Granting Other Huawei Cloud Accounts Permissions to Operate a Specific Bucket
The bucket owner (root account), or any other account or IAM user that has the permission to set bucket policies, can configure a bucket policy that grants bucket operation permissions to other accounts or to IAM users under other accounts.
The following is an example of how to grant other accounts the permissions to access a bucket and upload objects to it.
To grant permissions to IAM users under other accounts, you need to configure both a bucket policy and IAM permissions:
- Configure a bucket policy that allows the IAM users to access the bucket.
- Configure IAM permissions in the account to which the authorized IAM users belong, allowing those IAM users to access the bucket.
Only permissions that are allowed by both the bucket policy and the IAM permissions take effect; a permission that is missing from either side is denied.
Procedure
- In the navigation pane of OBS Console, choose Object Storage.
- In the bucket list, click the name of the desired bucket. The Objects page is displayed.
- In the navigation pane, choose Permissions > Bucket Policy.
- Click Create.
- In the first row of the template list, click Create Custom Policy on the right.
- Configure parameters listed in the table below to grant other accounts the permissions to access the bucket (to list objects in the bucket) and to upload objects.
Table 1 Parameters for granting bucket access and object upload permissions

Policy View: Visual editor

Policy Name: Enter a custom name.

Policy Content:
  Effect: Allow
  Principal:
  - Other account
  - Enter the account ID and IAM user ID.
  NOTE: The account ID and IAM user ID can be obtained on the My Credentials page of the account or user to be authorized. The different authorization scenarios are:
    - Granting permissions to all other accounts and their IAM users: set both the account ID and the IAM user ID to *.
    - Granting permissions to an account: enter the desired account ID and IAM user ID.
    - Granting permissions to an account and its IAM users: enter the desired account ID, and set the IAM user ID to * (indicating all IAM users under the account).
    - Granting permissions to certain IAM users: enter the desired account ID and one or more IAM user IDs.
  - User Policy: Include specified users.
  Resources:
  - Select Current bucket and Object in bucket, and then select All objects.
  - Resource Policy: Include specified resources.
  Actions:
  - Select the ListBucket and PutObject actions.
  - Operation Strategy: Include selected actions.
  NOTE: In this example, only the upload action is selected among the object actions. You can also select other object actions to grant the corresponding permissions if needed. The asterisk (*) indicates all actions.
  For details about the supported actions, see Actions.
- Click Next in the lower right corner to confirm the policy configuration.
- Click Create in the lower right corner.
Verification
Verify the preceding permissions on OBS Browser+.
- Create an access key (AK/SK) of the authorized user on OBS Console.
- Open OBS Browser+, enter the obtained AK and SK, and set the Access Path to the name of the authorized bucket.
- Access requests from unauthorized users are denied.
- After being granted the permission to access the bucket, the user can access the bucket on OBS Browser+, with objects in the bucket properly displayed.
- Upload an object to the bucket. The upload fails.
- After being granted the permission to upload objects, the user can upload objects to the bucket on OBS Browser+, with the uploaded objects properly displayed in the object list.
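The following is an added example, not Huawei Cloud's or OBS's own code: a small Python evaluator that models the two rules this page relies on, namely that a permission takes effect only when both the bucket policy and the IAM permissions allow it, and that an asterisk in the account ID or IAM user ID of a Principal matches all accounts or all users. It then replays the outcomes of the Verification section (denied before the grant, listing allowed but upload denied after granting only ListBucket, upload allowed after adding PutObject). The JSON layout of the bucket policy and the principal string form `domain/<account-id>:user/<user-id>` are assumptions about what the JSON policy view shows; compare them with your console before reusing them. The IAM side is reduced to a plain list of allowed (action, resource) patterns, and all account, user and bucket names are constructed sample values.

```python
"""Added example: evaluate an OBS-style bucket policy together with the
authorized account's IAM grants.  A request is effective only if BOTH allow it.
Policy layout and principal string form are assumptions; IDs are constructed.
"""
import fnmatch
from typing import Dict, List, Tuple

# Constructed sample identities (not real Huawei Cloud IDs).
OTHER_ACCOUNT_ID = "acct-other-0001"
AUTHORIZED_USER_ID = "user-alice-0001"
UNAUTHORIZED_USER_ID = "user-bob-0002"   # same account, not named in the policy
BUCKET = "examplebucket"


def principal_matches(principal: str, account_id: str, user_id: str) -> bool:
    """Match an assumed "domain/<account>:user/<user>" principal against a caller.

    A "*" in either position means "all", as the Principal note in Table 1
    describes (e.g. "domain/acct:user/*" covers every IAM user of that account).
    """
    try:
        domain_part, user_part = principal.split(":", 1)
        pol_account = domain_part.split("/", 1)[1]
        pol_user = user_part.split("/", 1)[1]
    except (ValueError, IndexError):
        return False  # a malformed principal never matches
    return pol_account in ("*", account_id) and pol_user in ("*", user_id)


def bucket_policy_allows(policy: dict, account_id: str, user_id: str,
                         action: str, resource: str) -> bool:
    """Explicit Deny wins over Allow; with no matching statement nothing is allowed."""
    allowed = False
    for stmt in policy.get("Statement", []):
        principals = stmt.get("Principal", {}).get("ID", [])
        if not any(principal_matches(p, account_id, user_id) for p in principals):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt.get("Action", [])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt.get("Resource", [])):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def iam_allows(iam_grants: List[Tuple[str, str]], action: str, resource: str) -> bool:
    """Simplified IAM side: a list of (action pattern, resource pattern) grants."""
    return any(fnmatch.fnmatchcase(action, a) and fnmatch.fnmatchcase(resource, r)
               for a, r in iam_grants)


def effective_allow(policy: dict, iam_grants: List[Tuple[str, str]], account_id: str,
                    user_id: str, action: str, resource: str) -> bool:
    """The page's rule: the permission is effective only if both layers allow it."""
    return (bucket_policy_allows(policy, account_id, user_id, action, resource)
            and iam_allows(iam_grants, action, resource))


def make_bucket_policy(actions: List[str]) -> dict:
    """Bucket policy equivalent to the Table 1 selections for the given actions:
    one named IAM user of another account, current bucket plus all objects."""
    return {"Statement": [{
        "Sid": "grant-other-account-user",
        "Effect": "Allow",
        "Principal": {"ID": [f"domain/{OTHER_ACCOUNT_ID}:user/{AUTHORIZED_USER_ID}"]},
        "Action": actions,
        "Resource": [BUCKET, f"{BUCKET}/*"],
    }]}


# IAM grants configured in the other account for its users (constructed).
IAM_GRANTS = [("ListBucket", BUCKET), ("PutObject", f"{BUCKET}/*")]


def verification_walkthrough() -> Dict[str, bool]:
    """Replays the Verification section: before the grant, after ListBucket only,
    and after ListBucket plus PutObject; plus two negative cases."""
    no_policy = {"Statement": []}
    list_only = make_bucket_policy(["ListBucket"])
    list_and_put = make_bucket_policy(["ListBucket", "PutObject"])
    alice = (OTHER_ACCOUNT_ID, AUTHORIZED_USER_ID)
    obj = f"{BUCKET}/upload.txt"
    return {
        "list_before_grant": effective_allow(no_policy, IAM_GRANTS, *alice, "ListBucket", BUCKET),
        "list_after_grant": effective_allow(list_only, IAM_GRANTS, *alice, "ListBucket", BUCKET),
        "upload_with_list_only": effective_allow(list_only, IAM_GRANTS, *alice, "PutObject", obj),
        "upload_after_grant": effective_allow(list_and_put, IAM_GRANTS, *alice, "PutObject", obj),
        # Same account, but this user is not named in the bucket policy.
        "other_user_list": effective_allow(list_and_put, IAM_GRANTS, OTHER_ACCOUNT_ID,
                                           UNAUTHORIZED_USER_ID, "ListBucket", BUCKET),
        # Bucket policy alone is not enough when the IAM side grants nothing.
        "list_without_iam": effective_allow(list_and_put, [], *alice, "ListBucket", BUCKET),
    }


if __name__ == "__main__":
    for case, result in verification_walkthrough().items():
        print(f"{case}: {'allowed' if result else 'denied'}")
```

The two negative cases at the end are the ones worth checking when a grant "does not work": a user from the same account who is not covered by the Principal, and a user covered by the bucket policy whose own account has not granted the matching IAM permission. Both are denied, which is the behaviour the page's "both must allow" rule requires.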