Help Center> Object Storage Service> Permissions Configuration Guide> Configuration Cases in Typical Permission Control Scenarios> Granting Permissions to All Accounts> Granting All Accounts the Read Permission for a Directory
Updated on 2023-10-27 GMT+08:00
View PDF

Granting All Accounts the Read Permission for a Directory

Scenario

If all objects in a folder need to be accessible to all accounts, you can configure a bucket policy to grant all accounts the permission to access the folder.

Configuration Precautions

In this case, the preset template Directory Read-Only allows all accounts to perform the following actions on specified directories:

  • GetObject (to obtain object content and metadata)
  • GetObjectVersion (to obtain the content and metadata of a specified object version)
  • GetObjectVersionAcl (to obtain the ACL of a specified object version)
  • GetObjectAcl (to obtain the object ACL)
  • RestoreObject (to restore objects from Archive storage)
  • HeadBucket (to check whether the bucket exists and obtain the bucket metadata)
  • GetBucketLocation (to get the bucket location)

Some bucket-related permissions (HeadBucket and GetBucketLocation) are needed in this configuration. Take care when granting such permissions. To narrow down the permission scope, see Granting All Accounts the Read Permission for Certain Objects.

Procedure

  1. In the navigation pane of OBS Console, choose Buckets.
  2. In the bucket list, click the bucket name you want to go to the Objects page.
  3. In the navigation pane, choose Permissions > Bucket Policies.
  4. On the Bucket Policies page, click Create.
  5. Choose a policy configuration method you like. Visual Editor is used here.
  6. Configure parameters for a bucket policy.

    Figure 1 Configuring a bucket policy
    Table 1 Parameters for configuring a bucket policy

    Parameter

    Description

    Policy Name

    Enter a policy name.

    Policy content

    Effect

    Select Allow.

    Principals
    • Select All accounts.

    Resources
    • Select Current bucket and Specified objects.
    • Set the resource path to folder-001/* (as an example), indicating all objects in the folder-001 folder.
      NOTE:

      You can click Add to specify multiple resource paths.

    Actions
    • Choose Use a template.
    • Select Directory Read-Only.

  7. Ensure all the configurations are correct and click Create.

Verification

After the permission is set, click an object in the folder. Its URL is displayed under Link. Share the URL over the Internet, so that all users can access or download the object through the Internet.