Creating an IAM Agency
To use some OBS features, such as cross-region replication and logging, you need to use IAM agencies to grant required permissions to OBS for processing your data.
Creating an Agency for Cross-Region Replication
- In the Create Cross-Region Replication Rule dialog box on OBS Console, click View IAM agencies to jump to the Agencies page on the Identity and Access Management console.
- Click Create Agency to create an agency.
- Enter an agency name.
- Select Cloud service for the Agency Type.
- Select Object Storage Service (OBS) as the cloud service.
- Set a validity period.
- Click Next.
- In the Scope area, select Global service project.
- In the Permissions area, search for and select OBS Administrator and click OK.
- (Optional) If Replicate KMS encrypted objects is selected, the IAM agency also needs the KMS Administrator permissions in the regions where the source and destination buckets reside.
- Go to the Agencies page on the Identity and Access Management console and click the name of the agency created in the previous step.
- On the Agency Permissions tab page, click Assign Permissions.
- In the Scope area, select Region-specific projects and select the projects in the regions where the source and destination buckets reside.
- In the Permissions area, search for and select KMS Administrator, and click OK.
Creating an Agency for Uploading Logs
- In the Logging dialog box, click Create Agency to jump to the Agencies page on the Identity and Access Management console.
- Click Create Agency to create an agency.
- Enter an agency name.
- Select Cloud service for the Agency Type.
- Select Object Storage Service (OBS) as the cloud service.
- Set a validity period.
- Click Next.
- In the Scope area, select Global service project.
- In the Permissions area, search for and select the custom policy that has the permission to upload logs to the bucket, and click OK.
If no custom policy is available, create one by referring to Creating a Custom Policy.
When creating a custom policy, select Global services for Scope and select JSON for Policy View. The policy content is as follows.
When coding the policy content in an actual scenario, replace mybucketlogs with the actual bucket name:
    {
        "Version": "1.1",
        "Statement": [
            {
                "Action": [
                    "obs:object:PutObject"
                ],
                "Resource": [
                    "OBS:*:*:object:mybucketlogs/*"
                ],
                "Effect": "Allow"
            }
        ]
    }
- (Optional) If the default encryption is enabled for the log storing bucket, the IAM agency also requires the KMS Administrator permission in the region where the log storing bucket resides.
- Go to the Agencies page on the Identity and Access Management console and click the name of the agency created in the previous step.
- On the Agency Permissions tab page, click Assign Permissions.
- In the Scope area, select Region-specific projects and select the projects in the region where the log bucket resides.
- In the Permissions area, search for and select KMS Administrator, and click OK.
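A lint for the custom log-upload policy shown above, as an added example that is not part of the original documentation: it builds the policy for a given bucket and flags any Allow statement that grants more than obs:object:PutObject on that bucket, including a leftover mybucketlogs placeholder. The function names and the bucket name example-log-bucket are assumptions made for illustration.

```python
import json

LOG_ACTION = "obs:object:PutObject"  # the only action the page's policy grants


def build_log_policy(bucket):
    """Build the page's log-upload policy for one bucket (hypothetical helper)."""
    return {
        "Version": "1.1",
        "Statement": [{
            "Action": [LOG_ACTION],
            "Resource": [f"OBS:*:*:object:{bucket}/*"],
            "Effect": "Allow",
        }],
    }


def lint_log_policy(policy, bucket):
    """Return findings where the policy grants more than the page's policy does."""
    findings = []
    if policy.get("Version") != "1.1":
        findings.append(f"unexpected Version {policy.get('Version')!r}")
    for n, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen the grant
        for action in stmt.get("Action", []):
            if action != LOG_ACTION:
                findings.append(f"statement {n}: extra action {action}")
        for res in stmt.get("Resource", []):
            # Expected shape from the page: OBS:*:*:object:<bucket>/<key pattern>
            parts = res.split(":", 4)
            target = parts[4].split("/", 1)[0] if len(parts) == 5 else ""
            if len(parts) != 5 or parts[3] != "object" or target != bucket:
                findings.append(f"statement {n}: resource {res} is not limited to {bucket}")
    return findings


# Constructed sample inputs; "example-log-bucket" is a hypothetical bucket name.
GOOD = build_log_policy("example-log-bucket")
PLACEHOLDER_LEFT = build_log_policy("mybucketlogs")
TOO_BROAD = json.loads("""{"Version": "1.1", "Statement": [{"Action": ["obs:object:*"],
  "Resource": ["OBS:*:*:object:*"], "Effect": "Allow"}]}""")

if __name__ == "__main__":
    for name, pol in [("good", GOOD), ("placeholder", PLACEHOLDER_LEFT), ("broad", TOO_BROAD)]:
        print(name, lint_log_policy(pol, "example-log-bucket") or "OK")
```

Run it against the JSON you paste into the Policy View before attaching the policy to the agency.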