Granting Other Accounts the Specified Permissions for a Bucket

Scenario

This topic describes how to grant other Huawei Cloud accounts (excluding the IAM users under them) specific permissions for OBS buckets. For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and the Resources in It.

The following example explains how to grant the permissions to configure a bucket ACL and obtain the bucket ACL configuration information. To grant other permissions, select required actions from Action Name in the bucket policy. For details about the actions supported by OBS, see Action/NotAction.

Recommended Configuration

Use bucket policies to grant permissions to other accounts.

Precautions

After configuration, the authorized account can configure and obtain a bucket ACL by using APIs or SDKs or by adding external buckets through OBS Browser+. To do this by adding external buckets, the ListBucket permission is also required. Currently, access to buckets of other accounts is not allowed on OBS Console.

Procedure

1. In the navigation pane of OBS Console, choose Buckets.
2. In the bucket list, click the bucket name you want to go to the Objects page.
3. In the navigation pane, choose Permissions > Bucket Policies.
4. On the Bucket Policies page, click Create.
5. Configure a bucket policy.
   Figure 1 Configuring a bucket policy
   

   Table 1 Parameters for configuring a bucket policy

   Parameter	Description
   Policy view	Select Visual Editor or JSON based on your own habits. Visual Editor is used here.
   Policy Name	Enter a policy name.
   Effect	Select Allow.
   Principal	Select Other accounts. Enter the account ID and IAM user ID in the format of Account ID/IAM user ID. To specify multiple IAM users, enter each one on a separate line. An asterisk (*) indicates all accounts or IAM users. NOTE: The account ID and IAM user ID can be obtained on the My Credentials page. The following describes different authorization scenarios: Granting permissions to all accounts and IAM users: Enter */*. Granting permissions to an account and all IAM users under the account: Enter Account ID/*. Granting permissions to a specific IAM user under an account: Enter Account ID/IAM user ID. Delegated accounts: Enter the ID of a delegating account and an agency name. NOTE: The format is Account ID/Agency name. To specify multiple agencies, enter each one on a separate line. You can specify one or more common accounts or delegated accounts. Either of the two types of accounts must be specified.
   Resources	Select Current bucket.
   Actions	Choose Customize. Select actions: PutBucketAcl (to configure a bucket ACL) GetBucketAcl (to obtain the bucket ACL information) (Optional) ListBucket (to list objects in the bucket and obtain the bucket metadata) NOTE: After the ListBucket permission is granted, the authorized account can access the bucket from OBS Browser+ by adding an external bucket. To grant other permissions, select required actions based on actions supported by OBS.

6. Confirm and click Create.

Verification

In cross-account authorization scenarios, authorized users can access the buckets and objects via APIs or SDKs, or by adding external buckets through OBS Browser+.