Updated on 2025-09-26 GMT+08:00

Creating a Custom Policy for a Log Transfer Destination OBS Bucket

When creating a task for transferring logs to OBS, you must have the following permissions in addition to the LTS permissions: setting a bucket ACL (obs:bucket:PutBucketAcl), listing buckets (obs:bucket:ListAllMyBuckets), obtaining the bucket metadata (obs:bucket:HeadBucket), obtaining a bucket ACL (obs:bucket:GetBucketAcl), and obtaining the bucket encryption configuration (obs:bucket:GetEncryptionConfiguration). For details, see Bucket Actions.

After configuring the LTS FullAccess or LTS Administrator permission policy, you must select the lts:transfers:create action for the custom policy. For more permission information, see Permissions.

This section describes how to create a custom policy for OBS bucket actions in IAM and attach the policy to a user group, thereby granting its users the specified permissions.

Prerequisites

An OBS bucket has been created.

Granting Permissions to an OBS Bucket

When configuring permissions, follow the principle of least privilege and grant only the permissions required for log transfer to avoid over-authorization.

  1. Log in to the IAM console.
  2. In the navigation pane, choose Permissions > Policies/Roles. Then, click Create Custom Policy.
  3. On the Create Custom Policy page, set parameters as follows. For details, see Creating a Custom Policy.

    Figure 1 Custom authorization
    1. Select Visual editor for Policy View.
    2. For Policy Content, click Select service and select Object Storage Service (OBS).
    3. Click Actions, enter the following permissions in the search box, and select them:
      • obs:bucket:PutBucketAcl (for configuring bucket ACLs)
      • obs:bucket:ListAllMyBuckets (for obtaining the bucket list)
      • obs:bucket:HeadBucket (for obtaining bucket metadata)
      • obs:bucket:GetBucketAcl (for obtaining bucket ACLs)
      • obs:bucket:GetEncryptionConfiguration (for obtaining bucket encryption configurations)

  4. Click OK. The custom policy is created.
  5. Attach the policy to the user group to which the IAM user belongs. Users in the group then inherit the permissions defined in the policy. For details, see Creating a User Group and Assigning Permissions.
  6. Go to the LTS console to configure log transfer to OBS.
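To check that a custom policy grants exactly the five OBS actions listed above and nothing broader, the following added example (not part of the original documentation) audits a policy document for missing and excess actions. The JSON layout (`Version`, `Statement`, `Effect`, `Action`) is assumed to match the IAM JSON policy view, `audit_policy` is a hypothetical helper name, and the sample policies are constructed.

```python
import json
from fnmatch import fnmatchcase

# The five OBS bucket actions this page lists for log transfer to OBS.
REQUIRED = {
    "obs:bucket:PutBucketAcl",
    "obs:bucket:ListAllMyBuckets",
    "obs:bucket:HeadBucket",
    "obs:bucket:GetBucketAcl",
    "obs:bucket:GetEncryptionConfiguration",
}

def audit_policy(policy_json):
    """Return (missing, excess) action lists for a policy's Allow statements."""
    policy = json.loads(policy_json)
    allowed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        allowed.update([actions] if isinstance(actions, str) else actions)
    # A required action counts as granted if any allowed pattern,
    # wildcards included, matches it.
    missing = {r for r in REQUIRED
               if not any(fnmatchcase(r, a) for a in allowed)}
    # Anything other than the exact required actions is over-authorization,
    # including wildcards that happen to cover them.
    excess = allowed - REQUIRED
    return sorted(missing), sorted(excess)

def make_policy(actions):
    """Build a policy document in the assumed IAM JSON layout."""
    return json.dumps({"Version": "1.1",
                       "Statement": [{"Effect": "Allow", "Action": actions}]})

# Constructed sample policies.
LEAST_PRIVILEGE = make_policy(sorted(REQUIRED))
OVER_BROAD = make_policy(["obs:bucket:*", "obs:bucket:DeleteBucket"])
INCOMPLETE = make_policy(["obs:bucket:ListAllMyBuckets",
                          "obs:bucket:HeadBucket",
                          "obs:bucket:GetBucketAcl"])

if __name__ == "__main__":
    for name, doc in [("least-privilege", LEAST_PRIVILEGE),
                      ("over-broad", OVER_BROAD),
                      ("incomplete", INCOMPLETE)]:
        missing, excess = audit_policy(doc)
        print(f"{name}: missing={missing} excess={excess}")
```

A policy that passes returns two empty lists; a wildcard such as `obs:bucket:*` satisfies the transfer task but is reported as excess because it grants more than log transfer needs.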