Updated on 2024-08-15 GMT+08:00

Granting IAM User Groups the Specified Permissions for Certain OBS Resources

Scenario

This topic describes how to grant specified operation permissions for certain OBS resources (can be a bucket or an object) to multiple IAM users or user groups.

Recommended Configuration

IAM custom policies

Configuration Precautions

After the configuration is complete, you can perform allowed operations using APIs or SDKs. However, if you log in to OBS Console or OBS Browser+ to perform those operations, an error is reported indicating that you do not have required permissions.

This is because when you log in to OBS Console or OBS Browser+, APIs (such as ListAllMyBuckets and ListBucket) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access to OBS Console or OBS Browser+ is denied or your operation is not allowed.

To allow IAM users to operate buckets and objects on OBS Console or OBS Browser+, add at least the obs:bucket:ListAllMyBuckets and obs:bucket:ListBucket permissions to the custom policy.

obs:bucket:ListAllMyBuckets applies to all resources. You need to select all resources.

obs:bucket:ListBucket applies only to the authorized bucket. You can select all resources or a specified bucket as needed.

Procedure

  1. Log in to Huawei Cloud and click Console in the upper right corner.
  2. On the console, hover your cursor over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.
  3. In the navigation pane, choose Permissions > Policies/Roles > Create Custom Policy.
  4. Configure parameters for a custom policy.

    Figure 1 Configuring a custom policy
    Table 1 Parameters for configuring a custom policy

    Parameter

    Description

    Policy Name

    Enter a policy name.

    Policy View

    Set this parameter based on your own habits. Visual editor is used here.

    Policy Content

    [Permission 1] It is mandatory when an authorized user needs to perform operations on OBS Console or OBS Browser+.

    • Select Allow.
    • Select Object Storage Service (OBS).
    • Select obs:bucket:ListAllMyBuckets from the actions.
    • Select All for resources.

    [Permission 2]

    • Select Allow.
    • Select Object Storage Service (OBS).
    • Select the actions to be authorized.

      For details about operations and permissions supported by OBS, see Bucket-Related Actions and Object-Related Actions.

    • Choose Specific resources > Bucket to specify bucket resources.

      [Format]

      obs:*:*:bucket:bucket name

      [Note]

      For bucket resources, IAM automatically generates the prefix of the resource path: obs:*:*:bucket:.

      For the path of a specific bucket, add the bucket name to the end. You can also add a wildcard character (*) to indicate any bucket. Examples are given as follows:

      • obs:*:*:bucket:* (indicating any OBS bucket)
      • obs:*:*:bucket:examplebucket (indicating that the policy applies to bucket examplebucket)

      To perform operations on OBS Console or OBS Browser+, grant the obs:bucket:ListBucket permission to a specified bucket.

    • Choose Specific resources > Object to specify an object resource.

      [Format]

      Objects in a specified directory: obs:*:*:object:Bucket name/Prefix/*

      Specified object: obs:*:*:object:Bucket name/Object name

      [Note]

      For object resources, IAM automatically generates the prefix of the resource path: obs:*:*:object:

      For the path of a specific object, add the bucket name/object name to the end. You can also add a wildcard character (*) to indicate any object in a bucket. Examples are given as follows:

      • obs:*:*:object:my-bucket/my-object/* (indicating any object in the my-object directory of bucket my-bucket)
      • obs:*:*:object:my-bucket/exampleobject (indicating object exampleobject in bucket my-bucket)

    Scope

    The default value is Global services.

  5. Click OK. The custom policy is created.
  6. Create a user group and assign permissions.

    Add the created custom policy to the user group by following the instructions in the IAM document.

  7. Add the IAM user you want to authorize to the created user group by referring to Adding Users to or Removing Users from a User Group.

    Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.