Updated on 2022-08-16 GMT+08:00

Granting Other Accounts with the Operation Permissions for a Specified Bucket

The bucket owner (root account), or any other account or IAM user that has permission to set bucket policies, can configure bucket policies to grant bucket operation permissions to other accounts or to IAM users under other accounts.

The following example shows how to grant another account permission to access a bucket and upload objects.

To grant permissions to IAM users under other accounts, you need to configure a bucket policy and also IAM policies.

  1. Configure a bucket policy to allow IAM users to access the bucket.
  2. Configure IAM policies for the account to which the authorized IAM user belongs, to allow the IAM user to access the bucket.

Only permissions that are allowed by both the bucket policy and IAM policies can take effect.
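The rule above can be checked before a change is rolled out. The following is an added example, not code from OBS or from this guide: a simplified Python model of the two Allow statements created in the procedure, combined with the IAM side, that reports which side is missing when access is denied. The IDs are constructed placeholders, the `Allow` structure is hypothetical and is not the OBS policy syntax, and treating a statement without user IDs as covering the whole account is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Allow:
    """One Allow statement in a simplified model (not the OBS policy syntax)."""
    account_id: str
    user_ids: frozenset   # empty = account-level grant, no user IDs entered
    action: str           # "ListBucket" or "PutObject", as in the procedure
    resource: str         # "bucket" = entire bucket, "*" = all objects

def bucket_side(stmts, account_id, user_id, action, resource):
    """True if some bucket-policy statement names this principal and action."""
    return any(
        s.account_id == account_id and s.action == action
        and s.resource == resource
        # Assumption: a statement without user IDs covers the whole account.
        and (not s.user_ids or user_id in s.user_ids)
        for s in stmts
    )

def check(stmts, iam_grants, account_id, user_id, action, resource):
    """Return 'allowed' or name the side whose Allow is missing."""
    in_bucket = bucket_side(stmts, account_id, user_id, action, resource)
    in_iam = action in iam_grants.get((account_id, user_id), frozenset())
    if in_bucket and in_iam:
        return "allowed"
    missing = [name for name, ok in (("bucket policy", in_bucket),
                                     ("IAM policy", in_iam)) if not ok]
    return "denied: no Allow in " + " and ".join(missing)

# Constructed sample data: placeholder IDs, not real account or user IDs.
ACCT = "ACCOUNT_ID_B"
BUCKET_POLICY = [
    Allow(ACCT, frozenset({"USER_1", "USER_2"}), "ListBucket", "bucket"),
    Allow(ACCT, frozenset({"USER_1", "USER_2"}), "PutObject", "*"),
]
IAM_GRANTS = {  # granted by the other account's administrator (IAM side)
    (ACCT, "USER_1"): frozenset({"ListBucket", "PutObject"}),
    (ACCT, "USER_2"): frozenset({"ListBucket"}),
    (ACCT, "USER_3"): frozenset({"ListBucket", "PutObject"}),
}

if __name__ == "__main__":
    for user in ("USER_1", "USER_2", "USER_3"):
        for action, res in (("ListBucket", "bucket"), ("PutObject", "*")):
            print(user, action,
                  check(BUCKET_POLICY, IAM_GRANTS, ACCT, user, action, res))
```

USER_3 holds IAM permissions but is not named in the bucket policy, and USER_2 is named in the bucket policy but lacks the IAM permission for PutObject; both are denied, each for a different reason.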

Procedure

  1. In the bucket list, click the bucket you want to operate. The Overview page of the bucket is displayed.
  2. In the navigation pane on the left, click Permissions to go to the permission management page.
  3. Choose Bucket Policies > Custom Bucket Policies.
  4. Click Create Bucket Policy. The Create Bucket Policy dialog box is displayed.
  5. Set the following parameters to grant another account the permission to access the bucket:

    Table 1 Parameters for authorizing the permission to access a specified bucket

    | Parameter   | Value                                                             |
    |-------------|-------------------------------------------------------------------|
    | Policy Mode | Customized                                                        |
    | Effect      | Allow                                                             |
    | Principal   | Include; select Other account. Enter the account ID and user ID.  |
    | Resources   | Include; select Entire bucket.                                    |
    | Actions     | Include; ListBucket                                               |

    NOTE: The account ID and user ID can be obtained on the My Credential page of the account or user to be authorized. If you grant the permission only to an account, you do not need to enter user IDs. If you want to grant the permission to an IAM user, you need to enter both the account ID and the user ID. You can grant the permission to multiple IAM users; use commas (,) to separate the user IDs.

  6. Click OK.
  7. Click Create Bucket Policy. The Create Bucket Policy dialog box is displayed.
  8. Set the following parameters to grant another account the permission to upload objects:

    Before granting the user the permission to operate objects, ensure that the user has the permission to access the bucket.

    Table 2 Parameters for authorizing the permission to upload objects

    | Parameter   | Value                                                             |
    |-------------|-------------------------------------------------------------------|
    | Policy Mode | Customized                                                        |
    | Effect      | Allow                                                             |
    | Principal   | Include; select Other account. Enter the account ID and user ID.  |
    | Resources   | Include; select Specific resources. Resource name: *              |
    | Actions     | Include; PutObject                                                |

    NOTE: The account ID and user ID can be obtained on the My Credential page of the account or user to be authorized. If you grant the permission only to an account, you do not need to enter user IDs. If you want to grant the permission to an IAM user, you need to enter both the account ID and the user ID. You can grant the permission to multiple IAM users; use commas (,) to separate the user IDs.

  9. Click OK.