Granting Other Accounts the Read/Write Permission for a Bucket
Scenario
This topic describes how to grant other Huawei Cloud accounts (excluding the IAM users under them) the read/write permission for OBS buckets. For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and the Resources in It.
Recommended Configuration
You are advised to use bucket policies to grant permissions to other accounts.
Configuration Precautions
In this case, the preset template Bucket Read/Write allows other accounts to perform all actions excluding the following ones on a bucket and the objects in it:
- DeleteBucket (to delete a bucket)
- PutBucketPolicy (to configure a bucket policy)
- PutBucketAcl (to configure a bucket ACL)
After the configuration is complete, the authorized account can perform read and write operations (upload, download, or delete all objects in a bucket) by using APIs or SDKs or by adding external buckets through OBS Browser+. Currently, access to buckets of other accounts is not allowed on OBS Console.
When you use OBS Browser+ to access the added external bucket, a message may still be displayed indicating that you do not have required permissions.
Error cause: The loading on the OBS Browser+ bucket details page invokes some other OBS APIs. However, such operations are not allowed by the read and write permissions. Therefore, a message "Access denied. Check the response permission" or "This operation is not allowed on the requested resource" is displayed, however, existing permissions are not affected.
Procedure
- In the navigation pane of OBS Console, choose Object Storage.
- In the bucket list, click the bucket name you want to go to the Objects page.
- In the navigation pane, choose Permissions > Bucket Policy.
- On the Bucket Policies page, click Create.
- Locate the row containing Bucket read and write and click Use Policy Template.
- Configure parameters for a bucket policy.
Figure 1 Configuring bucket policy parameters
Table 1 Parameter description Parameter
Description
Policy View
Set this parameter based on your own habits. Visual editor is used here.
Policy Name
Enter a policy name.
Policy Content
- Select Allow.
- Set Principal to Other account.
- Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
- IAM User ID: Enter the account ID. You can obtain it from the My Credentials page of the account.
- User Policy: Select Include specified users.
- Parameters under Resources:
- Resource: Select both Current bucket and Object in bucket.
- Resource Policy: Select Include specified resources.
- After configuring the required parameters, click Next.
- Ensure all the configurations are correct and click Create.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.