Granting Other Accounts Permissions to Operate a Specific Bucket
The bucket owner (root account), or any other account or IAM user that has permission to set bucket policies, can configure a bucket policy to grant bucket operation permissions to other accounts or to IAM users under other accounts.
The following example shows how to grant other accounts the permissions to access a bucket and upload objects.
To grant permissions to IAM users under other accounts, you need to configure both bucket policies and IAM policies.
- Configure a bucket policy to allow IAM users to access the bucket.
- Configure IAM policies in the account to which the authorized IAM users belong, to allow the IAM users to access the bucket.
Only permissions that are allowed by both the bucket policy and the IAM policies take effect.
Procedure
- In the bucket list, click the bucket you want to operate to go to the Objects page.
- In the navigation pane, choose Permissions > Bucket Policies.
- Click Create.
- Configure parameters listed in the table below to grant other accounts the permissions to access the bucket (to list objects in the bucket) and to upload objects.
Table 1 Parameters for granting the object listing and upload permissions (Parameter: Description)
- Configuration method: Choose Visual Editor.
- Policy Name: Enter a custom policy name.
- Policy content:
  - Effect: Select Allow.
  - Principals:
    - Select Other accounts.
    - NOTE:
      - You can obtain the account ID and IAM user ID from the My Credentials page.
      - Accounts should be configured in the Domain ID/IAM user ID format, with each one on a separate line.
      - The following describes different authorization scenarios:
        - Granting permissions to all the other accounts and their IAM users: Set the account ID and IAM user ID to *.
        - Granting permissions to an account: Enter the desired account ID and IAM user ID.
        - Granting permissions to an account and its IAM users: Enter the desired account ID, and set the IAM user ID to * (indicating all IAM users under the account).
        - Granting permissions to certain IAM users: Enter the account ID and one or more IAM user IDs.
  - Resources:
    - Method 1:
      - Select Entire bucket (including the objects in it).
    - Method 2:
      - Select Current bucket and Specified objects.
      - Set the resource path to * (indicating all objects in the bucket).
  - Actions:
    - Choose Customize.
    - Select actions: ListBucket (to list objects in the bucket and obtain the bucket metadata) and PutObject (to upload objects).
    - NOTE: In this example, only the upload action among object actions is selected. You can also select other object actions to grant corresponding permissions if needed. The asterisk (*) indicates all actions.
    - To learn the supported actions and their meanings, see Actions.
- Click Create in the lower right corner.
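The following check is an added example, not part of the original procedure or of the product: it reviews the Principals lines before they are entered, flags the wildcard scenarios from the table, and computes which actions take effect once the bucket policy and the IAM policies are both applied. The function names and sample IDs are constructed, and it assumes both policies are written with the action names used on this page.

```python
# Constructed sample input: placeholder IDs, one "Domain ID/IAM user ID" per line.
SAMPLE_PRINCIPALS = """\
exampledomainid0001/exampleuserid0001
exampledomainid0001/exampleuserid0002
exampledomainid0002/*
*/*
"""


def classify_principal(line):
    """Map one principal line to the authorization scenario it selects."""
    parts = line.strip().split("/")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"not in Domain ID/IAM user ID format: {line!r}")
    domain, user = parts
    if domain == "*":
        if user != "*":
            raise ValueError(f"wildcard account with a named user: {line!r}")
        return "all-accounts"        # every other account and its IAM users
    if user == "*":
        return "account-all-users"   # one account and all IAM users under it
    return "specific-user"           # one named IAM user of one account


def lint_principals(text):
    """Return ({account ID: [scenarios]}, [warnings for wildcard grants])."""
    grants, warnings = {}, []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        scenario = classify_principal(line)
        grants.setdefault(line.split("/")[0], []).append(scenario)
        if scenario != "specific-user":
            warnings.append(f"line {number}: {line} grants {scenario}")
    return grants, warnings


def effective_actions(bucket_policy_actions, iam_policy_actions):
    """Actions that take effect: allowed by both policies ('*' = all actions)."""
    bucket, iam = set(bucket_policy_actions), set(iam_policy_actions)
    if "*" in bucket:
        return iam
    if "*" in iam:
        return bucket
    return bucket & iam


if __name__ == "__main__":
    print(lint_principals(SAMPLE_PRINCIPALS)[1])
    print(effective_actions(["ListBucket", "PutObject"], ["ListBucket"]))
```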