Updated on 2024-08-15 GMT+08:00

Granting Other Accounts the Read/Write Permission for a Bucket

Scenario

This topic describes how to grant other Huawei Cloud accounts (excluding the IAM users under them) the read/write permission for OBS buckets. For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and the Resources in It.

Recommended Configuration

You are advised to use bucket policies to grant permissions to other accounts.

Configuration Precautions

In this case, the preset template Bucket Read/Write allows other accounts to perform all actions excluding the following ones on a bucket and the objects in it:

  • DeleteBucket (to delete a bucket)
  • PutBucketPolicy (to configure a bucket policy)
  • PutBucketAcl (to configure a bucket ACL)

After the configuration is complete, the authorized account can perform read and write operations (upload, download, or delete all objects in a bucket) by using APIs or SDKs or by adding external buckets through OBS Browser+. Currently, access to buckets of other accounts is not allowed on OBS Console.

When you use OBS Browser+ to access the added external bucket, a message may still be displayed indicating that you do not have required permissions.

Error cause: The loading on the OBS Browser+ bucket details page invokes some other OBS APIs. However, such operations are not allowed by the read and write permissions. Therefore, a message "Access denied. Check the response permission" or "This operation is not allowed on the requested resource" is displayed, however, existing permissions are not affected.

Procedure

  1. In the navigation pane of OBS Console, choose Buckets.
  2. In the bucket list, click the bucket name you want to go to the Objects page.
  3. In the navigation pane, choose Permissions > Bucket Policies.
  4. On the Bucket Policies page, click Create.
  5. Choose a policy configuration method you like. Visual Editor is used here.
  6. Configure parameters for a bucket policy.

    Figure 1 Configuring bucket policy parameters
    Table 1 Parameters for configuring a bucket policy

    Parameter

    Description

    Policy Name

    Enter a policy name.

    Policy content

    Effect

    Select Allow.

    Principals

    • Select Other accounts.
      NOTE:

      You can obtain the account ID and IAM user ID from the My Credentials page.

      Accounts should be configured in the Domain ID/IAM user ID format, with each one on a separate line.

      Account ID/* indicates that permission is granted to all IAM users under the account.

    Resources

    • Select Entire bucket (including the objects in it).

    Actions

    • Choose Use a template.
    • Select Bucket Read/Write.

    Advanced Settings > Exclude (Optional)

    • Specified actions (selected by default)

  7. Ensure all the configurations are correct and click Create.