Granting an IAM User the Specified Permissions on Specified Objects
Scenario
This topic describes how to grant an IAM user the permissions required to download specific objects from a bucket.
If you need to configure other permissions, select the corresponding actions from the Action Name drop-down list in the bucket policy. For details, see Action/NotAction.
Recommended Configuration Method
You are advised to use bucket policies to grant resource-level permissions to an IAM user.
Configuration Precautions
After finishing the configuration, the IAM user can download objects using APIs or SDKs. However, if they log in to OBS Console or OBS Browser+ to download an object, an error will be reported indicating that they do not have required permissions.
This is because when they log in to OBS Console or OBS Browser+, APIs (such as ListAllMyBuckets and ListBucket) are called to load the bucket list and object list and some other APIs will also be called on other pages. In such case, their access or operation is not allowed.
If you want an IAM user to successfully download objects on OBS Console or OBS Browser+, you need to configure custom IAM policies by referring to Follow-up Procedure.
Procedure
- In the navigation pane of OBS Console, choose Buckets.
- In the bucket list, click the bucket name you want to go to the Objects page.
- In the navigation pane, choose Permissions > Bucket Policies.
- On the Bucket Policies page, click Create.
- Choose a policy configuration method you like. Visual Editor is used here.
- Configure a bucket policy.
Figure 1 Configuring a bucket policy
Table 1 Parameters for configuring a bucket policy Parameter
Description
Policy Name
Enter a policy name.
Policy content
Effect
Select Allow.
Principals
- Select Current account.
- IAM users: Select an IAM user that you want to grant permissions to.
Resources
- Select Specified objects.
- Enter an object name prefix for the resource path.
NOTE:
- You can click Add to specify multiple resource paths.
- You can specify a specific object, an object set, or a directory. * indicates all objects in the bucket.
To specify a specific object, enter the object name.
To specify a set of objects, enter Object name prefix*, *Object name suffix, or *.
Actions
- Choose Customize.
- Select GetObject (to obtain object content and metadata).
NOTE:
To configure other permissions, select the corresponding actions. For details, see Action/NotAction.
- Ensure all the configurations are correct and click Create.
Follow-up Procedure
To perform specific operations on OBS Console or OBS Browser+, you must add the obs:bucket:ListAllMyBuckets (for listing buckets) and obs:bucket:ListBucket (for listing objects in a bucket) permissions to the custom IAM policy.
obs:bucket:ListAllMyBuckets applies to all resources, while obs:bucket:ListBucket applies only to the authorized bucket. Therefore, you need to add these two permissions to the policy.
- Log in to Huawei Cloud and click Console in the upper right corner.
- On the console, hover your cursor over the username in the upper right corner, and choose Identity and Access Management from the drop-down list.
- In the navigation pane, choose Permissions > Policies/Roles > Create Custom Policy.
- Configure a custom policy.
Figure 2 Configuring a custom policy
Table 2 Parameters for configuring a custom policy Parameter
Description
Policy Name
Enter a policy name.
Policy View
Set this parameter based on your own habits. Visual editor is used here.
Policy Content
[Permission 1]
- Select Allow.
- Select Object Storage Service (OBS).
- Select obs:bucket:ListAllMyBuckets from the actions.
- Select All for resources.
[Permission 2]
- Select Allow.
- Select Object Storage Service (OBS).
- Select obs:bucket:ListBucket from the actions.
- Select Specific for Resources and select Specify resource path for Bucket. Click Add Resource Path. Enter the bucket name in the Path text box for applying the policy only to this bucket.
Scope
Use the default value Global services.
- Click OK.
- Create a user group and assign permissions.
Apply the created custom policy to the user group by following the instructions in the IAM document.
- Add the IAM user you want to authorize to the created user group by referring to Adding Users to or Removing Users from a User Group.
Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot