Help Center> Object Storage Service> Permissions Configuration Guide> Configuration Cases in Typical Permission Control Scenarios> Granting Permissions to an IAM User Under the Current Account> Granting an IAM User the Read/Write Permission for a Bucket
Updated on 2023-10-27 GMT+08:00
View PDF

Granting an IAM User the Read/Write Permission for a Bucket

Scenario

This topic describes how to grant an IAM user the read/write permission for an OBS bucket.

Recommended Configuration

You are advised to use bucket policies to grant resource-level permissions to an IAM user.

Configuration Precautions

In this case, the preset template Bucket Read/Write allows specified IAM users to perform all actions excluding the following ones on a bucket and the objects in it:

  • DeleteBucket (to delete a bucket)
  • PutBucketPolicy (to configure a bucket policy)
  • PutBucketAcl (to configure a bucket ACL)

After the configuration is complete, read and write operations (uploading, downloading, and deleting all objects in the bucket) can be performed using APIs or SDKs. However, if you log in to OBS Console or OBS Browser+ to perform those operations, an error is reported indicating that you do not have required permissions. For details, see the error cause.

If you want an IAM user to perform read and write operations on OBS Console or OBS Browser+, configure custom IAM policies by referring to Follow-up Procedure.

After the configuration is complete, the system still displays a message indicating that you do not have the permission to access the bucket. This is normal because the console invokes other advanced configuration APIs, but you can still perform operations allowed in read/write mode.

Procedure

  1. In the navigation pane of OBS Console, choose Buckets.
  2. In the bucket list, click the bucket name you want to go to the Objects page.
  3. In the navigation pane, choose Permissions > Bucket Policies.
  4. Click Create.
  5. Choose a policy configuration method you like. Visual Editor is used here.
  6. Configure parameters for a bucket policy.

    Figure 1 Configuring a bucket policy
    Table 1 Parameters for configuring a bucket policy

    Parameter

    Description

    Policy Name

    Enter a policy name.

    Policy content

    Effect

    Select Allow.

    Principals
    • Select Current account.
    • IAM users: Select an IAM user whom you want to grant permissions to.

    Resources
    • Select Entire bucket (including the objects in it).

    Actions
    • Choose Use a template.
    • Select Bucket Read/Write.

  7. Ensure all the configurations are correct and click Create.

Follow-up Procedure

To perform read and write operations on OBS Console or OBS Browser+, you must add the obs:bucket:ListAllMyBuckets (for listing buckets) and obs:bucket:ListBucket (for listing objects in a bucket) permissions to the custom IAM policy.

obs:bucket:ListAllMyBuckets applies to all resources, while obs:bucket:ListBucket applies to the authorized bucket only. Therefore, you need to add two permissions to the policy.

  1. Log in to Huawei Cloud and click Console in the upper right corner.
  2. On the console, hover your cursor over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.
  3. In the navigation pane, choose Permissions > Policies/Roles > Create Custom Policy.
  4. Configure parameters for a custom policy.

    Figure 2 Configuring a custom policy
    Table 2 Parameters for configuring a custom policy

    Parameter

    Description

    Policy Name

    Name of the custom policy

    Policy View

    Set this parameter based on your own habits. Visual editor is used here.

    Policy Content

    [Permission 1]

    • Select Allow.
    • Select Object Storage Service (OBS).
    • Select obs:bucket:ListAllMyBuckets from the actions.
    • Select All for resources.

    [Permission 2]

    • Select Allow.
    • Select Object Storage Service (OBS).
    • Select obs:bucket:ListBucket from the actions.
    • For Resources, select Specific, and for bucket, select Specify resource path, and click Add Resource Path. Enter the bucket name in the Path text box, indicating that the policy takes effect only for this bucket.

    Scope

    The default value is Global services.

  5. Click OK. The custom policy is created.
  6. Create a user group and assign permissions.

    Add the created custom policy to the user group by following the instructions in the IAM document.

  7. Add the IAM user you want to authorize to the created user group by referring to Adding Users to or Removing Users from a User Group.

    Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.