Granting an IAM User the Read/Write Permission on a Bucket

Scenario

This topic describes how to grant an IAM user the read/write permission on an OBS bucket.

Recommended Configuration Method

You are advised to use bucket policies to grant resource-level permissions to an IAM user.

Configuration Precautions

The preset template Bucket Read/Write allows a specified IAM user to perform all actions excluding the following ones on a bucket and the objects in it:

DeleteBucket (to delete a bucket)
PutBucketPolicy (to configure a bucket policy)
PutBucketAcl (to configure a bucket ACL)

After finishing the configuration, the IAM user can use APIs or SDKs to upload, download, and delete objects in the bucket. However, if they log in to OBS Console or OBS Browser+ to perform those operations, an error will be reported indicating that they do not have required permissions. For details, see the error cause.

If you still want the IAM user to perform read and write operations on OBS Console or OBS Browser+, you need to configure custom IAM policies by referring to Follow-up Procedure.

After finishing the configuration, the system still displays a message indicating that the IAM user does not have required permissions, because OBS Console also calls other APIs for advanced configuration. However, the IAM user can normally perform read/write operations.

Procedure

In the navigation pane of OBS Console, choose Buckets.
In the bucket list, click the bucket name you want to go to the Objects page.
In the navigation pane, choose Permissions > Bucket Policies.
Click Create.
Choose a policy configuration method you like. Visual Editor is used here.

Configure a bucket policy.

Figure 1 Configuring a bucket policy

**Table 1** Parameters for configuring a bucket policy
Parameter		Description
Policy Name		Enter a policy name.
Policy content	Effect	Select Allow.
	Principals	Select Current account. IAM users: Select an IAM user that you want to grant permissions to.
	Resources	Select Entire bucket (including the objects in it).
	Actions	Choose Use a template. Select Bucket Read/Write.

Ensure all the configurations are correct and click Create.

Follow-up Procedure

To perform read and write operations on OBS Console or OBS Browser+, you must add the obs:bucket:ListAllMyBuckets (for listing buckets) and obs:bucket:ListBucket (for listing objects in a bucket) permissions to the custom IAM policy.

obs:bucket:ListAllMyBuckets applies to all resources, while obs:bucket:ListBucket applies only to the authorized bucket. Therefore, you need to add these two permissions to the policy.

Log in to Huawei Cloud and click Console in the upper right corner.
On the console, hover your cursor over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.
In the navigation pane, choose Permissions > Policies/Roles > Create Custom Policy.

Configure a custom policy.

Figure 2 Configuring a custom policy

**Table 2** Parameters for configuring a custom policy
Parameter	Description
Policy Name	Enter a policy name.
Policy View	Set this parameter based on your own habits. Visual editor is used here.
Policy Content	[Permission 1] Select Allow. Select Object Storage Service (OBS). Select obs:bucket:ListAllMyBuckets from the actions. Select All for resources. [Permission 2] Select Allow. Select Object Storage Service (OBS). Select obs:bucket:ListBucket from the actions. Select Specific for Resources and select Specify resource path for Bucket. Click Add Resource Path. Enter the bucket name in the Path text box for applying the policy only to this bucket.
Scope	Use the default value Global services.

Click OK.
Create a user group and assign permissions.

Apply the created custom policy to the user group by following the instructions in the IAM document.
Add the IAM user you want to authorize to the created user group by referring to Adding Users to or Removing Users from a User Group.

Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.