Updated on 2024-04-01 GMT+08:00

Creating an IAM Agency

Some OBS features require an IAM agency that grants OBS the permissions it needs to process your data.

Creating an Agency for Cross-Region Replication

  1. In the Create Cross-Region Replication Rule dialog box on OBS Console, click View IAM agencies to jump to the Agencies page on the IAM console.
  2. Click Create Agency.
  3. Enter an agency name.
  4. Select Cloud service for the Agency Type.
  5. Select Object Storage Service (OBS) for Cloud Service.
  6. Set a validity period.
  7. Click Next.

    The console for creating an agency has a new edition and an old edition. The following steps describe how to create an agency on the new edition.

  8. On the Select Policy/Role page, search for and select OBS Administrator and click Next.
  9. On the Select Scope page, select Global services for Scope and click OK.
  10. (Optional) If Replicate KMS encrypted objects is selected, the IAM agency also needs the KMS Administrator permissions in the regions where the source and destination buckets are located.

    1. Go to the Agencies page of the IAM console and click the name of the agency created in the previous step.
    2. Choose the Permissions tab and click Authorize.
    3. On the Select Policy/Role page, search for and select KMS Administrator. Then, click Next.
    4. On the Select Scope page, select Region-specific projects for Scope. Then, select the projects in the regions where the source and destination buckets are located.

Creating an Agency for Uploading Logs

  1. In the Logging dialog box, click Create Agency to jump to the Agencies page on the Identity and Access Management console.
  2. Click Create Agency.
  3. Enter an agency name.
  4. Select Cloud service for the Agency Type.
  5. Select Object Storage Service (OBS) for Cloud Service.
  6. Set a validity period.
  7. Click Next.
  8. On the Select Policy/Role page, select a custom policy that has the permission to upload data to the log storage bucket and click Next.

    If no custom policy is available, create one by referring to Creating a Custom Policy.

    Select Global services for Scope. Select JSON for Policy View. The policy content is as follows.

    When you write the policy for your own environment, replace mybucketlogs with the actual bucket name:

    {
        "Version": "1.1",
        "Statement": [
            {
                "Action": [
                    "obs:object:PutObject"
                ],
                "Resource": [
                    "OBS:*:*:object:mybucketlogs/*"
                ],
                "Effect": "Allow"
            }
        ]
    }

  9. On the Select Scope page, select Global services for Scope and click OK.
  10. (Optional) If default encryption is enabled for the log storage bucket, the IAM agency also requires the KMS Administrator permission in the region where the log storage bucket resides.

    1. Go to the Agencies page on the Identity and Access Management console and click the name of the agency created in the previous step.
    2. Choose the Permissions tab and click Authorize.
    3. On the Select Policy/Role page, search for and select KMS Administrator. Then, click Next.
    4. On the Select Scope page, select Region-specific projects for Scope. Then, select the project in the region where the log storage bucket is located.
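
The custom policy in step 8 of the log upload procedure grants one action on one bucket, and a missed `mybucketlogs` replacement or a widened wildcard changes what the agency can do. The following check is an added example, not part of the original documentation; the function name `audit_log_policy`, the sample strings, and the five-field resource layout (inferred from the policy above) are assumptions.

```python
import json

EXPECTED_ACTION = "obs:object:PutObject"  # the only action in the page's policy

def audit_log_policy(policy_text, bucket):
    """Return findings; an empty list means the policy has the shape of the
    page's policy and is scoped to objects in `bucket`."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return ["policy is not a JSON object"]
    findings = []
    if policy.get("Version") != "1.1":
        findings.append(f"unexpected Version {policy.get('Version')!r}")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return findings + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        if not isinstance(st, dict):
            findings.append(f"statement {i}: not a JSON object")
            continue
        if st.get("Effect") != "Allow":
            findings.append(f"statement {i}: unexpected Effect {st.get('Effect')!r}")
        actions, resources = st.get("Action"), st.get("Resource")
        if not isinstance(actions, list) or not isinstance(resources, list) or not actions or not resources:
            findings.append(f"statement {i}: Action and Resource must be non-empty lists")
            continue
        for action in actions:
            if action != EXPECTED_ACTION:
                findings.append(f"statement {i}: action {action!r} is not {EXPECTED_ACTION}")
        for res in resources:
            # Assumed layout, from the page's example: five colon-separated
            # fields, the last one "<bucket>/<object key pattern>".
            fields = str(res).split(":", 4)
            res_bucket, sep, key = fields[-1].partition("/")
            if (len(fields) != 5 or fields[0].upper() != "OBS" or fields[3] != "object"
                    or res_bucket != bucket or not sep or not key):
                findings.append(f"statement {i}: resource {res!r} is not limited to objects in {bucket!r}")
    return findings

# Constructed samples: the page's policy, and an over-broad variant.
PAGE_POLICY = '{"Version":"1.1","Statement":[{"Action":["obs:object:PutObject"],"Resource":["OBS:*:*:object:mybucketlogs/*"],"Effect":"Allow"}]}'
BROAD_POLICY = '{"Version":"1.1","Statement":[{"Action":["obs:object:*"],"Resource":["OBS:*:*:object:*"],"Effect":"Allow"}]}'

if __name__ == "__main__":
    for name, text in (("page", PAGE_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_log_policy(text, "mybucketlogs") or "OK")
```

Pass the name of your own log storage bucket as `bucket`; a policy that still names `mybucketlogs` is then reported as not limited to that bucket.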