Updated on 2024-05-31 GMT+08:00

Granting an IAM User the Read Permission for Specific Objects

Scenario

This topic describes how to grant an IAM user the read permission for an object or a set of objects in an OBS bucket.

Recommended Configuration

You are advised to use bucket policies to grant resource-level permissions to an IAM user.

Configuration Precautions

In this case, the preset template Directory read-only allows specified IAM users to perform the following actions on specified objects in a bucket:

  • ListBucket (to list objects in the bucket and obtain the bucket metadata)
  • HeadBucket (to check whether the bucket exists)
  • GetBucketLocation (to get the bucket location)
  • ListBucketVersions (to list object versions in the bucket)
  • GetObject (to obtain object content and metadata)
  • RestoreObject (to restore objects from Archive storage)
  • GetObjectAcl (to obtain the object ACL)
  • GetObjectVersion (to obtain the content and metadata of a specified object version)
  • GetObjectVersionAcl (to obtain the ACL of a specified object version)

After the configuration is complete, you can read (download) specific objects using APIs or SDKs. However, if you download an object from OBS Console or OBS Browser+, an error is reported indicating that you do not have required permissions.

This is because when you log in to OBS Console or OBS Browser+, the ListAllMyBuckets API is called to load the bucket list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access is denied or your operation is not allowed.

If you want an IAM user to perform read operations on OBS Console or OBS Browser+, configure custom IAM policies by referring to Follow-up Procedure.

Procedure

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket name you want to go to the Objects page.
  3. In the navigation pane, choose Permissions > Bucket Policy.
  4. On the Bucket Policies page, click Create.
  5. Locate the row containing Directory read-only and click Use Policy Template.
  6. Configure parameters for a bucket policy.

    Figure 1 Configuring bucket policy parameters
    Table 1 Parameter description

    Parameter

    Description

    Policy View

    Set this parameter based on your own habits. Visual editor is used here.

    Policy Name

    Enter a policy name.

    Policy Content

    • Select Allow.
    • Parameters under Principal:
      • Principal: Select Current account.
      • Sub-user: Select one or more IAM users to whom you want to grant permissions.
      • User Policy: Select Include specified users.
    • Parameters under Resources:
      • Resource: Select both Current bucket and Object in bucket.
      • Object in bucket: Select Specified objects.

        For one object, enter object name.

        For a set of objects, enter object name prefix + *, * + object name suffix, or *.

      • Resource Policy: Select Include specified resources.
    • Parameters under Actions:
      • Use the default nine actions in the template.

      To configure other permissions, select the corresponding actions. For details about the actions supported by OBS, see Action/NotAction.

      • Operation Strategy: Select Include selected.

  7. After configuring the required parameters, click Next.
  8. Ensure all the configurations are correct and click Create.

Follow-up Procedure

To perform read operations on OBS Console or OBS Browser+, you must add the obs:bucket:ListAllMyBuckets (for listing buckets) and obs:bucket:ListBucket (for listing objects in a bucket) permissions to the custom IAM policy.

obs:bucket:ListAllMyBuckets applies to all resources, while obs:bucket:ListBucket applies to the authorized bucket only. Therefore, you need to add two permissions to the policy.

  1. Log in to Huawei Cloud and click Console in the upper right corner.
  2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management. The IAM console is displayed.
  3. In the navigation pane, choose Policies.
  4. Click Create Custom Policy in the upper right corner.
  5. Configure parameters for a custom policy.

    Table 2 Parameters for configuring a custom policy

    Parameter

    Description

    Policy Name

    Enter a policy name.

    Policy View

    Set this parameter based on your own habits. Visual editor is used here.

    Policy Content

    [Permission 1]

    • Select Allow.
    • Select Object Storage Service (OBS).
    • Select obs:bucket:ListAllMyBuckets from the actions.
    • Select All for resources.

    [Permission 2]

    • Select Allow.
    • Select Object Storage Service (OBS).
    • Select obs:bucket:ListBucket from the actions.
    • For Resources, select Specific, and for bucket, select Specify resource path, and click Add Resource Path. Enter the bucket name in the Path text box, indicating that the policy takes effect only for this bucket.

    Scope

    The default value is Global services.

  6. Click OK. The custom policy is created.
  7. Create a user group and assign permissions.

    Add the created custom policy to the user group by following the instructions in the IAM document.

  8. Add the IAM user you want to authorize to the created user group by referring to Adding Users to or Removing Users from a User Group.

    Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.