Granting IAM User Groups Specified Permissions on All OBS Resources

Scenario

This topic describes how to grant multiple IAM users or user groups specific permissions on all OBS resources.

Recommended Configuration

IAM custom policies

Configuration Precautions

After the configuration is complete, you can perform allowed operations using APIs. However, if you log in to OBS Console or OBS Browser+ to perform those operations, an error is reported indicating that you do not have required permissions.

This is because when you log in to OBS Console or OBS Browser+, APIs (such as ListAllMyBuckets and ListBucket) are called to load the bucket list and object list and some other APIs will also be called on other pages, but your permissions do not cover those APIs. In such case, your access to OBS Console or OBS Browser+ is denied or your operation is not allowed.

To allow IAM users to operate buckets and objects on OBS Console or OBS Browser+, add at least the obs:bucket:ListAllMyBuckets and obs:bucket:ListBucket permissions to the custom policy.

Procedure

  1. Log in to the management console using a cloud service account.
  2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management. The IAM console is displayed.
  3. In the navigation pane, choose Permissions.
  4. Click Create Custom Policy in the upper right corner.
  5. Configure parameters for a custom policy.

    Figure 1 Configuring a custom policy
    Table 1 Parameters for configuring a custom policy

    Parameter

    Description

    Policy Name

    Name of the custom policy

    Policy View

    Set this parameter based on your own habits. Visual editor is used here.

    Policy Content
    • Select Allow.
    • Select Object Storage Service (OBS).
    • Select the actions to be authorized.
    • Select All for resources.

    Scope

    The default value is Global services.

  6. Click OK. The custom policy is created.
  7. Create a user group and assign permissions.

    Add the created custom policy to the user group by following the instructions in the IAM document.

  8. Add the IAM user you want to authorize to the created user group by referring to Creating a User and Adding the User to a User Group.

    Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.

Parent topic: Granting Permissions to Multiple IAM Users or User Groups Under the Account