Common Policies

OBS Full-Control Policy

This policy allows sub-users (IAM users) to perform every OBS operation on every bucket and object in the account. Because the statement has no Resource element, it is not scoped to any particular bucket. Grant it only to administrators; for everyday access, prefer one of the bucket- or directory-scoped policies below.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "OBS:*:*"
            ]
        }
    ]
}

Read-only Policy for Any Directory

This policy allows sub-users to list and download all objects in the bucket my-company. ListBucket is granted on the bucket resource and GetObject on every object under it (my-company/*), but no write or delete actions are included.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "obs:object:GetObject",
                "obs:bucket:ListBucket"
            ],
            "Resource": [
                "OBS:*:*:object:my-company/*",
                "OBS:*:*:bucket:my-company"
            ]
        }
    ]
}

Read-only Policy for a Specific Directory

This policy allows sub-users to download only the objects under the my-project/ directory of the bucket my-company. Because obs:bucket:ListBucket is a bucket-level action and is granted on the whole bucket, the names of objects in other directories remain visible in listings, but those objects cannot be downloaded.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "obs:object:GetObject",
                "obs:bucket:ListBucket"
            ],
            "Resource": [
                "OBS:*:*:object:my-company/my-project/*",
                "OBS:*:*:bucket:my-company"
            ]
        }
    ]
}

Read-Write Policy for a Specific Directory

This policy allows sub-users to list, download, upload, and delete all objects in the my-project/ directory of the bucket my-company, and to list the parts of in-progress multipart uploads there. Objects outside my-project/ can still be listed but not read, written, or deleted.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "obs:object:GetObject",
                "obs:object:ListMultipartUploadParts",
                "obs:bucket:ListBucket",
                "obs:object:DeleteObject",
                "obs:object:PutObject"
            ],
            "Resource": [
                "OBS:*:*:object:my-company/my-project/*",
                "OBS:*:*:bucket:my-company"
            ]
        }
    ]
}
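The following Python script is an added example, not code from Huawei Cloud or from this page. It is a deliberately simplified simulator for policies of the shape shown above, so you can check what a policy actually grants before attaching it. The evaluation rules it implements are assumptions (Allow/Deny with an explicit Deny winning, `*` as a wildcard for any run of characters, a missing Resource meaning all resources, case-insensitive matching); the real IAM engine has more features, such as conditions. The region and account values in the request resource strings are constructed placeholders. The script reproduces the behaviour described for the specific-directory policies (listing is bucket-wide while GetObject is confined to my-project/) and adds a lint that flags a bucket name appearing in an object resource but not in a bucket resource, or vice versa, which is how a mistyped bucket name silently removes the ListBucket grant.

```python
"""Hypothetical simulator for the OBS IAM policies shown on this page.

Added example, not Huawei Cloud's policy engine. Simplified model:
  * Effect is Allow or Deny; an explicit Deny wins; the default is deny.
  * '*' in an Action or Resource matches any run of characters, case-insensitively.
  * A statement with no "Resource" key applies to every resource.
"""
import json
import re

# Constructed copy of the page's "Read-only Policy for a Specific Directory".
READ_ONLY_MY_PROJECT = json.loads("""
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["obs:object:GetObject", "obs:bucket:ListBucket"],
            "Resource": [
                "OBS:*:*:object:my-company/my-project/*",
                "OBS:*:*:bucket:my-company"
            ]
        }
    ]
}
""")

# Constructed copy of the page's "OBS Full-Control Policy" (no Resource element).
FULL_CONTROL = {"Version": "1.1",
                "Statement": [{"Effect": "Allow", "Action": ["OBS:*:*"]}]}


def _wild_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if `policy` allows `action` on `resource` under the model above."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wild_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        resources = _as_list(stmt.get("Resource", ["*"]))   # assumption: no Resource = all
        if not any(_wild_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit deny ends evaluation
        allowed = True
    return allowed


def bucket_name_mismatches(policy: dict) -> list:
    """Bucket names that appear in only one of the bucket-level and object-level
    Resource entries. A typo in either entry shows up here instead of silently
    granting nothing (a mistyped bucket resource leaves ListBucket unusable)."""
    bucket_side, object_side = set(), set()
    for stmt in policy["Statement"]:
        for res in _as_list(stmt.get("Resource", [])):
            parts = res.split(":", 4)            # service:region:account:type:name
            if len(parts) != 5:
                continue
            kind, name = parts[3].lower(), parts[4]
            if kind == "bucket":
                bucket_side.add(name)
            elif kind == "object":
                object_side.add(name.split("/", 1)[0])   # bucket part of "bucket/key"
    return sorted(bucket_side ^ object_side)


if __name__ == "__main__":
    # Region and account below are constructed placeholders.
    inside = "OBS:cn-north-1:0123456789:object:my-company/my-project/report.csv"
    outside = "OBS:cn-north-1:0123456789:object:my-company/finance/secret.csv"
    bucket = "OBS:cn-north-1:0123456789:bucket:my-company"
    print(is_allowed(READ_ONLY_MY_PROJECT, "obs:object:GetObject", inside))    # True
    print(is_allowed(READ_ONLY_MY_PROJECT, "obs:object:GetObject", outside))   # False
    print(is_allowed(READ_ONLY_MY_PROJECT, "obs:bucket:ListBucket", bucket))   # True
    print(bucket_name_mismatches(READ_ONLY_MY_PROJECT))                        # []
```

Run the script, or import it and feed it the policy you intend to attach together with a handful of request strings that should and should not be permitted; an empty list from bucket_name_mismatches is the quickest way to catch a bucket name that is spelled differently in the object and bucket resources.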

Full-Control Policy for a Specific Bucket

This policy grants an IAM user full control of the bucket my-company and of every object in it. Because both Resource entries name that bucket, the user gets no permissions on other buckets.

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "obs:object:*",
                "obs:bucket:*"
            ],
            "Resource": [
                "OBS:*:*:bucket:my-company",
                "OBS:*:*:object:my-company/*"
            ],
            "Effect": "Allow"
        }
    ]
}

OBS Console Full-Control Policy

This policy lets sub-users perform every OBS operation on buckets through OBS Console. Assign this OBS full-control policy to the sub-users, and then also grant them the Tenant Guest policy for the global services and for each region they use, because the console reads data from other services as well as from OBS.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "OBS:*:*"
            ]
        }
    ]
}

  • When a user logs in to OBS Console, the console also reads resources of other services, such as audit information in CTS, acceleration domain names in CDN, and keys in KMS. Therefore, in addition to the OBS permissions, you need to grant the permissions for those services.
  • In this example, Tenant Guest is granted for the global service and for the CN North-Beijing1 region. CDN is a global service, so its permission must be added at the global-service level. Cloud Eye, KMS, and SMN are regional services, so the Tenant Guest permission must be added in each region where the user works.