Granting Other Accounts the Read/Write Permission for a Bucket

Scenario

This topic describes how to grant other Huawei Cloud accounts (excluding the IAM users under them) the read/write permission for OBS buckets. For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and the Resources in It.

Recommended Configuration

Use bucket policies to grant permissions to other accounts.

Precautions

In this case, the preset template Bucket Read/Write allows other accounts to perform all actions excluding the following ones on a bucket and the objects in it:

• DeleteBucket (to delete a bucket)
• PutBucketPolicy (to configure a bucket policy)
• PutBucketAcl (to configure a bucket ACL)

After the configuration is complete, the authorized account can perform read and write operations (upload, download, or delete all objects in a bucket) by using APIs or SDKs or by adding external buckets through OBS Browser+. Currently, access to buckets of other accounts is not allowed on OBS Console.

When you use OBS Browser+ to access the added external bucket, a message may still be displayed indicating that you do not have required permissions.

Error cause: The loading on the OBS Browser+ bucket details page invokes some other OBS APIs. However, such operations are not allowed by the read and write permissions. Therefore, a message "Access denied. Check the response permission" or "This operation is not allowed on the requested resource" is displayed, however, existing permissions are not affected.

Procedure

1. In the navigation pane of OBS Console, choose Buckets.
2. In the bucket list, click the bucket name you want to go to the Objects page.
3. In the navigation pane, choose Permissions > Bucket Policies.
4. On the Bucket Policies page, click Create.
5. Configure a bucket policy.
   Figure 1 Configuring a bucket policy
   

   Table 1 Parameters for configuring a bucket policy

   Parameter	Description
   Policy view	Select Visual Editor or JSON based on your own habits. Visual Editor is used here.
   Policy Name	Enter a policy name.
   Effect	Select Allow.
   Principal	Select Other accounts. Enter the account ID and IAM user ID in the format of Account ID/IAM user ID. To specify multiple IAM users, enter each one on a separate line. An asterisk (*) indicates all accounts or IAM users. NOTE: The account ID and IAM user ID can be obtained on the My Credentials page. The following describes different authorization scenarios: Granting permissions to all accounts and IAM users: Enter */*. Granting permissions to an account and all IAM users under the account: Enter Account ID/*. Granting permissions to a specific IAM user under an account: Enter Account ID/IAM user ID. Delegated accounts: Enter the ID of a delegating account and an agency name. NOTE: The format is Account ID/Agency name. To specify multiple agencies, enter each one on a separate line. You can specify one or more common accounts or delegated accounts. Either of the two types of accounts must be specified.
   Resources	Select Entire bucket (including the objects in it).
   Actions	Choose Use a template. Select Bucket Read/Write.
   Advanced Settings > Exclude (Optional)	Specified actions (selected by default)

6. Confirm and click Create.

Verification

In cross-account authorization scenarios, authorized users can access the buckets and objects via APIs or SDKs, or by adding external buckets through OBS Browser+.