Updated on 2023-10-27 GMT+08:00

Granting IAM User Groups the Specified Permissions for All OBS Resources

Scenario

This topic describes how to grant multiple IAM users or user groups specified permissions for all OBS resources.

Recommended Configuration

IAM custom policies

Configuration Precautions

After the configuration is complete, you can perform allowed operations using APIs or SDKs. However, if you log in to OBS Console or OBS Browser+ to perform those operations, an error is reported indicating that you do not have required permissions.

This is because when you log in to OBS Console or OBS Browser+, APIs (such as ListAllMyBuckets and ListBucket) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access to OBS Console or OBS Browser+ is denied or your operation is not allowed.

To allow IAM users to operate buckets and objects on OBS Console or OBS Browser+, add at least the obs:bucket:ListAllMyBuckets and obs:bucket:ListBucket permissions to the custom policy.

Procedure

  1. Log in to Huawei Cloud and click Console in the upper right corner.
  2. On the console, hover your cursor over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.
  3. In the navigation pane, choose Permissions > Policies/Roles > Create Custom Policy.
  4. Configure parameters for a custom policy.

    Figure 1 Configuring a custom policy
    Table 1 Parameters for configuring a custom policy

    Parameter

    Description

    Policy Name

    Name of the custom policy

    Policy View

    Set this parameter based on your own habits. Visual editor is used here.

    Policy Content

    • Select Allow.
    • Select Object Storage Service (OBS).
    • Select the actions to be authorized.

      For details about operations and permissions supported by OBS, see Bucket-Related Actions and Object-Related Actions.

    • Select All for resources.

    Scope

    The default value is Global services.

  5. Click OK. The custom policy is created.
  6. Create a user group and assign permissions.

    Add the created custom policy to the user group by following the instructions in the IAM document.

  7. Add the IAM user you want to authorize to the created user group by referring to Adding Users to or Removing Users from a User Group.

    Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.