Granting an IAM User the Specified Permissions for a Bucket

Scenario

This topic describes how to grant an IAM user the permissions required to delete an OBS bucket.

If you need to configure other permissions, select the corresponding actions from the Action Name drop-down list in the bucket policy. For details, see Action/NotAction.

Recommended Configuration Method

You are advised to use bucket policies to grant resource-level permissions to an IAM user.

Configuration Precautions

After finishing the configuration, the IAM user can use APIs or SDKs to delete buckets. However, if they log in to OBS Console or OBS Browser+ to delete buckets, an error will be reported indicating that they do not have required permissions.

This is because when they log in to OBS Console or OBS Browser+, more APIs (such as ListAllMyBuckets and ListBucketVersions) will be called to load the list of buckets and versioned objects. In such case, their access or operation is not allowed.

If you want an IAM user to delete buckets on OBS Console or OBS Browser+, you need to allow the ListBucketVersions permission in the bucket policy and configure a custom IAM policy to grant the ListAllMyBuckets permission by referring to Follow-up Procedure.

Procedure

1. In the navigation pane of OBS Console, choose Buckets.
2. In the bucket list, click the bucket name you want to go to the Objects page.
3. In the navigation pane, choose Permissions > Bucket Policies.
4. On the Bucket Policies page, click Create.
5. Choose a policy configuration method you like. Visual Editor is used here.
6. Configure a bucket policy.
   Figure 1 Configuring a bucket policy
   

   Table 1 Parameters for configuring a bucket policy

   Parameter		Description
   Policy Name		Enter a policy name.
   Policy content	Effect	Select Allow.
   	Principals	Select Current account. IAM users: Select an IAM user that you want to grant permissions to.
   	Resources	Select Current bucket.
   	Actions	Choose Customize. Select the following actions: DeleteBucket (to delete a bucket) ListBucketVersions (to list object versions in the bucket) NOTE: To configure other permissions, select the corresponding actions. For details, see Action/NotAction.

7. Ensure all the configurations are correct and click Create.

Follow-up Procedure

To successfully delete buckets on OBS Console or OBS Browser+, you need to allow the obs:bucket:ListAllMyBuckets permission in the IAM policy.

1. Log in to Huawei Cloud and click Console in the upper right corner.
2. On the console, hover your cursor over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.
3. In the navigation pane, choose Permissions > Policies/Roles > Create Custom Policy.
4. Configure a custom policy.
   Figure 2 Configuring a custom policy
   

   Table 2 Parameters for configuring a custom policy

   Parameter	Description
   Policy Name	Enter a policy name.
   Policy View	Set this parameter based on your own habits. Visual editor is used here.
   Policy Content	Select Allow. Select Object Storage Service (OBS). Select obs:bucket:ListAllMyBuckets from the actions. Select All for resources.
   Scope	Use the default value Global services.

5. Click OK.
6. Create a user group and assign permissions.

   Apply the created custom policy to the user group by following the instructions in the IAM document.

7. Add the IAM user you want to authorize to the created user group by referring to Adding Users to or Removing Users from a User Group.
   

   Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.