Granting Other Accounts the Read Permission for Certain Objects
Scenario
This case describes how to grant other accounts (excluding IAM users under the account) the read permission for an object or a type of objects in an OBS bucket. For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and the Resources in It.
Recommended Configuration
Use bucket policies to grant permissions to other accounts.
Precautions
In this case, the preset template Object Read-Only allows other accounts to perform the following actions on specified objects in a bucket:
- GetObject (to obtain object content and metadata)
- GetObjectVersion (to obtain the content and metadata of a specified object version)
- GetObjectVersionAcl (to obtain the ACL of a specified object version)
- GetObjectAcl (to obtain the object ACL)
- RestoreObject (to restore objects from Archive storage)
After configuration, they can read (download) specific objects using APIs or SDKs. However, if they download an object from OBS Console or OBS Browser+, a message will be displayed, indicating that they do not have required permissions.
When they log in to OBS Console or OBS Browser+, the ListAllMyBuckets API is called to load the bucket list, the ListBucket API is called to load the object list, and some other APIs will also be called on other pages, but their permissions do not cover those APIs. In such case, the message is displayed.
Procedure
- In the navigation pane of OBS Console, choose Buckets.
- In the bucket list, click the bucket name you want to go to the Objects page.
- In the navigation pane, choose Permissions > Bucket Policies.
- On the Bucket Policies page, click Create.
- Configure a bucket policy.
Figure 1 Configuring a bucket policy
Table 1 Parameters for configuring a bucket policy Parameter
Description
Policy view
Select Visual Editor or JSON based on your own habits. Visual Editor is used here.
Policy Name
Enter a policy name.
Effect
Select Allow.
Principal
- Select Other accounts.
Enter the account ID and IAM user ID in the format of Account ID/IAM user ID. To specify multiple IAM users, enter each one on a separate line. An asterisk (*) indicates all accounts or IAM users.NOTE:
The account ID and IAM user ID can be obtained on the My Credentials page. The following describes different authorization scenarios:
- Granting permissions to all accounts and IAM users: Enter */*.
- Granting permissions to an account and all IAM users under the account: Enter Account ID/*.
- Granting permissions to a specific IAM user under an account: Enter Account ID/IAM user ID.
- Delegated accounts: Enter the ID of a delegating account and an agency name.
NOTE:
The format is Account ID/Agency name. To specify multiple agencies, enter each one on a separate line.
- You can specify one or more common accounts or delegated accounts. Either of the two types of accounts must be specified.
Resources
- Select Specified objects.
- Enter an object name prefix for the resource path.
NOTE:
- You can click Add to specify multiple resource paths.
- You can specify a specific object, an object set, or a directory. * indicates all objects in the bucket.
To specify a specific object, enter the object name.
To specify a set of objects, enter Object name prefix*, *Object name suffix, or *.
Actions
- Choose Use a template.
- Select Object Read-Only.
- Select Other accounts.
- Confirm and click Create.
Verification
In cross-account authorization scenarios, authorized users can access the buckets and objects via APIs or SDKs, or by adding external buckets through OBS Browser+.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot