Help Center> Object Storage Service> Console Operation Guide> Related Operations> Creating an IAM Agency
Updated on 2023-05-30 GMT+08:00
View PDF

Creating an IAM Agency

To use some OBS features, such as cross-region replicationand logging, you need to use IAM agencies to grant required permissions to OBS for processing your data.

Creating an Agency for Cross-Region Replication

  1. In the Create Cross-Region Replication Rule dialog box on OBS Console, click View IAM agencies to jump to the Agencies page on the IAM console.
  2. Click Create Agency to create an agency.
  3. Enter an agency name.
  4. Select Cloud service for the Agency Type.
  5. Select Object Storage Service (OBS) for Cloud Service.
  6. Set a validity period.
  7. Click Next.

    The console for creating an agency has the new and old editions. Here describes how to create an agency on the console of the new edition.

  8. On the Select Policy/Role page, select Tenant Administrator and click Next.
  9. On the Select Scope page, select Global services for Scope and click OK.
  10. (Optional) If Replicate KMS encrypted objects is selected, the IAM agency also needs the KMS Administrator permissions in the regions where the source and destination buckets are located.

    1. Go to the Agencies page on the Identity and Access Management console and click the name of the agency created in the previous step.
    2. On the Agency Permissions tab page, click Assign Permissions.
    3. In the Scope area, select Region-specific projects and select the projects in the regions where the source and destination buckets reside.
    4. In the Permissions area, search for and select KMS Administrator, and click OK.

Creating an Agency for Uploading Logs

  1. In the Logging dialog box, click Create Agency to jump to the Agencies page on the Identity and Access Management console.
  2. In the navigation pane, choose Policy Management > Agency Policies.
  3. Click Create Agency to create an agency.
  4. Enter an agency name.
  5. Select Cloud service for the Agency Type.
  6. Select Object Storage Service (OBS) as the cloud service.
  7. Set a validity period.
  8. Click Next.
  9. On the Select Policy/Role page, select a custom policy that has the permission to upload data to the log storage bucket and click Next.

    If no custom policy is available, create one by referring to Creating a Custom Policy.

    When creating a custom policy, select Global services for Scope and select JSON for Policy View. The policy content is as follows.

    When coding the policy content in an actual scenario, replace mybucketlogs with the actual bucket name:

    {
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "obs:object:PutObject"
            ],
            "Resource": [
                "OBS:*:*:object:mybucketlogs/*"
            ],
            "Effect": "Allow"
        }
    ]
}

  10. On the Select Scope page, select Global services for Scope and click OK.
  11. (Optional) If the default encryption is enabled for the log storing bucket, the IAM agency also requires the KMS Administrator permission in the region where the log storing bucket resides.

    1. Go to the Agencies page on the Identity and Access Management console and click the name of the agency created in the previous step.
    2. On the Agency Permissions tab page, click Assign Permissions.
    3. In the Scope area, select Region-specific projects and select the projects in the region where the log bucket resides.
    4. In the Permissions area, search for and select KMS Administrator, and click OK.

Parent topic: Related Operations