Updated on 2024-05-31 GMT+08:00

Granting Other Accounts the Read Permission for Certain Objects

Scenario

This case describes how to grant other accounts (excluding IAM users under the account) the read permission for an object or a type of objects in an OBS bucket. For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and the Resources in It.

Recommended Configuration

You are advised to use bucket policies to grant permissions to other accounts.

Configuration Precautions

In this case, the preset template Directory read-only allows specified IAM users to perform the following actions on specified objects in a bucket:

  • ListBucket (to list objects in the bucket and obtain the bucket metadata)
  • HeadBucket (to check whether the bucket exists)
  • GetBucketLocation (to get the bucket location)
  • ListBucketVersions (to list object versions in the bucket)
  • GetObject (to obtain object content and metadata)
  • RestoreObject (to restore objects from Archive storage)
  • GetObjectAcl (to obtain the object ACL)
  • GetObjectVersion (to obtain the content and metadata of a specified object version)
  • GetObjectVersionAcl (to obtain the ACL of a specified object version)

After the configuration is complete, you can read (download) specific objects using APIs or SDKs. However, if you download an object from OBS Console or OBS Browser+, an error is reported indicating that you do not have required permissions.

This is because when you log in to OBS Console or OBS Browser+, the ListAllMyBuckets APi is called to load the bucket list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access is denied or your operation is not allowed.

Procedure

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket name you want to go to the Objects page.
  3. In the navigation pane, choose Permissions > Bucket Policy.
  4. On the Bucket Policies page, click Create.
  5. Locate the row containing Directory read-only and click Use Policy Template.
  6. Configure parameters for a bucket policy.

    Figure 1 Configuring bucket policy parameters
    Table 1 Parameter description

    Parameter

    Description

    Policy View

    Set this parameter based on your own habits. Visual editor is used here.

    Policy Name

    Enter a policy name.

    Policy Content

    • Select Allow.
    • Set Principal to Other account.
      • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
      • IAM User ID: Enter the account ID. You can obtain it from the My Credentials page of the account.
      • User Policy: Select Include specified users.
    • Parameters under Resources:
      • Resource: Select Object in bucket.
      • Object in bucket: Select Specified objects.

        For one object, enter object name.

        For a set of objects, enter object name prefix + *, * + object name suffix, or *.

      • Resource Policy: Select Include specified resources.

  7. After configuring the required parameters, click Next.
  8. Ensure all the configurations are correct and click Create.