Updated on 2022-12-21 GMT+08:00

Granting Temporary Access to OBS

Scenario

This case describes how to use temporary access keys (temporary AK/SK and security token) to access OBS in temporary authorization mode.

Assume that you want to enable an IAM user (user name: APPServer) to access the APPClient folder in bucket hi-company and apply for two different temporary access keys to distribute to APP-1 and APP-2. APP-1 can only access files in APPClient/APP-1. APP-2 can access only the files in APPClient/APP-2.

Procedure

  1. Log in to Huawei Cloud and click Console in the upper right corner.
  2. On the console, hover your cursor over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.
  3. Create an IAM user APPServer. For details, see Creating an IAM User.
  4. Create a custom policy that allows access to the APPClient folder in bucket hi-company.

    1. In the navigation pane, choose Permissions > Policies/Roles > Create Custom Policy.
    2. Configure parameters for a custom policy.

      Before configuring an IAM policy, you need to understand what permissions are required. An IAM user only has the permissions defined by the policy. In this example, user APPServer only has full permissions on objects in the APPClient folder.

      Figure 1 Configuring a custom policy

      Table 1 Parameters for configuring a custom policy

      Policy Name: Name of the custom policy.

      Policy View: Set this parameter based on your own habits. JSON is used here.

      Policy Content:

      {
          "Version": "1.1",
          "Statement": [
              {
                  "Action": [
                      "obs:object:*"
                  ],
                  "Resource": [
                      "obs:*:*:object:hi-company/APPClient/*"
                  ],
                  "Effect": "Allow"
              }
          ]
      }

      Scope: The default value is Global services.

    3. Click OK. The custom policy is created.

  5. Create a user group and assign permissions.

    Add the created custom policy to the user group by following the instructions in the IAM document.

  6. Add the IAM user (APPServer) you want to authorize to the created user group by referring to Adding Users to or Removing Users from a User Group.

    Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.

  7. The IAM user (APPServer) obtains temporary access keys (temporary AK/SK and security token) for APP-1 and APP-2.

    To obtain temporary access keys with different permissions, you need to set a temporary policy by adding the policy parameter in the request body. For details, see Obtaining a Temporary Access Key and Security Token Through a Token.

    The following are sample requests for obtaining a pair of temporary access keys. The temporary policy is the policy object under identity; everything else in the request body is the standard token-based request.

    A sample request for obtaining a pair of temporary access keys for the device app APP-1:

    {
        "auth": {
            "identity": {
                "policy": {
                    "Version": "1.1",
                    "Statement": [
                        {
                            "Action": [
                                "obs:object:*"
                            ],
                            "Resource": [
                                "obs:*:*:object:hi-company/APPClient/APP-1/*"
                            ],
                            "Effect": "Allow"
                        }
                    ]
                },
                "token": {
                    "duration-seconds": 900
                },
                "methods": [
                    "token"
                ]
            }
        }
    }

    A sample request for obtaining a pair of temporary access keys for the device app APP-2:

    {
        "auth": {
            "identity": {
                "policy": {
                    "Version": "1.1",
                    "Statement": [
                        {
                            "Action": [
                                "obs:object:*"
                            ],
                            "Resource": [
                                "obs:*:*:object:hi-company/APPClient/APP-2/*"
                            ],
                            "Effect": "Allow"
                        }
                    ]
                },
                "token": {
                    "duration-seconds": 900
                },
                "methods": [
                    "token"
                ]
            }
        }
    }

Verification

After APP-1 and APP-2 have the temporary access keys, they can access OBS through OBS APIs or SDKs. APP-1 can access only files in the APPClient/APP-1 folder, and APP-2 can access only files in the APPClient/APP-2 folder.
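The following Python script is an added example, not code from this page or from the OBS documentation. It builds the step 7 request body for a given app and checks, with a minimal policy matcher, that keys issued under that policy reach only the app's own sub-folder, which is what the verification above expects. It assumes that a temporary policy can only narrow the permissions of the IAM user it is issued to (effective access is the intersection of both policies), and the REGION and ACCOUNT values in the resource names are placeholders.

```python
import json
from fnmatch import fnmatchcase

# Values taken from the page: the bucket, the shared folder and APPServer's policy.
BUCKET = "hi-company"
FOLDER = "APPClient"
USER_POLICY = {
    "Version": "1.1",
    "Statement": [{"Action": ["obs:object:*"],
                   "Resource": [f"obs:*:*:object:{BUCKET}/{FOLDER}/*"],
                   "Effect": "Allow"}],
}

def scoped_policy(app_name):
    """Temporary policy restricting access to one app's sub-folder."""
    return {
        "Version": "1.1",
        "Statement": [{"Action": ["obs:object:*"],
                       "Resource": [f"obs:*:*:object:{BUCKET}/{FOLDER}/{app_name}/*"],
                       "Effect": "Allow"}],
    }

def build_request(app_name, duration_seconds=900):
    """Request body for the token-based temporary access key call (as on the page)."""
    return {"auth": {"identity": {
        "policy": scoped_policy(app_name),
        "token": {"duration-seconds": duration_seconds},
        "methods": ["token"]}}}

def policy_allows(policy, action, resource):
    """Allow only if an Allow statement matches both the action and the resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if (any(fnmatchcase(action, a) for a in stmt["Action"])
                and any(fnmatchcase(resource, r) for r in stmt["Resource"])):
            return True
    return False  # no matching statement: implicit deny

def effective_allows(app_name, action, resource):
    """Assumption: temporary keys get the intersection of user and temporary policy."""
    return (policy_allows(USER_POLICY, action, resource)
            and policy_allows(scoped_policy(app_name), action, resource))

if __name__ == "__main__":
    print(json.dumps(build_request("APP-1"), indent=4))
    # Constructed resource names; REGION and ACCOUNT are placeholders.
    for app, key in [("APP-1", "APP-1/a.txt"), ("APP-1", "APP-2/b.txt")]:
        res = f"obs:REGION:ACCOUNT:object:{BUCKET}/{FOLDER}/{key}"
        print(app, key, effective_allows(app, "obs:object:GetObject", res))
```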