Granting an Account the Read and Write Permissions on a Bucket

Scenario

This topic describes how to grant other accounts (excluding the IAM users under them) the read and write permissions on OBS buckets. For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket.

Recommended Configuration

You are advised to use bucket policies to grant permissions to other accounts.

Configuration Precautions

The preset read/write mode of OBS has the following permissions:
  • GetObject: downloading objects
  • PutObject: uploading objects
  • GetObjectVersion: downloading versioned objects
  • DeleteObjectVersion: deleting objects versions
  • DeleteObject: deleting objects

After the configuration is complete, the authorized account can perform read and write operations (upload, download, or delete all objects in a bucket) by using APIs or by adding external buckets through OBS Browser+. To do this by adding external buckets, the ListBucket permission is also required. Currently, access to buckets of other accounts is not allowed on OBS Console.

After the ListBucket permission is configured, a message may still be displayed indicating that you do not have the permission to access the added external bucket through OBS Browser+.

Error cause: The loading on the OBS Browser+ bucket details page invokes some other OBS APIs. However, such operations are not allowed by the read and write permissions. Therefore, a message "Access denied. Check the response permission" or "This operation is not allowed on the requested resource" is displayed, however, existing permissions are not affected.

Procedure

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket name you want to go to the Overview page.
  3. In the navigation pane, choose Permissions.
  4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
  5. Configure parameters for a bucket policy.

    Figure 1 Configuring parameters for a bucket policy
    Table 1 Parameters for creating a bucket policy

    Parameter

    Description

    Policy Mode

    Select Read and write.

    Principal
    • Select Include > Other account.
    • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
    • User ID: Enter the account ID, which can be obtained from the My Credentials page of the account.
      NOTE:

      In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.

    Resources
    • Include
    • Resource Name: Enter *.

  6. Click OK. The bucket policy is created.
  7. (Optional) Click Create Bucket Policy again.

    If the authorized account wants to access the OBS bucket on OBS Browser+ by mounting an external bucket, you need to add a ListBucket permission.

  8. (Optional) Configure the ListBucket permission.

    Figure 2 Configuring the ListBucket permission
    Table 2 Parameters for creating a bucket policy

    Parameter

    Description

    Policy Mode

    Select Customized.

    Effect

    Select Allow.

    Principal
    • Select Include > Other account.
    • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
    • User ID: Enter the account ID.
      NOTE:

      In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.

    Resources

    Select Include > Entire bucket.

    Actions
    • Include
    • Action Name: ListBucket

  9. (Optional) Click OK. The bucket policy is created.
Parent topic: Granting Permissions to Other Accounts