Updated on 2023-02-22 GMT+08:00

Allowing IAM Users to View Only Authorized Buckets

Scenario

This topic explains how to use the Enterprise Project Management Service (EPS) to authorize an IAM user under an account to operate specific buckets, so that the user can view only the specified buckets and perform authorized operations on OBS Console. In this way, bucket permissions can be isolated.

In this case, the IAM user test-user is authorized to view only bucket example on OBS Console and has only the upload permission (obs:object:PutObject), object listing permission (obs:bucket:ListBucket), and bucket listing permission (obs:bucket:ListAllMyBuckets). With these permissions, user test-user can upload objects.

Recommended Configuration

Use EPS to isolate permissions.

Configuration Precautions

  • If an IAM user is granted an action through both IAM and EPS, the IAM configuration determines the result.

    Examples:

    1. If the bucket listing permission (obs:bucket:ListAllMyBuckets) is authorized through both IAM and EPS, the final permission authorization is subject to the IAM configuration. As a result, this authorization allows the user to list all buckets including those that do not belong to the enterprise project.

    2. For the upload permission (obs:object:PutObject), if Allow is configured in IAM and Deny is configured in the enterprise project, Allow takes effect, that is, objects can be uploaded.

  • If the OBS Viewer permission is configured for an IAM user in IAM and this user's group is added to the enterprise project, the IAM user cannot list buckets after logging in to OBS.
  • After the configuration is complete, it is normal if the system still displays a message indicating that you do not have required permissions, because OBS Console also calls other APIs for advanced settings, but you can still perform the allowed read/write operations.

Procedure

  1. Log in to the console and choose Enterprise > Project Management on the top navigation bar. Then, create an enterprise project named test-project using the authorized account by referring to Creating an Enterprise Project.
  2. Add bucket example-001 to test-project, the enterprise project created in step 1. For details, see Adding Resources to an Enterprise Project and Figure 1.

    If the user needs permissions on multiple buckets, migrate all of those buckets to the enterprise project.

    Figure 1 Adding buckets to an enterprise project

  3. Click the Permissions tab and then Authorize User, as shown in Figure 2.

    Figure 2 Authorizing permissions to an enterprise user

  4. Go to the IAM console and find user test-user.

    Figure 3 Finding user test-user

  5. Click Authorize in the Operation column to go to the authorization page. Then select Select permissions for Authorization Method.

    Figure 4 Authorization method of selecting permissions

  6. Attach policies to test-user, so that the user has the permissions defined in the policies in the test-project enterprise project.

    1. Choose from the available policies or create a custom policy. To find custom policies, select Custom policy from the drop-down list; to create one, click Create Policy on the right.
      • For details about how to create custom policies, see Creating a Custom Policy. Figure 5 shows the custom permissions configured in this example, including obs:object:PutObject (for uploading objects), obs:bucket:ListBucket (for listing objects in a bucket), and obs:bucket:ListAllMyBuckets (for listing buckets).
      • For details about OBS system-defined permissions, see Table 1.
        Figure 5 Configuring a custom policy

        The policy you attach here must be different from that added to the user group in IAM. Otherwise, the permission authorization is subject to the settings in IAM.

    2. Select the desired policies, as shown in Figure 6.
    Figure 6 Adding a custom policy

  7. Click Next and add user test-user (not in any user group) to the enterprise project.

    Figure 7 Adding a user to an enterprise project

  8. Click OK. The added permissions are displayed in the list in the enterprise project view on the Permissions > Authorization page.

    Figure 8 Permissions added successfully

    After finishing the configuration in EPS, you do not need to configure the IAM custom or system policies.
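The following is an added example, not code from the Huawei Cloud page or product. It covers two points from this topic: the custom policy from step 6 (the three OBS actions of Figure 5, written in the Huawei Cloud IAM custom-policy JSON format with Version "1.1"), and the precedence rule from Configuration Precautions (an action authorized in both IAM and EPS takes the IAM result). The audit helper applies that rule to a user's IAM policies and the EPS policy and flags the case where an IAM-side obs:bucket:ListAllMyBuckets defeats bucket isolation. The sample IAM policy and the single-document Deny-over-Allow simplification are assumptions of this example.

```python
"""Added example: check whether IAM-side policies override the EPS (enterprise
project) scoping described on the page. Not Huawei Cloud code; sample policies
are constructed for illustration."""
import json

# Custom policy attached in the enterprise project (Figure 5): the three actions
# the scenario grants to test-user. Shape follows the Huawei Cloud IAM
# custom-policy JSON format.
EPS_POLICY = {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "obs:object:PutObject",
                "obs:bucket:ListBucket",
                "obs:bucket:ListAllMyBuckets",
            ],
        }
    ],
}

# Constructed example of a policy a user group might already carry in IAM
# (Precaution example 1): bucket listing granted account-wide.
IAM_LIST_ALL_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["obs:bucket:ListAllMyBuckets"]}
    ],
}


def render_policy(policy: dict) -> str:
    """Serialize a policy document as it would be pasted into the console."""
    return json.dumps(policy, indent=4)


def decisions(policy: dict) -> dict:
    """Map each action named in one policy document to its Effect.

    Simplifying assumption for this example: within one document an explicit
    Deny on an action is not overridden by a later Allow."""
    result = {}
    for stmt in policy.get("Statement", []):
        effect = stmt["Effect"]
        for action in stmt.get("Action", []):
            if result.get(action) != "Deny":
                result[action] = effect
    return result


def effective_decisions(iam_policies: list, eps_policy: dict) -> dict:
    """Apply the page's rule: if IAM configures an action at all, the IAM
    result stands; otherwise the EPS result applies.

    Returns {action: (effect, source)} with source "IAM" or "EPS"."""
    iam = {}
    for policy in iam_policies:
        for action, effect in decisions(policy).items():
            if iam.get(action) != "Deny":
                iam[action] = effect
    eps = decisions(eps_policy)
    effective = {}
    for action in set(iam) | set(eps):
        if action in iam:
            effective[action] = (iam[action], "IAM")
        else:
            effective[action] = (eps[action], "EPS")
    return effective


def audit(iam_policies: list, eps_policy: dict) -> list:
    """List actions whose EPS scoping is overridden by an IAM configuration.

    The obs:bucket:ListAllMyBuckets case is singled out because an IAM Allow
    there lets the user list every bucket in the account, not only the buckets
    in the enterprise project."""
    warnings = []
    eps_actions = decisions(eps_policy)
    for action, (effect, source) in sorted(
        effective_decisions(iam_policies, eps_policy).items()
    ):
        if source == "IAM" and action in eps_actions:
            msg = f"{action}: configured in both IAM and EPS; IAM ({effect}) wins"
            if action == "obs:bucket:ListAllMyBuckets" and effect == "Allow":
                msg += "; user can list ALL buckets, not only enterprise-project ones"
            warnings.append(msg)
    return warnings


if __name__ == "__main__":
    print(render_policy(EPS_POLICY))
    print("EPS only:", audit([], EPS_POLICY))
    print("IAM + EPS:", audit([IAM_LIST_ALL_POLICY], EPS_POLICY))
```

Run with no IAM policies, the audit is clean and every action comes from EPS, which is the configuration this topic recommends. Add the constructed IAM policy and the audit reports that bucket listing is now decided in IAM, the situation described in Precaution example 1.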

Verification

  1. Log in to OBS Console as user test-user.
  2. Only bucket example-001 is displayed in the bucket list, as shown in Figure 9.

    Figure 9 Verifying the permission configuration

  3. Click bucket example-001 to go to its overview page and choose Objects in the navigation pane. The objects in the bucket are displayed.

    Figure 10 Viewing objects in bucket example-001

    After the configuration is complete, it is normal if the system still displays a message indicating that you do not have required permissions, because OBS Console also calls other APIs for advanced settings, but you can still perform the allowed read/write operations.

  4. Upload file 111.txt to bucket example-001. The file upload succeeds, indicating that the permission configuration is successful.

    Figure 11 Uploading a file

    If some other permissions, such as downloading or deleting an object, are required, hover your cursor over the username and choose Identity and Access Management > Permissions > Policies/Roles, and then configure permissions in the custom policy.