Using IAM Identity Policies to Grant Access to OBS (New IAM Console)
You can use Identity and Access Management (IAM) to control access to your OBS resources. IAM provides two authorization models: role/policy-based authorization and identity policy-based authorization. For details about the differences between these two models, see Permissions and Supported Actions. This section describes identity policy-based authorization. With IAM identity policy-based authorization, you can:
- Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user has their own identity credentials for accessing OBS resources.
- Grant users only the permissions required to perform a given task based on their job responsibilities.
- Entrust a HUAWEI ID or a cloud service to perform professional and efficient O&M on your OBS resources.
If your Huawei Cloud account meets your permissions requirements, you can skip this section.
Figure 1 shows the process of identity policy-based authorization.
Prerequisites
You have learned the OBS permissions that can be assigned. For details about the system-defined policies supported by OBS, see IAM-based Permissions Management. To grant permissions for services other than OBS, learn about all system-defined permissions supported by IAM.
Process Flow
- On the IAM console, create an IAM user or create a user group.
- Attach a system-defined identity policy to the user or user group.
Attach the OBSReadOnlyPolicy policy.
- Log in to the management console as the IAM user and verify permissions.
Log in to OBS Console as the authorized user and verify the permissions.
- On OBS Console, click Create Bucket in the upper right corner. If the bucket creation fails (assuming that OBSReadOnlyPolicy is the only policy attached to the user), the OBSReadOnlyPolicy policy is in effect.
- Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the OBSReadOnlyPolicy policy is in effect.
Example Custom Identity Policies
You can create custom identity policies to supplement the system-defined identity policies of OBS. For details about actions supported in custom policies, see Object Actions.
To create a custom policy, choose either visual editor or JSON.
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a JSON policy or edit an existing one.
For details, see Creating a Custom Identity Policy and Attaching It to a Principal.
When creating a custom policy, use the Resource element to specify the resources the policy applies to and use the Condition element (condition keys) to control when the policy is in effect. For details about resource types and condition keys supported in custom policies, see Object Actions. The following provides some examples of commonly used custom OBS policies.
- Example 1: Grant users all OBS permissions.
- Example 2: Grant users all permissions for OBS Console.
This policy allows users to perform all operations on OBS Console.
When logging in to OBS Console, users may need to access resources of other services, such as CTS audit information, CDN acceleration domain names, and KMS keys. For this reason, in addition to the OBS permissions granted in Example 1, the access permissions for other services need to be granted. CDN is global, while CTS and KMS are regional. You need to configure the Tenant Guest permission for the global project and regional projects based on the services and regions that you use. The Tenant Guest permission includes the read-only permission for all services except IAM.
  {
    "Version": "5.0",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "obs:*:*"
        ]
      }
    ]
  }
- Example 3: Grant users the permissions to list and download all objects in a bucket.
- Example 4: Grant users the permissions to list objects and download objects from a specified directory in a bucket. This policy allows an authorized user to download objects only in the my-project/ directory in bucket obs-example. Objects in any other directory in the bucket can be listed but cannot be downloaded.
  {
    "Version": "5.0",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "obs:object:getObject",
          "obs:bucket:listBucket"
        ],
        "Resource": [
          "obs:*:*:object:obs-example/my-project/*",
          "obs:*:*:bucket:obs-example"
        ]
      }
    ]
  }
- Example 5: Grant users the read/write permissions for a specified directory in a bucket. This policy allows an authorized user to list, upload, download, and delete objects in the my-project directory in bucket obs-example.
  {
    "Version": "5.0",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "obs:object:getObject",
          "obs:object:listMultipartUploadParts",
          "obs:bucket:listBucket",
          "obs:object:deleteObject",
          "obs:object:putObject"
        ],
        "Resource": [
          "obs:*:*:object:obs-example/my-project/*",
          "obs:*:*:bucket:obs-example"
        ]
      }
    ]
  }
- Example 6: Grant users all permissions for a bucket.
- Example 7: Grant users the permission to deny object upload.
A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
If you need to assign the system-defined identity policy OBSBasicOperationsPolicy to a user but also prevent the user from uploading objects, create a custom policy to deny object uploads, and assign both this custom policy and OBSBasicOperationsPolicy to the user. Then the user can perform all operations allowed by OBSBasicOperationsPolicy except for uploading objects. The following gives an example policy that denies object upload.
  {
    "Version": "5.0",
    "Statement": [
      {
        "Effect": "Deny",
        "Action": [
          "obs:object:putObject"
        ]
      }
    ]
  }
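To make the two rules that matter most in the examples above concrete (a Resource element scoping an Allow to one directory, as in Examples 4 and 5, and an explicit Deny overriding any Allow, as in Example 7), here is a small policy evaluator. It is an added example written for this page, not Huawei Cloud's own code and not IAM's real evaluation engine: it assumes a simplified model in which "*" in an Action or Resource string is a glob wildcard, Condition elements are ignored, and the request resources are constructed strings in the same shape as the Resource values shown above.

```python
import fnmatch
import json

# Constructed policy documents, copied in shape from Examples 4, 2 and 7 above.
DIRECTORY_READ_POLICY = json.loads("""
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["obs:object:getObject", "obs:bucket:listBucket"],
      "Resource": [
        "obs:*:*:object:obs-example/my-project/*",
        "obs:*:*:bucket:obs-example"
      ]
    }
  ]
}
""")

ALLOW_ALL_OBS_POLICY = json.loads("""
{
  "Version": "5.0",
  "Statement": [
    {"Effect": "Allow", "Action": ["obs:*:*"]}
  ]
}
""")

DENY_UPLOAD_POLICY = json.loads("""
{
  "Version": "5.0",
  "Statement": [
    {"Effect": "Deny", "Action": ["obs:object:putObject"]}
  ]
}
""")


def _matches(patterns, value):
    """Glob-style match of a request value against policy patterns.

    Assumption of this toy model: a '*' in an Action or Resource string
    matches any run of characters, including the ':' and '/' separators.
    """
    return any(fnmatch.fnmatchcase(value, pattern) for pattern in patterns)


def evaluate(policies, action, resource):
    """Decide one request against all identity policies attached to a user.

    Returns 'Allow', 'Deny' or 'ImplicitDeny'. The rule modelled is the one
    the page states: an explicit Deny in any policy overrides every Allow,
    and a request that no statement allows is denied by default.
    Condition elements are not evaluated in this simplified model.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not _matches(statement["Action"], action):
                continue
            # A statement without a Resource element (Examples 2 and 7)
            # applies to every resource.
            if "Resource" in statement and not _matches(statement["Resource"], resource):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # explicit Deny wins regardless of order
            decision = "Allow"
    return decision


# Constructed request resources, written in the same shape as the page's
# Resource strings; bucket and object names are sample values.
PROJECT_OBJECT = "obs:*:*:object:obs-example/my-project/report.csv"
OTHER_OBJECT = "obs:*:*:object:obs-example/shared/notes.txt"
BUCKET = "obs:*:*:bucket:obs-example"


def demo():
    """Evaluate representative requests and return the list of decisions."""
    cases = [
        ([DIRECTORY_READ_POLICY], "obs:object:getObject", PROJECT_OBJECT),   # in scope
        ([DIRECTORY_READ_POLICY], "obs:object:getObject", OTHER_OBJECT),     # other directory
        ([DIRECTORY_READ_POLICY], "obs:bucket:listBucket", BUCKET),          # listing allowed
        ([DIRECTORY_READ_POLICY], "obs:object:putObject", PROJECT_OBJECT),   # action not granted
        ([ALLOW_ALL_OBS_POLICY, DENY_UPLOAD_POLICY], "obs:object:putObject", PROJECT_OBJECT),
        ([ALLOW_ALL_OBS_POLICY, DENY_UPLOAD_POLICY], "obs:object:getObject", OTHER_OBJECT),
    ]
    return [evaluate(policies, action, resource) for policies, action, resource in cases]


if __name__ == "__main__":
    for (policies, action, resource), decision in zip(demo.__code__.co_consts, demo()):
        pass
    for decision in demo():
        print(decision)
```

Running the block prints Allow, ImplicitDeny, Allow, ImplicitDeny, Deny, Allow in that order: the directory-scoped policy lets the user fetch an object under my-project/ and list the bucket, but not fetch an object elsewhere or upload anything, and pairing the all-OBS Allow with the Deny from Example 7 blocks uploads while leaving downloads intact.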