Creating a Custom Policy for a Log Transfer Destination OBS Bucket
When creating a task for transferring logs to OBS, you must have the following permissions in addition to the LTS permissions: setting a bucket ACL (obs:bucket:PutBucketAcl), listing buckets (obs:bucket:ListAllMyBuckets), obtaining the bucket metadata (obs:bucket:HeadBucket), obtaining a bucket ACL (obs:bucket:GetBucketAcl), and obtaining bucket encryption configuration (obs:bucket:GetEncryptionConfiguration). For details, see Bucket Actions.
After configuring the LTS FullAccess or LTS Administrator permission policy, you must select the lts:transfers:create action for the custom policy. For more permission information, see Permissions.
This section describes how to create a custom policy for OBS bucket actions in IAM and attach the policy to a user group, thereby granting its users the specified permissions.
Prerequisites
An OBS bucket has been created.
Granting Permissions to an OBS Bucket
When configuring permissions, follow the principle of least privilege and grant only the permissions required for log transfer to avoid over-authorization.
- Log in to the IAM console.
- In the navigation pane, choose Permissions > Policies/Roles. Then, click Create Custom Policy.
- On the Create Custom Policy page, set parameters as follows. For details, see Creating a Custom Policy.
  Figure 1 Custom authorization
  - Select Visual editor for Policy View.
  - For Policy Content, click Select service and select Object Storage Service (OBS).
  - Click Actions, enter the following permissions in the search box, and select them:
    - obs:bucket:PutBucketAcl (for configuring bucket ACLs)
    - obs:bucket:ListAllMyBuckets (for obtaining the bucket list)
    - obs:bucket:HeadBucket (for obtaining bucket metadata)
    - obs:bucket:GetBucketAcl (for obtaining bucket ACLs)
    - obs:bucket:GetEncryptionConfiguration (for obtaining bucket encryption configurations)
- Click OK. The custom policy is created.
- Attach the policy to the user group to which the IAM user belongs. Users in the group then inherit the permissions defined in the policy. For details, see Creating a User Group and Assigning Permissions.
- Go to the LTS console to configure log transfer to OBS.
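The following Python check is an added example, not part of the original documentation: it audits a policy document for the five OBS actions selected in the procedure above and reports any that are missing and any OBS grants beyond them. It assumes the policy is available as JSON with Statement, Effect and Action fields; the function names and the sample policies are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# The five OBS actions the procedure above selects for log transfer.
REQUIRED = {
    "obs:bucket:PutBucketAcl",
    "obs:bucket:ListAllMyBuckets",
    "obs:bucket:HeadBucket",
    "obs:bucket:GetBucketAcl",
    "obs:bucket:GetEncryptionConfiguration",
}

def audit_policy(policy_json):
    """Return (missing, excess) OBS actions for one policy document.

    Only Allow statements are read; Deny statements are not evaluated.
    """
    granted = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # Keep OBS grants and leading-wildcard grants that could cover OBS.
        granted.update(a for a in actions if a.startswith(("obs:", "*")))
    # A required action counts as present if any grant (literal or wildcard) matches it.
    missing = sorted(r for r in REQUIRED
                     if not any(fnmatchcase(r, g) for g in granted))
    # Anything granted outside the five actions, wildcards included, is over-authorization.
    excess = sorted(granted - REQUIRED)
    return missing, excess

def make_policy(actions):
    # Constructed sample in the assumed JSON layout.
    return json.dumps({"Version": "1.1",
                       "Statement": [{"Effect": "Allow", "Action": actions}]})

EXACT = make_policy(sorted(REQUIRED))
BROAD = make_policy(["obs:*:*"])
DRIFT = make_policy(sorted(REQUIRED - {"obs:bucket:GetEncryptionConfiguration"})
                    + ["obs:bucket:DeleteBucket"])

if __name__ == "__main__":
    for name, doc in (("exact", EXACT), ("broad", BROAD), ("drift", DRIFT)):
        print(name, audit_policy(doc))
```

An empty result for both lists means the policy grants exactly the actions this page requires; a wildcard grant satisfies the requirement but is reported as excess.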