
Granting Other HUAWEI CLOUD Accounts with the Operation Permissions for a Specified Bucket

The bucket owner (root account), or any other account or IAM user that has the permission to set bucket policies, can configure a bucket policy to grant bucket operation permissions to other accounts or to IAM users under other accounts.

The following example shows how to grant other accounts the permissions to access a bucket and upload objects to it.

To grant permissions to IAM users under other accounts, you need to configure a bucket policy and also IAM permissions.

  1. Configure a bucket policy to allow IAM users to access the bucket.
  2. Configure IAM permissions for the account to which the authorized IAM user belongs, to allow the IAM user to access the bucket.

A permission takes effect only if it is allowed by both the bucket policy and the IAM permissions of the account to which the authorized IAM user belongs.

Procedure

  1. In the navigation pane on the left of OBS Console, choose Object Storage.
  2. In the bucket list, click a bucket name, and then the Overview page of the bucket is displayed.
  3. In the navigation pane on the left, choose Permissions > Bucket Policy.
  4. Click Create.
  5. In the first row of the template list, click Create Custom Policy on the right.
  6. Set the following parameters to grant other accounts the permissions to access the bucket (list the objects in it) and upload objects to it.

    Table 1 Parameters for authorizing the permission to access a bucket and upload objects to the bucket

    Policy View: Visual editor

    Policy Name: Enter a custom name.

    Policy Content

    Effect: Allow

    Principal:
    • Other account
    • Enter the account ID and IAM user ID.
      NOTE:

      The account ID and IAM user ID can be obtained on the My Credentials page of the account or user to be authorized. The following describes the different authorization scenarios:

      • Authorize all other accounts and their IAM users: Set both the account ID and the IAM user ID to *.
      • Authorize another account: Enter the account ID and user ID that you want to authorize.
      • Authorize an account and all IAM users under it: Enter the account ID that you want to authorize, and set the IAM user ID to *, which indicates all IAM users under the account.
      • Authorize specified IAM users under an account: Enter the account ID and the IAM user IDs that you want to authorize. You can add multiple IAM users.
    • User Policy: Include specified users.

    Resources:
    • Select Current bucket and Object in bucket, and then select All objects.
    • Resource Policy: Include specified resources.

    Actions:
    • Select the ListBucket and PutObject actions.
    • Operation Strategy: Include selected actions.
    NOTE:

    In this example, only the object upload action is selected among the object-related actions. You can also select multiple actions to grant the IAM user other operation permissions. The asterisk (*) indicates all actions.

    For details about the supported actions, see Actions.

  7. Click Next in the lower right corner to confirm the policy configuration.
  8. Click Create in the lower right corner of the page to create the bucket policy.

Verification

Verify the preceding permissions on OBS Browser+.

  1. Create access keys (AK and SK) of the authorized user on OBS Console.
  2. Open OBS Browser+, enter the obtained AK and SK, and set the Access Path to the name of the authorized bucket.
  3. Access requests from unauthorized users are denied.
  4. After the user is authorized with the permission to access the bucket, the user can access the bucket through OBS Browser+, and objects in the bucket are displayed.
  5. Upload an object to the bucket. The upload fails.
  6. After the user is authorized with the permission to upload objects, the user can upload objects to the bucket through OBS Browser+, and the uploaded objects are displayed in the object list.
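The following Python script is an added example for this guide; it is not Huawei Cloud code and not the console's real policy engine or JSON schema. It models, in simplified form, two points the page makes: the Principal scenarios of Table 1 (account ID and IAM user ID, where * means all) and the rule that a permission takes effect only when both the bucket policy and the IAM permissions allow it. It then replays the verification steps above: with no bucket policy the request is denied, granting ListBucket makes listing work while upload still fails, and granting PutObject makes upload work. The dict layout, the bucket name example-bucket, the account IDs acct-b and acct-z, the user IDs user-b1, user-b2 and user-z9, and the object key report.csv are all constructed for this example.

```python
"""Simplified model of how a cross-account bucket request is authorized.

Constructed for this guide; not Huawei Cloud's evaluation engine or policy
schema. It models the Principal scenarios of Table 1 ("*" = all) and the
rule that an operation takes effect only when BOTH the bucket policy and
the caller's IAM permissions allow it. Dict keys mirror the visual
editor's field names; the layout itself is an assumption of this example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

BUCKET = "example-bucket"          # constructed bucket name
OBJECT = f"{BUCKET}/report.csv"    # constructed object key


@dataclass(frozen=True)
class Caller:
    account_id: str   # account (domain) ID of the requester
    user_id: str      # IAM user ID of the requester


def principal_matches(principal: dict, caller: Caller) -> bool:
    """Table 1 Principal scenarios: each field is an exact ID or '*'."""
    account_ok = principal["account_id"] in ("*", caller.account_id)
    user_ok = "*" in principal["user_ids"] or caller.user_id in principal["user_ids"]
    return account_ok and user_ok


def evaluate(statements: list, caller: Caller, action: str, resource: str) -> Optional[str]:
    """Return 'Allow', 'Deny' or None when no statement matches.

    An explicit Deny wins over any Allow. A statement without a Principal
    (IAM permissions attached in the caller's own account) applies to the
    caller directly.
    """
    decision = None
    for st in statements:
        if "Principal" in st and not principal_matches(st["Principal"], caller):
            continue
        if action not in st["Actions"] and "*" not in st["Actions"]:
            continue
        if not any(fnmatchcase(resource, pattern) for pattern in st["Resources"]):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_allowed(bucket_policy: list, iam_policy: list, caller: Caller,
               action: str, resource: str) -> bool:
    """Effective permission is the intersection: both sides must Allow."""
    return (evaluate(bucket_policy, caller, action, resource) == "Allow"
            and evaluate(iam_policy, caller, action, resource) == "Allow")


def bucket_statement(account_id: str, user_ids: list, actions: list) -> dict:
    """The Allow statement the guide builds in the visual editor."""
    return {
        "Effect": "Allow",
        "Principal": {"account_id": account_id, "user_ids": list(user_ids)},
        "Resources": [BUCKET, f"{BUCKET}/*"],   # Current bucket + All objects
        "Actions": list(actions),
    }


# Constructed identities: the authorized IAM user and a colleague in acct-b.
USER_B1 = Caller("acct-b", "user-b1")
USER_B2 = Caller("acct-b", "user-b2")
# IAM side (constructed): acct-b lets its users list and upload to this bucket.
IAM_FULL = [{"Effect": "Allow", "Actions": ["ListBucket", "PutObject"],
             "Resources": [BUCKET, f"{BUCKET}/*"]}]


def walkthrough() -> dict:
    """Replay the guide's verification steps and Table 1 scenarios."""
    r = {}
    # Step 3: no bucket policy yet -> the request is denied.
    r["no_policy_list"] = is_allowed([], IAM_FULL, USER_B1, "ListBucket", BUCKET)
    # Steps 4-5: ListBucket granted; listing works, upload still fails.
    list_only = [bucket_statement("acct-b", ["user-b1"], ["ListBucket"])]
    r["list_only_list"] = is_allowed(list_only, IAM_FULL, USER_B1, "ListBucket", BUCKET)
    r["list_only_put"] = is_allowed(list_only, IAM_FULL, USER_B1, "PutObject", OBJECT)
    # Step 6: PutObject granted as well.
    full = [bucket_statement("acct-b", ["user-b1"], ["ListBucket", "PutObject"])]
    r["full_put"] = is_allowed(full, IAM_FULL, USER_B1, "PutObject", OBJECT)
    # Both must allow: the bucket policy grants PutObject but IAM does not.
    iam_list_only = [{"Effect": "Allow", "Actions": ["ListBucket"], "Resources": [BUCKET]}]
    r["iam_missing_put"] = is_allowed(full, iam_list_only, USER_B1, "PutObject", OBJECT)
    # Table 1: user-b2 is not a listed principal ...
    r["other_user"] = is_allowed(full, IAM_FULL, USER_B2, "ListBucket", BUCKET)
    # ... unless the IAM user ID is "*" (all IAM users under acct-b).
    all_users = [bucket_statement("acct-b", ["*"], ["ListBucket", "PutObject"])]
    r["all_users_other_user"] = is_allowed(all_users, IAM_FULL, USER_B2, "ListBucket", BUCKET)
    # Account ID "*" and user ID "*": any account's users match (assuming
    # the stranger's own account also grants the action on the IAM side).
    everyone = [bucket_statement("*", ["*"], ["ListBucket"])]
    r["everyone_stranger"] = is_allowed(everyone, IAM_FULL, Caller("acct-z", "user-z9"),
                                        "ListBucket", BUCKET)
    return r


if __name__ == "__main__":
    for name, allowed in walkthrough().items():
        print(f"{name:22} {'Allow' if allowed else 'Deny'}")
```

Run the script directly to print the decision for each scenario. The last scenario is the one to watch when reviewing a bucket policy: with both the account ID and the IAM user ID set to *, the statement matches a caller from any account, so the bucket is only as restricted as that caller's own IAM permissions. The explicit-Deny-wins rule is a common policy-engine convention included so the model is not allow-only; consult the OBS bucket policy reference for the real evaluation order.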