Granting Temporary Access to OBS
Scenario
This case describes how to use temporary access keys (a temporary AK/SK pair and a security token) to access OBS in temporary authorization mode.
Assume that you want to enable an IAM user (user name: APPServer) to access the APPClient folder in bucket hi-company, and to apply for two different sets of temporary access keys to distribute to APP-1 and APP-2. APP-1 can access only the files in APPClient/APP-1. APP-2 can access only the files in APPClient/APP-2.
Procedure
- Log in to the management console using a cloud service account.
- On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management. The IAM console is displayed.
- Create an IAM user APPServer. For details, see Creating an IAM User.
- Create a user-defined policy that allows access to the APPClient folder in bucket hi-company.
- In the navigation pane, choose Policies.
- Configure parameters for a custom policy.
Before configuring an IAM policy, you need to understand what permissions are required. An IAM user only has the permissions defined by the policy. In this example, user APPServer only has full permissions on objects in the APPClient folder.
Table 1 Parameters for configuring a custom policy

| Parameter | Description |
| --- | --- |
| Policy Name | Name of the custom policy |
| Policy View | Choose the view you prefer. JSON is used here. |
| Policy Content | { "Version": "1.1", "Statement": [ { "Action": [ "obs:object:*" ], "Resource": [ "obs:*:*:object:hi-company/APPClient/*" ], "Effect": "Allow" } ] } |
| Scope | The default value is Global services. |

- Click OK. The custom policy is created.
- Create a user group and assign permissions.
Add the created custom policy to the user group by following the instructions in the IAM document.
- Add the IAM user (APPServer) you want to authorize to the created user group by referring to Adding Users to or Removing Users from a User Group.
Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.
- The IAM user (APPServer) obtains temporary access keys (temporary AK/SK and security token) for APP-1 and APP-2.
To obtain temporary access keys with different permissions, you need to set a temporary policy by adding the policy parameter in the request body. For details, see Obtaining a Temporary Access Key and Security Token Through a Token.
The following are sample requests for obtaining temporary access keys. The temporary policy is the policy object in each request body.
A sample request for obtaining a pair of temporary access keys for the device app APP-1:

    {
        "auth": {
            "identity": {
                "policy": {
                    "Version": "1.1",
                    "Statement": [
                        {
                            "Action": [ "obs:object:*" ],
                            "Resource": [ "obs:*:*:object:hi-company/APPClient/APP-1/*" ],
                            "Effect": "Allow"
                        }
                    ]
                },
                "token": { "duration-seconds": 900 },
                "methods": [ "token" ]
            }
        }
    }

A sample request for obtaining a pair of temporary access keys for the device app APP-2:

    {
        "auth": {
            "identity": {
                "policy": {
                    "Version": "1.1",
                    "Statement": [
                        {
                            "Action": [ "obs:object:*" ],
                            "Resource": [ "obs:*:*:object:hi-company/APPClient/APP-2/*" ],
                            "Effect": "Allow"
                        }
                    ]
                },
                "token": { "duration-seconds": 900 },
                "methods": [ "token" ]
            }
        }
    }

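The following is an added example, not part of the original page or the vendor's code: a Python sketch of how APPServer could generate the per-app request bodies above and refuse app folder names that would widen the temporary policy beyond one subfolder. The function names and the allowed folder-name character set are assumptions; the request is only built, not sent.

```python
import json
import re

BUCKET = "hi-company"        # bucket and folder from the scenario on this page
BASE_FOLDER = "APPClient"
# Assumption: app folder names use only letters, digits, '-' and '_'.
# Rejecting '/', '*', '?' and '.' keeps a supplied name from widening the scope.
_APP_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def scoped_resource(app_name):
    """Return the OBS resource pattern for one app's folder, or raise ValueError."""
    if not _APP_NAME.fullmatch(app_name):
        raise ValueError(f"unsafe app folder name: {app_name!r}")
    return f"obs:*:*:object:{BUCKET}/{BASE_FOLDER}/{app_name}/*"


def build_request(app_name, duration_seconds=900):
    """Build the request body shown on this page for one app."""
    return {
        "auth": {
            "identity": {
                "policy": {
                    "Version": "1.1",
                    "Statement": [{
                        "Action": ["obs:object:*"],
                        "Resource": [scoped_resource(app_name)],
                        "Effect": "Allow",
                    }],
                },
                "token": {"duration-seconds": duration_seconds},
                "methods": ["token"],
            }
        }
    }


def is_per_app_scoped(body, parent=f"obs:*:*:object:{BUCKET}/{BASE_FOLDER}/"):
    """True only if every resource is '<parent><folder>/*' with no other wildcard."""
    for stmt in body["auth"]["identity"]["policy"]["Statement"]:
        for res in stmt["Resource"]:
            tail = res[len(parent):]
            if not res.startswith(parent) or not tail.endswith("/*"):
                return False
            if "*" in tail[:-2] or ".." in tail:
                return False
    return True


if __name__ == "__main__":
    print(json.dumps(build_request("APP-1"), indent=4))
```

Running `is_per_app_scoped` on a body just before it is sent gives a second check that is independent of how the resource string was assembled.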
Verification
After APP-1 and APP-2 have the temporary access keys, they can access OBS through OBS APIs. APP-1 can access only files in the APPClient/APP-1 folder, and APP-2 can access only files in the APPClient/APP-2 folder.