you can restrict a user to read-only access on a specific OBS bucket.

There are two kinds of policies: role-based access control (RBAC) policies and fine-grained policies.

  • An RBAC policy consists of permissions for an entire service. Users in a group with such a policy attached are granted all of the permissions required for accessing and managing resources of that service. RBAC policies do not support operation-specific permissions control.
  • A fine-grained policy consists of API-based permissions for operations on specific resource types. Fine-grained policies, as the name suggests, allow for more refined permissions control. For example, you can restrict a sub-user to accessing only the objects in a specific directory of an OBS bucket.

System-Defined Policies

IAM supports both system-defined and custom policies. System-defined policies contain the common permissions required to access various services and are classified into RBAC policies and fine-grained policies. System-defined policies can be attached to user groups directly but cannot be modified.

Table 1 RBAC policies related to OBS in system-defined policies

  Name                 | Description
  ---------------------|---------------------------------------------------------------------------------------------
  Tenant Administrator | Users with this permission can perform any operation on OBS resources.
  Tenant Guest         | Users with this permission can query the usage of OBS resources; in effect, they can only read OBS resources.
  OBS Buckets Viewer   | Users with this permission can list buckets, obtain basic bucket information, and obtain bucket metadata.

Table 2 Fine-grained policies related to OBS in system-defined policies

  Name               | Description
  -------------------|---------------------------------------------------------------------------------------------------------------
  OBS ReadOnlyAccess | Users with this permission can list buckets, obtain basic bucket information, obtain bucket metadata, and list objects.
                     | This is a system-defined fine-grained policy. Users with fine-grained authorization can attach it directly or use it as a template for a custom policy.
  OBS OperateAccess  | Users with this permission can perform all OBS ReadOnlyAccess operations plus basic object operations, such as uploading objects, downloading objects, deleting objects, and obtaining object ACLs.
                     | This is a system-defined fine-grained policy. Users with fine-grained authorization can attach it directly or use it as a template for a custom policy.
  OBS Administrator  | Users with this permission can perform any operation on OBS resources.

Administrators attach policies to user groups on the IAM console and add IAM users to different user groups, so that users in different groups have different permissions.

After an administrator attaches a system-defined policy to a user group, the sub-users in that group have the corresponding permissions on OBS resources. For the operations that each policy allows on OBS, see Table 3.

Because OBS is a global service deployed separately from region-specific services, a policy that grants OBS permissions must be attached in the global project, not in a regional project. A policy attached only in a regional project does not apply to OBS.

Table 3 Permissions and the allowed operations on OBS resources

  Operation                                      | Tenant Administrator | Tenant Guest | OBS Buckets Viewer | OBS Administrator
  -----------------------------------------------|----------------------|--------------|--------------------|------------------
  Listing buckets                                | Yes                  | Yes          | Yes                | Yes
  Creating a bucket                              | Yes                  | No           | No                 | Yes
  Deleting a bucket                              | Yes                  | No           | No                 | Yes
  Obtaining basic bucket information             | Yes                  | Yes          | Yes                | Yes
  Obtaining bucket metadata                      | Yes                  | Yes          | Yes                | Yes
  Obtaining monitoring statistics about buckets  | Yes                  | Yes          | No                 | Yes
  Managing bucket access permissions             | Yes                  | No           | No                 | Yes
  Managing bucket policies                       | Yes                  | No           | No                 | Yes
  Modifying bucket storage classes               | Yes                  | No           | No                 | Yes
  Listing objects                                | Yes                  | Yes          | No                 | Yes
  Listing object versions                        | Yes                  | Yes          | No                 | Yes
  Uploading files                                | Yes                  | No           | No                 | Yes
  Creating a folder                              | Yes                  | No           | No                 | Yes
  Deleting files                                 | Yes                  | No           | No                 | Yes
  Deleting folders                               | Yes                  | No           | No                 | Yes
  Downloading files                              | Yes                  | Yes          | No                 | Yes
  Deleting object versions                       | Yes                  | No           | No                 | Yes
  Downloading object versions                    | Yes                  | No           | No                 | Yes
  Modifying object storage classes               | Yes                  | No           | No                 | Yes
  Restoring files                                | Yes                  | No           | No                 | Yes
  Undoing a file deletion                        | Yes                  | No           | No                 | Yes
  Deleting fragments                             | Yes                  | No           | No                 | Yes
  Managing object access permissions             | Yes                  | No           | No                 | Yes
  Configuring object metadata                    | Yes                  | No           | No                 | Yes
  Managing versioning                            | Yes                  | No           | No                 | Yes
  Managing logging                               | Yes                  | No           | No                 | Yes
  Managing event notifications                   | Yes                  | No           | No                 | Yes
  Managing tags                                  | Yes                  | No           | No                 | Yes
  Managing lifecycle rules                       | Yes                  | No           | No                 | Yes
  Managing static website hosting                | Yes                  | No           | No                 | Yes
  Managing CORS rules                            | Yes                  | No           | No                 | Yes
  Managing URL validation                        | Yes                  | No           | No                 | Yes
  Managing domain names                          | Yes                  | No           | No                 | Yes
  Managing cross-region replication              | Yes                  | No           | No                 | Yes
  Managing image processing                      | Yes                  | No           | No                 | Yes

Custom Policies

Custom policies are created from the actions supported by cloud services. They supplement system-defined policies to implement more refined access control. You can create custom policies in the visual editor or in JSON view.

Users with the fine-grained authorization permission can write custom policies based on the OBS ReadOnlyAccess or OBS OperateAccess policy to implement refined user permission management. For details, see Custom Policies.

A policy consists of a Version and a Statement. A policy can contain multiple statements, and each statement defines an Effect, one or more Actions, one or more Resources, and optionally a Condition.

Figure 1 Policy structure

Policy Content

The following custom policy is used as an example to describe the syntax of a fine-grained policy. The first statement allows HeadBucket, ListBucket and GetBucketLocation on any bucket, but only when the request was authenticated with MFA and the user name (if present) ends with specialCharactor. The second statement allows listing all buckets, with no conditions.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "obs:bucket:HeadBucket",
                "obs:bucket:ListBucket",
                "obs:bucket:GetBucketLocation"
            ],
            "Condition": {
                "StringEndWithIfExists": {
                    "g:UserName": ["specialCharactor"]
                },
                "Bool": {
                    "g:MFAPresent": ["true"]
                }
            },
            "Resource": ["obs:*:*:bucket:*"]
        },
        {
            "Effect": "Allow",
            "Action": ["obs:bucket:ListAllMybuckets"],
            "Resource": ["*"]
        }
    ]
}
Table 4 IAM policy parameters

Version
  Policy version.
  Value:
  • 1.0: RBAC policy
  • 1.1: Fine-grained policy

Statement
  The permissions defined by the policy. Each statement is made up of the Effect, Action, Resource and (optional) Condition parameters described below.

Action
  Operations to be performed on OBS.
  Format: Service name:Resource type:Operation
  OBS has two resource types, bucket and object. The wildcard character (*) is supported and matches either resource type.
  For the lists of actions supported by OBS, see Bucket-Related Actions and Object-Related Actions.
  Example:
  • obs:bucket:ListAllMybuckets: permission to list all OBS buckets
  NOTE:
  The action obs:bucket:ListAllMybuckets applies to all OBS buckets rather than to a particular bucket, which is why the Resource in the example above is *. In the visual editor, configure this action as a separate permission and select all resources for it.

Effect
  Determines whether the operations defined in Action are allowed or denied.
  Value:
  • Allow
  • Deny
  NOTE:
  If the policies that apply to a user contain both an Allow and a Deny for the same action, the Deny takes priority.

Resource
  The resources on which the policy takes effect.
  Format: Service name:Region:Domain ID:Resource type:Resource path
  The wildcard character (*) is supported and matches any value in that position.
  Examples:
  • obs:*:*:bucket:*: any OBS bucket
  • obs:*:*:object:my-bucket/my-object/*: any object in the my-object directory of the my-bucket bucket
  NOTE:
  • The value of Resource may contain uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and the following characters: -_*./\. If a resource name contains other characters, use the wildcard character (*) for that part of the path.
  • OBS is a global service. Set Region to *.

Condition
  Conditions under which the statement takes effect.
  Format: Condition operator:{Condition key:[Value 1, Value 2]}
  Condition keys are either global keys (prefixed with g:, for example g:UserName and g:MFAPresent) or OBS-specific keys. The OBS-specific keys are the same ones used in bucket policies; when they are used in an IAM policy, they must carry the obs: prefix (for example obs:prefix). For details, see Policy Format.
  Examples:
  • "StringEndWithIfExists":{"g:UserName":["specialCharactor"]}: the statement applies to users whose names end with specialCharactor (and, because of the IfExists suffix, also when no user name is present in the request).
  • "StringLike":{"obs:prefix":["private/"]}: when listing objects in a bucket, the prefix parameter must be private/ or contain private/.
  NOTE:
  The value of Condition may contain only uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and the following characters: -,./_@#$%&. If the value you need contains other characters, use a condition operator that performs a fuzzy match, such as StringLike or StringStartWith.

  • Fine-grained permission control at the resource level is being deployed region by region. Before using this feature, ensure that the region where your bucket resides supports it.
  • To use fine-grained permission control at the Resource level, submit a service ticket to OBS.
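To make the parameter semantics above concrete, here is a small evaluator for the Version 1.1 syntax. It is an added example written for this page, not Huawei Cloud's policy engine or any OBS SDK code: it implements only the rules the page states (Deny takes priority over Allow, * wildcards in Action and Resource, the StringEndWithIfExists, StringLike, StringStartWith and Bool operators, the g:UserName, g:MFAPresent and obs:prefix keys) together with a linter for the character restrictions on Resource and Condition values. Everything else is an assumption and is marked as such in the code: a * is treated as a glob within one colon-separated segment, StringLike is modelled as a substring match because the page describes it as "private/ or contains private/", a condition whose key is absent from the request fails unless the operator has the IfExists suffix, and a request that matches no Allow is denied by default. The sample policy, bucket names, domain ID and request contexts are constructed for the example.

```python
"""Simplified evaluator for the fine-grained (Version 1.1) policy syntax on this
page.  Added example, not Huawei Cloud's policy engine: it models only the rules
the page states (explicit Deny beats Allow, '*' wildcards in Action/Resource, the
condition operators shown) plus the assumptions marked in comments."""
import fnmatch
import json
import re
from typing import Dict, List

# Constructed sample policy adapted from the page's examples: bucket metadata for
# MFA-authenticated "-ops" users, listing only under private/, reads only under
# my-bucket/my-object/, and an explicit Deny on one bucket.
SAMPLE_POLICY = json.loads("""
{"Version": "1.1", "Statement": [
  {"Effect": "Allow",
   "Action": ["obs:bucket:HeadBucket", "obs:bucket:GetBucketLocation"],
   "Condition": {"StringEndWithIfExists": {"g:UserName": ["-ops"]},
                 "Bool": {"g:MFAPresent": ["true"]}},
   "Resource": ["obs:*:*:bucket:*"]},
  {"Effect": "Allow", "Action": ["obs:bucket:ListBucket"],
   "Condition": {"StringLike": {"obs:prefix": ["private/"]}},
   "Resource": ["obs:*:*:bucket:*"]},
  {"Effect": "Allow", "Action": ["obs:object:GetObject"],
   "Resource": ["obs:*:*:object:my-bucket/my-object/*"]},
  {"Effect": "Allow", "Action": ["obs:bucket:ListAllMybuckets"], "Resource": ["*"]},
  {"Effect": "Deny", "Action": ["obs:bucket:*"],
   "Resource": ["obs:*:*:bucket:finance-archive"]}
]}
""")


def _pattern_matches(pattern: str, value: str) -> bool:
    """Match a colon-separated Action/Resource against a pattern.  Assumption:
    '*' is a glob within one segment and a bare '*' matches any value."""
    if pattern == "*":
        return True
    p, v = pattern.split(":"), value.split(":")
    return len(p) == len(v) and all(fnmatch.fnmatchcase(b, a) for a, b in zip(p, v))


def _condition_holds(op: str, key: str, expected: List[str], ctx: Dict[str, str]) -> bool:
    """One condition.  Assumption: a missing request key fails the condition
    unless the operator carries the IfExists suffix, in which case it passes."""
    if_exists = op.endswith("IfExists")
    base = op[: -len("IfExists")] if if_exists else op
    if key not in ctx:
        return if_exists
    actual = ctx[key]
    if base == "StringStartWith":
        return any(actual.startswith(e) for e in expected)
    if base == "StringEndWith":
        return any(actual.endswith(e) for e in expected)
    if base == "StringLike":
        # The page describes StringLike on obs:prefix as "private/ or contains
        # private/", so it is modelled here as a substring match (assumption).
        return any(e in actual for e in expected)
    if base == "Bool":
        return actual.lower() in {e.lower() for e in expected}
    raise ValueError(f"unsupported condition operator: {op}")


def _statement_matches(stmt, action: str, resource: str, ctx: Dict[str, str]) -> bool:
    if not any(_pattern_matches(a, action) for a in stmt["Action"]):
        return False
    if not any(_pattern_matches(r, resource) for r in stmt["Resource"]):
        return False
    return all(_condition_holds(op, k, vals, ctx)
               for op, keys in stmt.get("Condition", {}).items()
               for k, vals in keys.items())


def evaluate(policy, action: str, resource: str, ctx: Dict[str, str]) -> str:
    """Decide one request.  Explicit Deny wins over any Allow (as the page states);
    no matching Allow is a deny by default (assumption: the usual IAM rule)."""
    if policy.get("Version") != "1.1":
        raise ValueError("only Version 1.1 fine-grained policies are modelled")
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


# Character sets the page lists as accepted in Resource and Condition values.
_RESOURCE_OK = re.compile(r"^[A-Za-z0-9\-_*./\\:]*$")
_CONDITION_OK = re.compile(r"^[A-Za-z0-9\-,./_@#$%&]*$")


def lint_policy(policy) -> List[str]:
    """Flag values the page says IAM will not accept, before the policy is saved."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        for res in stmt.get("Resource", []):
            if not _RESOURCE_OK.match(res):
                findings.append(f"statement {i}: Resource {res!r}: unsupported characters, use '*'")
        for op, keys in stmt.get("Condition", {}).items():
            for key, values in keys.items():
                findings += [f"statement {i}: {op}/{key} value {v!r}: unsupported characters, "
                             "use a fuzzy operator such as StringLike"
                             for v in values if not _CONDITION_OK.match(v)]
    return findings
```

Two behaviours are worth trying with the sample: a HeadBucket on finance-archive is denied even though the first Allow statement matches it, because the Deny statement also matches and Deny takes priority; and a ListBucket request that carries no obs:prefix is denied, since the StringLike condition has no IfExists suffix and therefore requires the key. If you want ListBucket to work without a prefix as well, put it in its own statement without that condition.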

Using custom policies in enterprise projects

Users who have enabled enterprise projects and fine-grained authorization can manage the permissions of each enterprise project on the Enterprise Management console. For details, see Enterprise Project Permissions.

  • Only fine-grained policies can be set on the Enterprise Management console. If an RBAC policy is also attached to the user group on the IAM console, whether the user can list all buckets is determined by the policy configured on the Enterprise Management console.
  • A policy attached to a user group on the IAM console takes effect for all enterprise projects.
  • A policy set under Enterprise Project Management or Personnel Management on the Enterprise Management console takes effect only for the associated enterprise project.