Help Center/ Content Delivery Network/ FAQs/ Usage/ How Do I Replace the Old OBS Agency Permissions with New Ones?
Updated on 2025-04-11 GMT+08:00

How Do I Replace the Old OBS Agency Permissions with New Ones?

Since April 2, 2025 (Beijing time), Huawei Cloud CDN has enabled the new OBS agency. It has fewer permissions than the old one. For details about their differences, see Table 1.

Table 1 Comparison of OBS agency permissions

Version

Permissions Granted to CDN After the Agency Is Enabled

Old

All permissions of the IAM system-defined role Tenant Guest. For details, see IAM Permissions.

New

obs:object:GetObject for obtaining object content and metadata.

To use the new agency, perform the following steps:

  1. Create a custom policy.

    1. Log in to Huawei Cloud console. Choose Service List > Management & Government > Identity and Access Management to access the IAM console.
    2. In the navigation pane, choose Permissions > Policies/Roles.
    3. Click Create Custom Policy in the upper right corner of the page.
      Figure 1 Creating a custom policy
    4. Set the parameters as follows:
      • Policy Name: Enter a custom name, for example, CDNAccessPrivateOBS GetAccess.
      • Policy Content:
        • Select Allow.
        • Cloud service: Select Object Storage Service (OBS).
        • Action: Select obs:object:GetObject.
        • Resources: Select All.
        • (Optional) Request conditions: Retain the default value.
      • Description: Briefly describe the policy.
      • Scope: Global services
    5. After the parameters are set, click OK.

  2. Authorize the custom policy to the OBS agency.

    1. In the navigation pane, choose Agencies.
    2. Locate the row that contains CDNAccessPrivateOBS and click Authorize in the Operation column.
    3. Select the custom policy created in 1 and click Next.
    4. Set Scope to All resources and click OK.

  3. Delete permissions of the old version.

    1. On the Agencies page, click CDNAccessPrivateOBS.
    2. Click the Permissions tab. Thera are two policies/roles.
      Figure 2 Policy/Role list
    3. Delete the Tenant Guest role.

      It takes 15 to 30 minutes for a new custom policy to take effect. Delete the old role after the new policy takes effect to prevent service loss.