Granting an IAM User Permissions to Operate a Specific Bucket
Create an IAM user under in an account. The IAM user has no permission to any resource before it is added to any user group. The bucket owner (root account) or other accounts and IAM users, who have the permission to set bucket policies, can configure bucket policies to grant the bucket operation permissions to IAM users.
The following is an example about how to grant an IAM user the bucket access and object upload permissions.
Procedure
- In the bucket list, click the bucket you want to operate. The Overview page is displayed.
- In the navigation pane, choose Permissions.
- Choose Bucket Policies > Custom Bucket Policies.
- Click Create Bucket Policy. The Create Bucket Policy dialog box is displayed.
- Configure parameters listed in the table below to grant an IAM user the permission to access the bucket (to list objects in the bucket).
Table 1 Parameters for granting permission to access a bucket Parameter
Value
Policy Mode
Customized
Effect
Allow
Principal
- Include
- Select Current account and select the IAM user to be authorized.
Resources
- Include
- Leave it blank.
Actions
- Include
- ListBucket
- Click OK.
- Click Create Bucket Policy. The Create Bucket Policy dialog box is displayed.
- Configure parameters in the table below to grant an IAM user the permission to upload objects to a bucket.
Before granting this permission to a user, ensure that the user has the permission to access the bucket.
Table 2 Parameters for granting permission to upload objects Parameter
Value
Policy Mode
Customized
Effect
Allow
Principal
- Include
- Select Current account and select the IAM user to be authorized.
Resources
- Include
- Resource name: *
Actions
- Include
- PutObject
NOTE:In this example, only the permission to upload objects is granted. You can also select other object actions to grant corresponding permissions if needed. The asterisk (*) indicates all actions.
For details about the supported actions, see Actions.
- Click OK.
Verification
Verify the preceding permissions on OBS Browser.
- Obtain the AK and SK for the authorized IAM user from OBS Console.
- Open OBS Browser, enter the obtained AK and SK, and set the Access Path to the name of the authorized bucket.
Figure 1 Adding a new account - OBS
- Access requests from unauthorized users are denied.
- After being granted the permission to access the bucket, the user can access the bucket on OBS Browser, with objects in the bucket properly displayed.
- Upload an object to the bucket. The upload fails. Click in the upper right corner of the page. On the task management page displayed, you can see the task status is Failed and the failure reason is Access denied.
- After being granted the permission to upload objects, the user can upload objects to the bucket on OBS Browser, with the uploaded objects properly displayed in the object list.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot