更新时间:2026-03-13 GMT+08:00
如何获取跨区域存储迁移源端桶权限和目的端桶权限?
源端桶权限获取
请根据IAM用户的实际情况选择源端桶权限获取方式。
基于IAM旧版细粒度OBS权限,配置方式如下:
- 登录统一身份认证服务控制台。
- 在“统一身份认证服务”导航树,单击“权限管理>权限”,进入权限页面。
- 单击右上角“创建自定义策略”,进入创建自定义策略页面。
- 填写策略名称,策略配置方式选择“JSON视图”。
- 将以下内容拷贝到策略内容,单击“确定”按钮。
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "obs:bucket:GetBucketPolicy", "obs:bucket:GetLifecycleConfiguration", "obs:bucket:GetBucketLocation", "obs:bucket:GetBucketWebsite", "obs:bucket:GetBucketCORS", "obs:bucket:GetDirectColdAccessConfiguration", "obs:bucket:GetBucketLogging", "obs:bucket:GetBucketPublicAccessBlock", "obs:bucket:GetReplicationConfiguration", "obs:bucket:GetBucketVersioning", "obs:bucket:GetBucketQuota", "obs:bucket:HeadBucket", "obs:bucket:GetBucketAcl", "obs:bucket:GetBucketTagging", "obs:bucket:GetBucketStoragePolicy", "obs:bucket:GetEncryptionConfiguration", "obs:bucket:ListAllMyBuckets", "obs:bucket:ListBucket", "obs:object:GetObject", "obs:object:RestoreObject", "obs:object:GetObjectAcl", "obs:object:GetAccessLabel" ] } ] }{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "kms:cmk:decrypt", "kms:cmk:create", "kms:cmk:encrypt", "kms:dek:create", "kms:dek:decrypt", "kms:cmk:list", "kms:dek:encrypt" ] } ] }
自定义策略创建完成后,还需要完成以下操作,用户才能拥有相应权限。
- 如迁移用户已加入用户组,将自定义策略授权到该用户组,迁移用户即可拥有自定义策略权限。授权方式参见给用户组授权。
- 如迁移用户未加入用户组,请进行如下操作。
- 迁移用户的“访问方式”必须同时勾选“编程访问”和“管理控制台访问”。
- 授权后需等待15-30分钟才可生效。
基于IAM新版细粒度OBS权限,配置方式如下:
- 登录统一身份认证服务控制台。
- 在“统一身份认证服务”导航树,单击“权限管理>权限”,进入权限页面。
- 单击右上角“创建自定义策略”,进入创建自定义策略页面。
- 填写策略名称,策略配置方式选择“JSON视图”。
- 将以下内容拷贝到策略内容,单击“确定”按钮。
{ "Version": "5.0", "Statement": [ { "Effect": "Allow", "Action": [ "obs:bucket:getBucketAcl", "obs:bucket:getBucketCORS", "obs:bucket:getBucketLocation", "obs:bucket:getBucketLogging", "obs:bucket:getBucketPolicy", "obs:bucket:getBucketPublicAccessBlock", "obs:bucket:getBucketQuota", "obs:bucket:getBucketStoragePolicy", "obs:bucket:getBucketTagging", "obs:bucket:getBucketVersioning", "obs:bucket:getBucketWebsite", "obs:bucket:getDirectColdAccessConfiguration", "obs:bucket:getEncryptionConfiguration", "obs:bucket:getLifecycleConfiguration", "obs:bucket:getReplicationConfiguration", "obs:bucket:headBucket", "obs:bucket:listAllMyBuckets", "obs:bucket:listBucket", "obs:object:getAccessLabel", "obs:object:getObject", "obs:object:getObjectAcl", "obs:object:restoreObject", "kms:cmk:create", "kms:cmk:decryptDataKey", "kms:cmk:list" ] } ] }
自定义策略创建完成后,还需要完成以下操作,用户才能拥有相应权限。
- 如迁移用户已加入用户组,将自定义策略授权到该用户组,迁移用户即可拥有自定义策略权限。授权方式参见给用户组授权。
- 如迁移用户未加入用户组,请进行如下操作。
- 迁移用户的“访问方式”必须同时勾选“编程访问”和“管理控制台访问”。
- 授权后需等待15-30分钟才可生效。
目的端桶权限获取
请根据IAM用户的实际情况选择目的端桶权限获取方式。
基于IAM旧版细粒度OBS权限,配置方式如下:
- 登录统一身份认证服务控制台。
- 在“统一身份认证服务”导航树,单击“权限管理>权限”,进入权限页面。
- 单击右上角“创建自定义策略”,进入创建自定义策略页面。
- 填写策略名称,策略配置方式选择“JSON视图”。
- 将以下内容拷贝到策略内容,单击“确定”按钮。
