Granting an IAM User with the Operation Permissions for a Specified Bucket
Create an IAM user under an account. Before it is added to a user group, the IAM user has no permissions on any resource. The bucket owner (root account), or other accounts and IAM users who have the permission to set bucket policies, can configure bucket policies to grant bucket operation permissions to IAM users.
The following example shows how to grant an IAM user the permissions to access a bucket and upload objects to it.
Notes
In this example, the authorized IAM user can access the authorized bucket and upload objects to it through OBS Browser+, APIs, or SDKs, but cannot access the bucket and its objects on OBS Console. To allow an IAM user to access OBS Console, create a custom policy that grants the obs:bucket:ListAllMyBuckets permission for all OBS resources and add the IAM user to the user group that policy is attached to. The IAM user can then view the authorized bucket on OBS Console.
Procedure
- In the navigation pane on the left of OBS Console, choose Object Storage.
- In the bucket list, click the bucket name. The Overview page of the bucket is displayed.
- In the navigation pane on the left, choose Permissions > Bucket Policy.
- Click Create.
- In the first row of the template list, click Create Custom Policy on the right.
- Set the following parameters to grant the IAM user the permission to access the bucket (list objects in the bucket) and to upload objects to it.
Table 1 Parameters for authorizing the permission to access a bucket and upload objects to the bucket (parameter: description)
- Policy View: Visual editor
- Policy Name: Enter a custom name.
- Policy Content:
  - Effect: Allow
  - Principal:
    - Current account
    - Sub-user: Specify IAM users under the current account.
    - User Policy: Include specified users.
  - Resources:
    - Select Current bucket and Object in bucket, and then select All objects.
    - Resource Policy: Include specified resources.
  - Actions:
    - Select the ListBucket and PutObject actions.
    - Operation Strategy: Include selected actions.
    NOTE: In this example, only the object upload action (PutObject) is selected among the object-related actions. You can also select multiple actions to grant other operation permissions to the IAM user. The asterisk (*) indicates all actions. For details about the supported actions, see Actions.
- Click Next in the lower right corner to confirm the policy configuration.
- Click Create in the lower right corner of the page to create the bucket policy.
Verification
Verify the preceding permissions on OBS Browser+.
- Create access keys (AK and SK) for the authorized user on OBS Console.
- Open OBS Browser+, enter the obtained AK and SK, and set the Access Path to the name of the authorized bucket.
- If the user has not been authorized, the access request is denied.
- After the user is granted the permission to access the bucket, the user can access the bucket through OBS Browser+, and the objects in the bucket are displayed.
- Before the user is granted the permission to upload objects, upload an object to the bucket. The upload fails.
- After the user is granted the permission to upload objects, the user can upload objects to the bucket through OBS Browser+, and the uploaded objects are displayed in the object list.
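The following added example (not code from the original page or from OBS) models the bucket policy that Table 1 configures and replays the checks from the Verification section against it. The JSON shape follows the OBS bucket policy document layout (Statement, Effect, Principal, Action, Resource) as assumed here; the bucket name, the domain/user IDs and the object key are constructed placeholders, and is_allowed is a simplified model of policy evaluation (explicit Deny wins, otherwise deny by default), not the service's own logic.

```python
"""Added example: the Table 1 bucket policy as JSON plus a small evaluator
that replays the Verification section. Identifiers are placeholders."""
from fnmatch import fnmatchcase

# Constructed placeholders: replace with the real bucket name and IDs.
BUCKET = "example-bucket"
AUTHORIZED_USER = "domain/0000000000000000000000000000000a:user/1111111111111111111111111111111b"
OTHER_USER = "domain/0000000000000000000000000000000a:user/2222222222222222222222222222222c"

# Policy equivalent to Table 1: Allow the IAM user ListBucket on the bucket
# and PutObject on every object in it (Current bucket + Object in bucket, All objects).
BUCKET_POLICY = {
    "Statement": [
        {
            "Sid": "AllowListAndUpload",
            "Effect": "Allow",
            "Principal": {"ID": [AUTHORIZED_USER]},
            "Action": ["ListBucket", "PutObject"],
            "Resource": [BUCKET, f"{BUCKET}/*"],
        }
    ]
}


def _matches(patterns, value):
    """True if any pattern matches; '*' stands for everything, as in the console note."""
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, principal, action, resource):
    """Simplified evaluation (assumption, not the OBS implementation):
    an explicit Deny wins over any Allow; with no matching Allow the
    request is denied, because the IAM user starts with no permissions."""
    decision = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Principal"]["ID"], principal):
            continue
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def verification_results(policy=BUCKET_POLICY):
    """Replays the Verification checks and returns {check: allowed?}.
    The two extra checks show that nothing outside ListBucket/PutObject
    was granted."""
    obj = f"{BUCKET}/report.txt"  # constructed object key
    return {
        "unauthorized user lists bucket": is_allowed(policy, OTHER_USER, "ListBucket", BUCKET),
        "authorized user lists bucket": is_allowed(policy, AUTHORIZED_USER, "ListBucket", BUCKET),
        "authorized user uploads object": is_allowed(policy, AUTHORIZED_USER, "PutObject", obj),
        "authorized user downloads object": is_allowed(policy, AUTHORIZED_USER, "GetObject", obj),
        "authorized user deletes bucket": is_allowed(policy, AUTHORIZED_USER, "DeleteBucket", BUCKET),
    }


if __name__ == "__main__":
    for check, ok in verification_results().items():
        print(f"{check}: {'allowed' if ok else 'denied'}")
```

Running the block prints one line per check; only the ListBucket and PutObject requests from the authorized user are allowed, which is exactly what OBS Browser+ shows in the Verification steps. Adding a Deny statement for PutObject to the policy makes the upload check fail again even though the Allow is still present, which is why a policy review should look for Deny statements before reading the Allow ones.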