Updated on 2024-04-16 GMT+08:00

Granting Other Accounts Permissions to Operate a Specific Bucket

The bucket owner (root account), as well as any other account or IAM user that has permission to set bucket policies, can configure a bucket policy that grants bucket operation permissions to other accounts or to IAM users under other accounts.

The following is an example of how to grant other accounts the permissions to access a bucket and upload objects to it.

To grant permissions to IAM users under other accounts, you need to configure both bucket policies and IAM policies.

  1. Configure a bucket policy to allow the IAM users to access the bucket.
  2. Configure IAM policies in the account that the authorized IAM users belong to, allowing those IAM users to access the bucket.

Only permissions that are allowed by both the bucket policy and IAM policies can take effect.

Procedure

  1. In the bucket list, click the bucket you want to operate to go to the Objects page.
  2. In the navigation pane, choose Permissions > Bucket Policies.
  3. Click Create.
  4. Configure parameters listed in the table below to grant other accounts the permissions to access the bucket (to list objects in the bucket) and to upload objects.

    Table 1 Parameters for granting the object listing and upload permissions

    Configuration method: Choose Visual Editor.

    Policy Name: Enter a custom policy name.

    Policy content:

      Effect: Select Allow.

      Principals:
      • Select Other accounts.
        NOTE:
        1. You can obtain the account ID and IAM user ID from the My Credentials page.
        2. Enter accounts in the Domain ID/IAM user ID format, one per line.
        3. The following describes the different authorization scenarios:
           • Granting permissions to all other accounts and their IAM users: set both the account ID and the IAM user ID to *.
           • Granting permissions to an account: enter the desired account ID and IAM user ID.
           • Granting permissions to an account and all its IAM users: enter the desired account ID and set the IAM user ID to * (indicating all IAM users under the account).
           • Granting permissions to certain IAM users: enter the account ID and one or more IAM user IDs.

      Resources:
      • Method 1: select Entire bucket (including the objects in it).
      • Method 2: select Current bucket and Specified objects, and set the resource path to * (indicating all objects in the bucket).

      Actions:
      • Choose Customize.
      • Select the actions ListBucket (to list objects in the bucket and obtain the bucket metadata) and PutObject (to upload objects).
        NOTE:
        In this example, PutObject is the only object action selected. You can also select other object actions to grant the corresponding permissions if needed. The asterisk (*) indicates all actions.
        To learn the supported actions and their meanings, see Actions.

  5. Click Create in the lower right corner.
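The two rules this page relies on, that a principal is matched as "account ID/IAM user ID" with * standing for any account or any user, and that a request succeeds only when both the bucket policy and the caller's IAM policy allow it, can be exercised with a small evaluator. The following is an added example, not Huawei Cloud code and not the exact OBS policy JSON schema: the Statement shape, the principal string format and the deny-over-allow convention are simplified assumptions chosen to mirror the console fields in Table 1, and all account IDs, user IDs and the bucket name are constructed placeholders.

```python
"""Model of the two-layer authorization described on this page.

Assumptions (not the real OBS schema): a policy is a list of Statement
objects; principals are written "domainId/userId" as in the console;
actions and resources accept the * wildcard; an explicit Deny wins
over Allow and anything unmatched is denied by default.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Statement:
    effect: str                      # "Allow" or "Deny"
    actions: list                    # e.g. ["ListBucket", "PutObject"] or ["*"]
    resources: list                  # e.g. ["bucket", "bucket/*"]
    principals: list = field(default_factory=lambda: ["*/*"])  # "domainId/userId"


def principal_matches(pattern: str, principal: str) -> bool:
    """Match an 'account ID/IAM user ID' pattern against the caller.

    Covers the scenarios in Table 1:
      */*           all other accounts and all their IAM users
      acct/*        one account and all of its IAM users
      acct/user     one specific IAM user
    """
    p_acct, _, p_user = pattern.partition("/")
    c_acct, _, c_user = principal.partition("/")
    return (p_acct == "*" or p_acct == c_acct) and (p_user == "*" or p_user == c_user)


def evaluate(statements, principal, action, resource) -> bool:
    """Evaluate one policy layer: explicit Deny wins, else any Allow grants."""
    allowed = False
    for s in statements:
        if not any(principal_matches(p, principal) for p in s.principals):
            continue
        if not any(fnmatchcase(action, a) for a in s.actions):
            continue
        if not any(fnmatchcase(resource, r) for r in s.resources):
            continue
        if s.effect == "Deny":
            return False
        allowed = True
    return allowed


def is_authorized(bucket_policy, iam_policy, principal, action, resource) -> bool:
    """The page's rule: only permissions allowed by BOTH layers take effect."""
    return (evaluate(bucket_policy, principal, action, resource)
            and evaluate(iam_policy, principal, action, resource))


# Constructed sample data (placeholder IDs, not real account or user IDs).
BUCKET = "example-bucket"

# Bucket policy set by the bucket owner: account B and all its IAM users may
# list the bucket and upload objects ("Entire bucket (including the objects in it)").
OWNER_BUCKET_POLICY = [
    Statement(effect="Allow",
              principals=["acct-b-domain-id/*"],
              actions=["ListBucket", "PutObject"],
              resources=[BUCKET, f"{BUCKET}/*"]),
]

# IAM policies live in account B and are attached to its users.
IAM_POLICIES = {
    # user-1 was only granted PutObject on objects, not ListBucket
    "acct-b-domain-id/user-1": [
        Statement(effect="Allow", actions=["PutObject"], resources=[f"{BUCKET}/*"]),
    ],
    # user-2 has no IAM grant for this bucket at all
    "acct-b-domain-id/user-2": [],
}


def demo() -> dict:
    """Run the four representative requests and return their outcomes."""
    checks = {
        "user1_put":  ("acct-b-domain-id/user-1", "PutObject",  f"{BUCKET}/report.csv"),
        "user1_list": ("acct-b-domain-id/user-1", "ListBucket", BUCKET),
        "user2_put":  ("acct-b-domain-id/user-2", "PutObject",  f"{BUCKET}/report.csv"),
        "acctc_put":  ("acct-c-domain-id/user-9", "PutObject",  f"{BUCKET}/report.csv"),
    }
    return {name: is_authorized(OWNER_BUCKET_POLICY, IAM_POLICIES.get(p, []), p, a, r)
            for name, (p, a, r) in checks.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

Only user-1's upload is allowed: the bucket policy grants ListBucket to the whole of account B, but user-1's IAM policy does not, so the listing is denied; user-2 has no IAM grant, and account C is not named in the bucket policy at all. This is the check to run mentally when a cross-account request is unexpectedly denied: both layers must match the principal, the action and the resource.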