Updated on 2024-10-15 GMT+08:00

Why Is the Message "Access denied" Still Appearing After OBS System Permissions or Bucket Read and Write Permissions Are Allowed?

Cause

  • OBS system permissions

    System permissions such as OBS ReadOnlyAccess, OBS OperateAccess, and OBS Buckets Viewer configured in IAM allow only specific OBS operations. For example, OBS OperateAccess lets you list buckets, obtain basic bucket information and bucket metadata, list objects (but not object versions), upload, download, and delete objects, and obtain object ACLs.

  • Bucket read and write permissions

    If you use a bucket policy to grant users the bucket read and write permissions, the users have the permissions to:

    • GetObject: Download objects.
    • GetObjectVersion: Download objects and their versions.
    • PutObject: Upload objects.
    • DeleteObject: Delete objects.
    • DeleteObjectVersion: Delete objects and their versions.

Each API requires its own operation permission. Users can call these APIs directly or through SDKs. However, when users log in to OBS Console or OBS Browser+, the client calls APIs such as ListAllMyBuckets and ListBucket to load the bucket list and object list, and other pages call further APIs. If the granted permissions do not cover those APIs, the "Access denied" message is displayed.

For example, loading a bucket's overview page calls APIs that query the configuration status of lifecycle and CORS rules (see Figure 1). The preset system permissions do not cover these operations.

Figure 1 Basic bucket configurations

Solutions

The authorized permissions are valid; only some operations on the console or client are restricted. You can still call the APIs directly or through SDKs.

When OBS OperateAccess or bucket read and write permissions are granted, you can upload and download objects on OBS Console or OBS Browser+.

If you do not want these error messages to appear, configure OBS custom policies on the IAM console to grant the additional OBS permissions to a user group, and add the user who requires them to that group.

Why Can't I List Objects on OBS Console Even If I Have Been Granted the OBS OperateAccess and OBS ReadOnlyAccess Permissions?

The system policies OBS OperateAccess and OBS ReadOnlyAccess contain only obs:bucket:ListBucket (used to list objects); they do not contain obs:bucket:ListBucketVersions (used to list object versions).

If a bucket holds multiple versions of objects, IAM users may fail to list objects in that bucket on OBS Console. In such cases, grant the IAM users the obs:bucket:ListBucketVersions permission.
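The gap described in both sections above (a policy that allows the object-level APIs but not the listing calls the console makes) can be checked before a user logs in. The following Python script is an added example, not Huawei Cloud code or tooling: it parses an IAM custom policy in the Version 1.1 format, expands Allow/Deny statements with wildcard actions, and reports which of the console's listing actions are still missing. The two sample policies are constructed for the example; the first only mirrors the page's statement that the system policies include obs:bucket:ListBucket but not obs:bucket:ListBucketVersions and is not the real content of OBS ReadOnlyAccess. The obs:bucket:ListAllMyBuckets action name and the obs:*:*:bucket:* Resource value are assumptions about the policy grammar, and the checker ignores Resource entirely.

```python
import fnmatch
import json

# Actions the page says OBS Console calls to load the bucket and object lists.
# ListBucketVersions is only needed once a bucket holds versioned objects.
# The ListAllMyBuckets action string is an assumption; the other two are from
# the page.
CONSOLE_LIST_ACTIONS = {
    "obs:bucket:ListAllMyBuckets",
    "obs:bucket:ListBucket",
    "obs:bucket:ListBucketVersions",
}


def _statement_actions(statement: dict) -> list:
    """Normalise the Action field, which may be a string or a list."""
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def effective_actions(policy: dict, candidates) -> set:
    """Return the candidate actions the policy grants after explicit denies.

    Wildcards such as "obs:bucket:*" are matched with fnmatch. Resource
    constraints are ignored: this only answers whether an action is named.
    """
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _statement_actions(stmt):
            target.update(a for a in candidates if fnmatch.fnmatchcase(a, pattern))
    return allowed - denied


def missing_console_actions(policy: dict, required=CONSOLE_LIST_ACTIONS) -> set:
    """Console listing actions the policy does not grant (empty set = fine)."""
    return set(required) - effective_actions(policy, required)


# Constructed sample: lists buckets and objects, but not object versions.
# NOT the real OBS ReadOnlyAccess policy, only the shape the page describes.
LIST_ONLY_POLICY = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "obs:bucket:ListAllMyBuckets",
        "obs:bucket:ListBucket",
        "obs:object:GetObject"
      ]
    }
  ]
}
""")

# Constructed custom policy that closes the gap for versioned buckets.
# The Resource value is an assumption about the IAM resource format.
VERSIONED_LIST_POLICY = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "obs:bucket:ListAllMyBuckets",
        "obs:bucket:ListBucket",
        "obs:bucket:ListBucketVersions"
      ],
      "Resource": ["obs:*:*:bucket:*"]
    }
  ]
}
""")


if __name__ == "__main__":
    for name, policy in (("list-only", LIST_ONLY_POLICY),
                         ("versioned-list", VERSIONED_LIST_POLICY)):
        missing = missing_console_actions(policy)
        status = "console listing will fail on versioned buckets" if missing else "ok"
        print(f"{name}: missing={sorted(missing)} -> {status}")
```

Run it against an exported custom policy instead of the embedded samples to see whether a user group will hit "Access denied" on the console even though its API and SDK calls succeed; an explicit Deny of a listing action is reported as missing as well.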