Why Is the Message "Access denied" Still Appearing After OBS System Permissions Were Assigned by IAM?
Cause
System permissions such as OBS ReadOnlyAccess, OBS OperateAccess, and OBS Buckets Viewer preset in IAM only allow certain OBS operations. For example, the OBS OperateAccess permission lets you list buckets, obtain basic bucket information, obtain bucket metadata, list objects (not the objects that have been versioned), upload objects, download objects, delete objects, and obtain object ACLs. Performing each operation requires calling an OBS API.
After your account has been granted system permissions, you can call these APIs directly or through SDKs. However, when you log in to OBS Console or use OBS Browser+, more APIs are called to load the bucket list or the bucket's overview page. If your permissions do not cover those APIs, your access is denied, or you receive a message indicating that the operation is not allowed. For example, loading the bucket's overview page involves API calls to query the configuration statuses of lifecycle and CORS rules. See Figure 1. However, the preset system permissions do not cover these operations.
Solutions
The granted permissions are valid, even though operations on the console or client are restricted. You can still call the APIs directly or through SDKs.
On OBS Console or OBS Browser+ (a client), the OBS OperateAccess permission allows you to upload and download objects.
If you do not want those error messages to appear, you can configure OBS custom policies on the IAM console to grant more OBS permissions to a user group, and add the user who requires the permissions to this group.
Why Can't I List Objects on OBS Console Even If I Have Been Granted the OBS OperateAccess and OBS ReadOnlyAccess Permissions?
System policies OBS OperateAccess and OBS ReadOnlyAccess contain only obs:bucket:ListBucket (used to list objects), but do not contain obs:bucket:ListBucketVersions (used to list multiple versions of objects).
If a bucket has multiple versions of objects, IAM users may fail to list objects in the bucket through OBS Console. In this case, the IAM users need to be granted the obs:bucket:ListBucketVersions permission.
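The following added example (not part of the original documentation) checks which actions a set of policies leaves uncovered and builds the smallest Allow-only custom policy that closes the gap, for both the console errors and the object-listing failure described above. Assumptions: the sample policy is constructed, the lifecycle and CORS action names and the "Version": "1.1" document shape are not taken from this page, and Resource and Condition elements are ignored.

```python
import json
from fnmatch import fnmatchcase

# Constructed stand-in for a preset policy. obs:bucket:ListBucket is named on
# this page; the object actions and the document shape are assumptions.
PRESET_LIKE_POLICY = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": [
        "obs:bucket:ListBucket", "obs:object:GetObject", "obs:object:PutObject"]}],
}

# Actions the console needs. ListBucketVersions is named on this page; the
# lifecycle and CORS query action names are assumptions.
CONSOLE_ACTIONS = [
    "obs:bucket:ListBucket",
    "obs:bucket:ListBucketVersions",
    "obs:bucket:GetLifecycleConfiguration",
    "obs:bucket:GetBucketCORS",
]

def decision(policies, action):
    """Simplified evaluation: explicit Deny wins, then Allow, else implicit deny."""
    result = "implicit_deny"
    for policy in policies:
        for stmt in policy.get("Statement", []):
            # Action patterns may contain wildcards such as obs:bucket:*
            if any(fnmatchcase(action, p) for p in stmt.get("Action", [])):
                if stmt.get("Effect") == "Deny":
                    return "explicit_deny"
                if stmt.get("Effect") == "Allow":
                    result = "allow"
    return result

def gap_report(policies, required):
    """Group the required actions by how the current policies decide them."""
    report = {"allow": [], "implicit_deny": [], "explicit_deny": []}
    for action in required:
        report[decision(policies, action)].append(action)
    return report

def supplemental_policy(policies, required):
    """Custom policy granting only the implicitly denied actions.
    Explicitly denied actions are left out: an added Allow cannot override them."""
    gap = gap_report(policies, required)["implicit_deny"]
    if not gap:
        return None
    return {"Version": "1.1", "Statement": [{"Effect": "Allow", "Action": gap}]}

if __name__ == "__main__":
    print(json.dumps(supplemental_policy([PRESET_LIKE_POLICY], CONSOLE_ACTIONS), indent=2))
```

Actions reported under explicit_deny need the Deny statement itself changed; attaching the supplemental policy to the user group will not make them work.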