Updated on 2024-03-04 GMT+08:00

Granting an IAM User Permissions to Operate a Specific Bucket

Create an IAM user in an account. The IAM user has no permissions on any resource until it is added to a user group. The bucket owner (root account), or any other account or IAM user that has the permission to set bucket policies, can configure bucket policies to grant bucket operation permissions to IAM users.

The following example shows how to grant an IAM user the permissions to access a bucket and to upload objects to it.

Procedure

  1. In the bucket list, click the bucket you want to operate. The Overview page is displayed.
  2. In the navigation pane, choose Permissions.
  3. Choose Bucket Policies > Custom Bucket Policies.
  4. Click Create Bucket Policy. The Create Bucket Policy dialog box is displayed.
  5. Configure the parameters listed in the table below to grant an IAM user the permission to access the bucket (that is, to list the objects in the bucket).

    Table 1 Parameters for granting permission to access a bucket

    Parameter     Value
    -----------   ----------------------------------------------------------------------
    Policy Mode   Customized
    Effect        Allow
    Principal     Include; select Current account and select the IAM user to be authorized.
    Resources     Include; leave it blank.
    Actions       Include; ListBucket

  6. Click OK.
  7. Click Create Bucket Policy. The Create Bucket Policy dialog box is displayed.
  8. Configure the parameters listed in the table below to grant an IAM user the permission to upload objects to the bucket.

    Before granting this permission to a user, ensure that the user has the permission to access the bucket.

    Table 2 Parameters for granting permission to upload objects

    Parameter     Value
    -----------   ----------------------------------------------------------------------
    Policy Mode   Customized
    Effect        Allow
    Principal     Include; select Current account and select the IAM user to be authorized.
    Resources     Include; Resource name: *
    Actions       Include; PutObject

    NOTE:

    In this example, only the permission to upload objects is granted. You can also select other object actions to grant the corresponding permissions if needed. The asterisk (*) indicates all actions.

    For details about the supported actions, see Actions.

  9. Click OK.

Verification

Verify the preceding permissions using OBS Browser.

  1. Obtain the AK and SK for the authorized IAM user from OBS Console.
  2. Open OBS Browser, enter the obtained AK and SK, and set the Access Path to the name of the authorized bucket.

    Figure 1 Adding a new account - OBS

  3. Before the bucket access permission is granted, the user's access requests are denied.
  4. After being granted the permission to access the bucket, the user can access the bucket on OBS Browser, with objects in the bucket properly displayed.
  5. Upload an object to the bucket. The upload fails. Click in the upper right corner of the page. On the task management page displayed, you can see the task status is Failed and the failure reason is Access denied.
  6. After being granted the permission to upload objects, the user can upload objects to the bucket on OBS Browser, with the uploaded objects properly displayed in the object list.
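The following Python model replays the procedure (Tables 1 and 2) and the verification steps above so the default-deny behaviour can be checked without a console. It is an added example, not OBS code: the Statement layout (Effect, Principal, Resources, Actions) is an assumption that mirrors the console fields, not the JSON that OBS actually stores, and the bucket name, IAM user names and object key are constructed. A blank Resources value is modelled as the bucket itself (Table 1) and the Resource name * as every object key in the bucket (Table 2).

```python
"""Model of how the bucket policy built in Tables 1 and 2 is evaluated.

Added example, not OBS's own code. The statement layout is an assumption
that mirrors the console fields; OBS's stored policy JSON differs.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

BUCKET = "example-bucket"  # constructed bucket name for this walkthrough


@dataclass
class Statement:
    """One bucket policy statement, mirroring the console fields above."""
    effect: str          # "Allow" or "Deny"
    principals: set      # IAM user names; "*" means every principal
    actions: set         # e.g. {"ListBucket", "PutObject"}; "*" means all actions
    resources: set = field(default_factory=set)  # empty = the bucket itself


def _matches(st: Statement, principal: str, action: str, resource: str) -> bool:
    """True if the statement's principal, action and resource all cover the request."""
    if "*" not in st.principals and principal not in st.principals:
        return False
    if "*" not in st.actions and action not in st.actions:
        return False
    # Table 1 leaves Resources blank: the statement targets the bucket itself.
    # Table 2 uses "*", modelled here as "<bucket>/*" (every object key).
    targets = st.resources or {BUCKET}
    return any(fnmatchcase(resource, pattern) for pattern in targets)


def evaluate(policy: list, principal: str, action: str, resource: str) -> bool:
    """Default deny: allowed only if some Allow statement matches and no Deny does."""
    allowed = False
    for st in policy:
        if _matches(st, principal, action, resource):
            if st.effect == "Deny":
                return False   # an explicit Deny overrides any Allow
            allowed = True
    return allowed


def walkthrough() -> dict:
    """Replay the procedure and verification steps against the model."""
    policy: list = []
    user = "iam-user-a"            # constructed: the IAM user being authorized
    obj = f"{BUCKET}/report.txt"   # constructed object key for the upload test
    out = {}

    # Verification step 3: nothing granted yet, so listing is denied.
    out["list_before_grant"] = evaluate(policy, user, "ListBucket", BUCKET)

    # Procedure step 5 / Table 1: Allow ListBucket on the bucket itself.
    policy.append(Statement("Allow", {user}, {"ListBucket"}))
    out["list_after_table1"] = evaluate(policy, user, "ListBucket", BUCKET)
    # Verification step 5: the upload still fails with only Table 1 applied.
    out["upload_after_table1"] = evaluate(policy, user, "PutObject", obj)

    # Procedure step 8 / Table 2: Allow PutObject on every object ("*").
    policy.append(Statement("Allow", {user}, {"PutObject"}, {f"{BUCKET}/*"}))
    out["upload_after_table2"] = evaluate(policy, user, "PutObject", obj)

    # A different IAM user in the same account is still denied (default deny).
    out["other_user_list"] = evaluate(policy, "iam-user-b", "ListBucket", BUCKET)
    # Granting PutObject did not widen into other object actions.
    out["delete_after_table2"] = evaluate(policy, user, "DeleteObject", obj)
    return out


if __name__ == "__main__":
    for check, allowed in walkthrough().items():
        print(f"{check:22s} -> {'Allow' if allowed else 'Access denied'}")
```

Running the block prints one line per check; the two failing cases before the corresponding grant match the "Access denied" results seen in OBS Browser in verification steps 3 and 5, and the last two checks show why scoping Actions to exactly the operations a user needs matters.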