Help Center/ Object Storage Service/ Permissions Configuration Guide (Paris Region)/ Configuration Cases in Typical Permission Control Scenarios/ Granting Permissions to Other Accounts/ Granting Other Accounts the Read/Write Permission for a Bucket
Updated on 2024-02-29 GMT+08:00
View PDF
Share

Granting Other Accounts the Read/Write Permission for a Bucket

Scenario

This topic describes how to grant other accounts (excluding the IAM users under them) the read/write permission for OBS buckets. For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and the Resources in It.

Recommended Configuration

You are advised to use bucket policies to grant permissions to other accounts.

Configuration Precautions

After the configuration is complete, the authorized account can perform read and write operations (upload, download, or delete all objects in a bucket) by using APIs or by adding external buckets through OBS Browser+. Currently, access to buckets of other accounts is not allowed on OBS Console.

When you use OBS Browser+ to access the added external bucket, a message may still be displayed indicating that you do not have required permissions.

Error cause: The loading on the OBS Browser+ bucket details page invokes some other OBS APIs. However, such operations are not allowed by the read and write permissions. Therefore, a message "Access denied. Check the response permission" or "This operation is not allowed on the requested resource" is displayed, however, existing permissions are not affected.

Procedure

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket name you want to go to the Overview page.
  3. In the navigation pane, choose Permissions.
  4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
  5. Configure parameters for a bucket policy.

    Table 1 Parameters for creating a bucket policy

    Parameter

    Description

    Policy Mode

    Select Read and write.

    Principal
    • Select Include > Other account.
    • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
    • User ID: Enter the account ID, which can be obtained from the My Credentials page of the account.
      NOTE:

      In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.

    Resources
    • Include
    • Resource Name: Enter *.

  6. Click OK. The bucket policy is created.
  7. (Optional) Click Create Bucket Policy again.

    If the authorized account wants to access the OBS bucket on OBS Browser+ by mounting an external bucket, you need to add a ListBucket permission.

  8. (Optional) Configure the ListBucket permission.

    Table 2 Parameters for creating a bucket policy

    Parameter

    Description

    Policy Mode

    Select Customized.

    Effect

    Select Allow.

    Principal
    • Select Include > Other account.
    • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
    • User ID: Enter the account ID.
      NOTE:

      In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.

    Resources

    Select Include > Entire bucket.

    Actions
    • Include
    • Action Name: ListBucket

  9. (Optional) Click OK. The bucket policy is created.