Granting Other Accounts Permissions to Operate a Specific Bucket

The bucket owner (root account) or other accounts and IAM users, who have the permission to set bucket policies, can configure bucket policies to grant the bucket operation permissions to other accounts or IAM users under other accounts.

The following is an example about how to grant other accounts bucket access and object upload permissions.

To grant permissions to IAM users under other accounts, you need to configure both bucket policies and IAM policies.

Configure a bucket policy to allow IAM users to access the bucket.
Configure IAM policies for the account where authorized IAM users belong, to allow the IAM users to access the bucket.

Only permissions that are allowed by both the bucket policy and IAM policies can take effect.

Procedure

In the bucket list, click the bucket you want to operate. The Overview page is displayed.
In the navigation pane, choose Permissions.
Choose Bucket Policies > Custom Bucket Policies.
Click Create Bucket Policy. The Create Bucket Policy dialog box is displayed.

Configure the parameters listed in the table below to grant other accounts bucket access permission.

**Table 1** Parameters for granting bucket access permission
Parameter	Value
Policy Mode	Customized
Effect	Allow
Principal	Include Select Other account. Enter the account ID and user ID. NOTE: The account ID and user ID can be obtained on the My Credential page of the account or user to be authorized. If you grant the permission only to the account itself, IAM user IDs are not required. If you grant the permission to one or more IAM users under the account, configure both the account ID and IAM user IDs. Use commas (,) to separate multiple IAM user IDs.
Resources	Include Leave it blank.
Actions	Include ListBucket

Click OK.
Click Create Bucket Policy. The Create Bucket Policy dialog box is displayed.

Configure the parameters listed in the table below to grant other accounts the object upload permission:

Before granting this permission to a user, ensure that the user has the permission to access the bucket.

**Table 2** Parameters for granting permission to upload objects
Parameter	Value
Policy Mode	Customized
Effect	Allow
Principal	Include Select Other account. Enter the account ID and user ID. NOTE: The account ID and user ID can be obtained on the My Credential page of the account or user to be authorized. If you grant the permission only to the account itself, IAM user IDs are not required. If you grant the permission to one or more IAM users under the account, configure both the account ID and IAM user IDs. Use commas (,) to separate multiple IAM user IDs.
Resources	Include Resource name: *
Actions	Include PutObject

Click OK.

Verification

Verify the preceding permissions on OBS Browser.

Obtain the AK and SK for the authorized IAM user from OBS Console.
Open OBS Browser, enter the obtained AK and SK, and set the Access Path to the name of the authorized bucket.

Figure 1 Adding a new account - OBS
Access requests from unauthorized users are denied.
After being granted the permission to access the bucket, the user can access the bucket on OBS Browser, with objects in the bucket properly displayed.
Upload an object to the bucket. The upload fails. Click in the upper right corner of the page. On the task management page displayed, you can see the task status is Failed and the failure reason is Access denied.
After being granted the permission to upload objects, the user can upload objects to the bucket on OBS Browser, with the uploaded objects properly displayed in the object list.