Last updated: 2024-09-18 GMT+08:00

Granting an IAM User Permissions to Operate a Specific Bucket

Create an IAM user under an account. The IAM user has no permissions on any resource until it is added to a user group. The bucket owner (root account), or other accounts and IAM users that have permission to set bucket policies, can configure bucket policies to grant bucket operation permissions to IAM users.

The following is an example of how to grant an IAM user the bucket access and object upload permissions.

Notes

In this example, the authorized IAM user can access the authorized bucket and upload objects to it using OBS Browser+, APIs, or SDKs, but cannot access the bucket on OBS Console. To allow access through OBS Console, you need to create a custom policy and add the IAM user to a user group that has the obs:bucket:ListAllMyBuckets permission for all OBS resources. The IAM user can then view the authorized bucket on OBS Console.

Procedure

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the name of the desired bucket. The Objects page is displayed.
  3. In the navigation pane, choose Permissions > Bucket Policy.
  4. Click Create.
  5. In the first row of the template list, click Create Custom Policy on the right.
  6. Configure parameters listed in the table below to grant an IAM user the permissions to access the bucket (to list objects in the bucket) and to upload objects.

    Table 1 Parameters for granting bucket access and object upload permissions

    | Parameter | Description |
    | --- | --- |
    | Policy View | Visual editor |
    | Policy Name | Enter a custom name. |
    | Policy Content: Effect | Allow |
    | Policy Content: Principal | • Current account • Sub-user: Specify IAM users under the current account. • User Policy: Include specified users. |
    | Policy Content: Resources | • Select the Current bucket and Object in bucket, and then select All objects. • Resource Policy: Include specified resources. |
    | Policy Content: Actions | • Select ListBucket and PutObject actions. • Operation Strategy: Include selected actions. |

    NOTE:

    In this example, only the upload action among object actions is selected. You can also select other object actions to grant corresponding permissions if needed. The asterisk (*) indicates all actions.

    For details about the supported actions, see Actions.

  7. Click Next in the lower right corner to confirm the policy configuration.
  8. Click Create in the lower right corner.
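
The statement configured in Table 1, written out as a JSON bucket policy, together with a check that it grants nothing beyond ListBucket and PutObject on the one bucket. This is an added example, not Huawei Cloud's own code: the JSON field layout is an assumption based on the OBS bucket policy format, and the bucket name, account ID, user ID and the `audit` helper are hypothetical.

```python
import json

# Constructed placeholders, not real identifiers.
BUCKET = "example-bucket"
ACCOUNT_ID = "ACCOUNT_ID_PLACEHOLDER"
USER_ID = "USER_ID_PLACEHOLDER"

# Assumed JSON form of the single statement configured in Table 1.
POLICY = {"Statement": [{
    "Sid": "list-and-upload",
    "Effect": "Allow",
    "Principal": {"ID": [f"domain/{ACCOUNT_ID}:user/{USER_ID}"]},
    "Action": ["ListBucket", "PutObject"],
    "Resource": [BUCKET, f"{BUCKET}/*"],
}]}

INTENDED_ACTIONS = {"ListBucket", "PutObject"}


def as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return value if isinstance(value, list) else [value]


def audit(policy, bucket, intended=INTENDED_ACTIONS):
    """Return findings for Allow statements broader than the intended grant."""
    findings = []
    for n, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        ids = as_list(principal.get("ID", []) if isinstance(principal, dict) else principal)
        if not ids:
            findings.append((n, "principal", "missing"))
        # Any wildcard in a principal widens the grant past the named user.
        findings += [(n, "principal", p) for p in ids if "*" in p]
        for action in as_list(stmt.get("Action", [])):
            if "*" in action or action not in intended:
                findings.append((n, "action", action))
        for res in as_list(stmt.get("Resource", [])):
            # Only the bucket itself and objects under it are in scope.
            if res != bucket and not res.startswith(bucket + "/"):
                findings.append((n, "resource", res))
    return findings


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print("findings:", audit(POLICY, BUCKET) or "none")
```

Each finding is a tuple of statement index, field and offending value, so an empty list means the policy matches the intended grant.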

Verification

Verify the preceding permissions on OBS Browser+.

  1. Create an access key (AK/SK) of the authorized user on OBS Console.
  2. Open OBS Browser+, enter the obtained AK and SK, and set the Access Path to the name of the authorized bucket.
  3. Access requests from unauthorized users are denied.
  4. After being granted the permission to access the bucket, the user can access the bucket on OBS Browser+, with objects in the bucket properly displayed.
  5. Upload an object to the bucket. The upload fails.
  6. After being granted the permission to upload objects, the user can upload objects to the bucket on OBS Browser+, with the uploaded objects properly displayed in the object list.