Updated on 2024-08-27 GMT+08:00

Creating an IAM Agency

Some OBS features (cross-region replication, logging, and back to source) require OBS itself to act on your data. For these features, you create an IAM agency that delegates the required permissions to OBS, and only those permissions.

Creating an Agency for Cross-Region Replication

  1. In the Create Cross-Region Replication Rule dialog box on OBS Console, click View IAM agencies to jump to the Agencies page on the IAM console.
  2. Click Create Agency.
  3. Enter an agency name.
  4. Select Cloud service for the Agency Type.
  5. Select Object Storage Service (OBS) for Cloud Service.
  6. Select a validity period.
  7. Click Next.

    The IAM console has an old and a new edition of the agency creation page. This section describes the new edition.

  8. On the Select Policy/Role page, search for and select OBS Administrator and click Next.
  9. On the Select Scope page, select Global services for Scope and click OK.
  10. (Optional) If Replicate KMS encrypted objects is selected, the IAM agency also needs the KMS Administrator permission in the regions where the source and destination buckets are located.

    1. Go to the Agencies page of the IAM console and click the name of the agency created in the previous step.
    2. Choose the Permissions tab and click Authorize.
    3. On the Select Policy/Role page, search for and select KMS Administrator. Then, click Next.
    4. On the Select Scope page, select Region-specific projects for Scope. Then, select the projects in the regions where the source and destination buckets are located.

Creating an Agency for Uploading Logs

  1. In the Logging dialog box, click Create Agency to jump to the Agencies page on the Identity and Access Management console.
  2. Click Create Agency.
  3. Enter an agency name.
  4. Select Cloud service for the Agency Type.
  5. Select Object Storage Service (OBS) for Cloud Service.
  6. Set a validity period.
  7. Click Next.
  8. On the Select Policy/Role page, select a custom policy that grants permission to upload objects to the log storage bucket, and click Next.

    If no such custom policy exists, create one by referring to Creating a Custom Policy: set Scope to Global services, set Policy View to JSON, and use the policy content below. The policy allows only obs:object:PutObject, and only on objects in the log storage bucket, so the agency can write logs but cannot read them or access other buckets.

    When writing the policy content for your own scenario, replace mybucketlogs with the actual name of the log storage bucket:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Action": [
                    "obs:object:PutObject"
                ],
                "Resource": [
                    "OBS:*:*:object:mybucketlogs/*"
                ],
                "Effect": "Allow"
            }
        ]
    }

  9. On the Select Scope page, select Global services for Scope and click OK.
  10. (Optional) If the log storage bucket has server-side encryption enabled, the agency also requires the KMS Administrator permission for the region where the bucket is located.

    1. Go to the Agencies page of the IAM console and click the name of the agency created in the previous step.
    2. Choose the Permissions tab and click Authorize.
    3. On the Select Policy/Role page, search for and select KMS Administrator. Then, click Next.
    4. On the Select Scope page, select Region-specific projects for Scope. Then, select the project in the region where the log storage bucket is located.
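The following Python script is an added example, not Huawei Cloud's code. It checks that a custom policy document shaped like the log-upload policy above grants only obs:object:PutObject, and only on objects inside the intended log storage bucket, which is what makes that policy least-privilege. The policy format ("Version": "1.1", Statement with Action, Resource and Effect, and resource strings of the form OBS:*:*:object:<bucket>/<pattern>) follows the page; the function names, the constructed over-broad policy, and the rule that a statement without a Resource element is treated as unrestricted are this example's own assumptions.

```python
"""Least-privilege audit for an OBS custom policy (added example, not Huawei Cloud code)."""
import json

# The page's log-upload policy, with the placeholder bucket name.
LOG_UPLOAD_POLICY = json.loads("""
{
    "Version": "1.1",
    "Statement": [
        {
            "Action": ["obs:object:PutObject"],
            "Resource": ["OBS:*:*:object:mybucketlogs/*"],
            "Effect": "Allow"
        }
    ]
}
""")

# The only action the log-upload agency needs (compared case-insensitively).
LOG_UPLOAD_ACTIONS = {"obs:object:putobject"}


def build_log_upload_policy(bucket):
    """Return a copy of the page's policy with mybucketlogs replaced by bucket."""
    policy = json.loads(json.dumps(LOG_UPLOAD_POLICY))  # deep copy
    for stmt in policy["Statement"]:
        stmt["Resource"] = [r.replace("mybucketlogs", bucket) for r in stmt["Resource"]]
    return policy


def resource_bucket(resource):
    """Bucket named by an object resource "OBS:*:*:object:<bucket>/<pattern>".

    Returns None when the string is not an OBS object resource in that shape.
    """
    parts = resource.split(":", 4)
    if len(parts) != 5 or parts[0].upper() != "OBS" or parts[3] != "object":
        return None
    bucket, _, _ = parts[4].partition("/")
    return bucket or None


def _as_list(value):
    """Action and Resource may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy, bucket, allowed_actions=LOG_UPLOAD_ACTIONS):
    """Return findings (strings); an empty list means every Allow statement is
    confined to allowed_actions on objects in bucket."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot widen access
        for act in _as_list(stmt.get("Action")):
            if act.lower() not in allowed_actions:
                findings.append(f"statement {i}: action {act!r} is not needed")
        resources = _as_list(stmt.get("Resource"))
        if not resources:
            # Assumption of this example: no Resource element means unrestricted.
            findings.append(f"statement {i}: no Resource element, so the actions are unrestricted")
        for res in resources:
            name = resource_bucket(res)
            if name is None:
                findings.append(f"statement {i}: resource {res!r} is not an object resource")
            elif "*" in name or "?" in name:
                findings.append(f"statement {i}: resource {res!r} uses a wildcard bucket name")
            elif name != bucket:
                findings.append(f"statement {i}: resource {res!r} is outside bucket {bucket!r}")
    return findings


if __name__ == "__main__":
    ok = build_log_upload_policy("acme-logs")  # "acme-logs" is a made-up bucket name
    print("page policy for acme-logs:", audit_policy(ok, "acme-logs") or "OK")
    # Constructed over-broad policy: every OBS action on every object.
    wide = {"Version": "1.1", "Statement": [
        {"Action": ["obs:*:*"], "Resource": ["OBS:*:*:object:*"], "Effect": "Allow"}]}
    for finding in audit_policy(wide, "acme-logs"):
        print("finding:", finding)
```

To check a policy you have already attached to an agency, copy its JSON from the IAM console, load it with json.loads, and call audit_policy with the log storage bucket's name; any non-empty result is a statement that grants more than the logging feature needs.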

Creating an Agency for Back to Source

  1. In the Create Back-to-Source Rule dialog box on OBS Console, click View Agencies to jump to the Agencies page on the IAM console.
  2. Click Create Agency.
  3. On the Create Agency page, specify an agency name, select Cloud service for Agency Type, and choose Object Storage Service (OBS) for Cloud Service.
  4. Select a validity period and enter a description.
  5. Click Done. In the displayed dialog box, click Authorize.
  6. If a policy that meets your requirements already exists, go to step 9. Otherwise, click Create Policy in the upper right corner.

    Figure 1 Creating a policy

  7. Specify a policy name and choose Visual editor for Policy View.
  8. Configure Policy Content as follows:

    1. Select Allow.
    2. For the service, select Object Storage Service (OBS).
    3. For actions, under ReadOnly, select obs:object:GetObject, under Read/Write, select obs:object:PutObject and obs:object:AbortMultipartUpload, and under ListOnly, select obs:bucket:ListBucket.
    4. For resources, select All.
    5. Click Next.

  9. Select the policy and click Next. Then, set Scope to All resources and click OK.

    The All resources option means that OBS can use all resources, including those in enterprise projects, region-specific projects, and global services under the account based on assigned permissions.