Why Does Message "Access denied" Appear After I Was Granted the Read and Write Permissions for a Bucket?

Cause

If you use a bucket policy to grant the IAM user the bucket read and write permissions, the IAM user has the permissions to call the following APIs:

• GetObject: downloading objects
• GetObjectVersion: downloading objects and their versions
• PutObject: uploading objects
• DeleteObject: deleting objects
• DeleteObjectVersion: deleting objects and their versions

Each API requires an operation permission. IAM users can call these APIs directly or through SDKs. However, when you log in to OBS Console or using a client tool such as OBS Browser+, more APIs (such as ListAllMyBuckets and ListBucket) are called to load the bucket list and object list. If your permissions do not cover those APIs, your access is denied, or you are informed that the operation is not allowed.

Solutions

Authorized permissions are valid, though operations on the console or client are restricted. You can call the APIs directly or through SDKs.

If you want to access OBS through OBS Console or OBS Browser+ (a client), you can configure OBS custom policies on the IAM console to grant more OBS permissions to a user group, and add the user who requires the permissions to this group.