{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "obs:bucket:GetBucketLocation", "obs:bucket:ListBucketMultipartUploads", "obs:bucket:ListBucket", "obs:object:PutObject", "obs:object:PutObjectAcl", "obs:object:GetObject", "obs:object:ModifyObjectMetaData", "obs:object:RestoreObject", "obs:object:DeleteAccessLabel", "obs:object:PutAccessLabel" ], "Resource": [ "OBS:*:*:bucket:*", "OBS:*:*:object:*" ] }, { "Effect": "Allow", "Action": [ "obs:bucket:PutLifecycleConfiguration", "obs:bucket:PutBucketAcl", "obs:bucket:PutBucketTagging", "obs:bucket:PutBucketStoragePolicy", "obs:bucket:PutBucketLogging", "obs:bucket:PutReplicationConfiguration", "obs:bucket:PutBucketPolicy", "obs:bucket:HeadBucket", "obs:bucket:PutDirectColdAccessConfiguration", "obs:bucket:PutBucketWebsite", "obs:bucket:PutBucketQuota", "obs:bucket:PutBucketVersioning", "obs:bucket:PutBucketCORS", "obs:bucket:PutBucketPublicAccessBlock", "obs:bucket:CreateBucket", "obs:bucket:ListAllMyBuckets", "obs:bucket:PutEncryptionConfiguration" ] } ] }{ "Version": "1.1", "Statement": [ { "Effect": "Allow", "Action": [ "kms:cmk:decrypt", "kms:cmk:create", "kms:cmk:encrypt", "kms:dek:create", "kms:dek:decrypt", "kms:cmk:list", "kms:dek:encrypt" ] } ] }
自定义策略创建完成后,还需要完成以下操作,用户才能拥有相应权限。
- 如迁移用户已加入用户组,将自定义策略授权到该用户组,迁移用户即可拥有自定义策略权限。授权方式参见给用户组授权。
- 如迁移用户未加入用户组,请进行如下操作。
- 迁移用户的“访问方式”必须同时勾选“编程访问”和“管理控制台访问”。
- 授权后需等待15-30分钟才可生效。
基于IAM新版细粒度OBS权限,配置方式如下:
- 登录统一身份认证服务控制台。
- 在“统一身份认证服务”导航树,单击“权限管理>权限”,进入权限页面。
- 单击右上角“创建自定义策略”,进入创建自定义策略页面。
- 填写策略名称,策略配置方式选择“JSON视图”。
- 将以下内容拷贝到策略内容,单击“确定”按钮。
{ "Version": "5.0", "Statement": [ { "Effect": "Allow", "Action": [ "obs:bucket:getBucketLocation", "obs:bucket:listBucket", "obs:bucket:listBucketMultipartUploads", "obs:object:deleteAccessLabel", "obs:object:getObject", "obs:object:modifyObjectMetadata", "obs:object:putAccessLabel", "obs:object:putObject", "obs:object:putObjectAcl", "obs:object:restoreObject" ], "Resource": [ "obs:*:*:bucket:*", "obs:*:*:object:*" ] }, { "Effect": "Allow", "Action": [ "obs:bucket:createBucket", "obs:bucket:headBucket", "obs:bucket:listAllMyBuckets", "obs:bucket:putBucketAcl", "obs:bucket:putBucketCORS", "obs:bucket:putBucketLogging", "obs:bucket:putBucketPolicy", "obs:bucket:putBucketPublicAccessBlock", "obs:bucket:putBucketQuota", "obs:bucket:putBucketStoragePolicy", "obs:bucket:putBucketTagging", "obs:bucket:putBucketVersioning", "obs:bucket:putBucketWebsite", "obs:bucket:putDirectColdAccessConfiguration", "obs:bucket:putEncryptionConfiguration", "obs:bucket:putLifecycleConfiguration", "obs:bucket:putReplicationConfiguration" ] }, { "Effect": "Allow", "Action": [ "kms:cmk:create", "kms:cmk:createDataKey", "kms:cmk:decryptDataKey", "kms:cmk:list" ] } ] }
自定义策略创建完成后,还需要完成以下操作,用户才能拥有相应权限。
- 如迁移用户已加入用户组,将自定义策略授权到该用户组,迁移用户即可拥有自定义策略权限。授权方式参见给用户组授权。
- 如迁移用户未加入用户组,请进行如下操作。
- 迁移用户的“访问方式”必须同时勾选“编程访问”和“管理控制台访问”。
- 授权后需等待15-30分钟才可生效。
