Updated on 2023-10-27 GMT+08:00

Granting IAM User Groups Basic Permissions for All OBS Resources

Scenario

This topic describes how to use the OBS-related system roles and policies preset in IAM to grant basic operation permissions for all OBS resources to multiple IAM users or user groups. The following table lists the permissions supported by preset system roles and policies.

Table 1 OBS system permissions

Role/Policy Name

Description

Type

Tenant Administrator

Users with this permission can perform all operations on all services except IAM.

System-defined role

Tenant Guest

Users with this permission can perform read-only operations on all services except IAM.

System-defined role

OBS Administrator

Users with this permission are OBS administrators and can perform any operations on all OBS resources under the account.

System-defined policy

OBS Buckets Viewer

Users with this permission can list buckets, obtain basic bucket information, and obtain bucket metadata.

System-defined role

OBS ReadOnlyAccess

Users with this permission can list buckets, obtain basic bucket information, obtain bucket metadata, and list objects (not the objects that have been versioned).

NOTE:

If a user with this permission fails to list objects on OBS Console, there may be multiple versions of objects in the bucket. In this case, you need to grant the user the obs:bucket:ListBucketVersions permission so that the user can view different versions of objects on OBS Console.

System-defined policy

OBS OperateAccess

Users with this permission can perform all OBS ReadOnlyAccess operations and perform basic object operations, such as uploading objects, downloading objects, deleting objects, and obtaining object ACLs.

NOTE:

If a user with this permission fails to list objects on OBS Console, there may be multiple versions of objects in the bucket. In this case, you need to grant the user the obs:bucket:ListBucketVersions permission so that the user can view different versions of objects on OBS Console.

System-defined policy

Recommended Configuration

IAM system roles and policies

Configuration Precautions

After a system role or policy is configured according to this case, if you log in to the system using OBS Console or OBS Browser+, a message may be displayed indicating that you do not have the permission.

Authorized permissions are valid, though operations on the console or client are restricted. You can call the APIs directly or through SDKs.

With OBS OperateAccess configured, you can upload or download objects on OBS Console or OBS Browser+.

Procedure

  1. Log in to Huawei Cloud and click Console in the upper right corner.
  2. On the console, hover your cursor over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.
  3. Create a user group and assign permissions.

    Add system roles or policies that meet the service scenario requirements to the user group by following the instructions provided in the IAM document.

  4. Add the IAM user you want to authorize to the created user group by referring to Adding Users to or Removing Users from a User Group.

    Due to data caching, it takes about 10 to 15 minutes for the configured permissions to take effect.