Granting an Account the Specified Permissions on a Bucket

Scenario

This topic describes how to grant other accounts (excluding the IAM users under them) specific operation permissions on OBS buckets. For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and Resources in the Bucket.

The following example explains how to grant the permissions to configure a bucket ACL and obtain the bucket ACL configuration information. If you need to configure other permissions, select the corresponding actions from the Action Name drop-down list in the bucket policy. For details about the actions supported by OBS, see Action/NotAction.

Recommended Configuration

You are advised to use bucket policies to grant permissions to other accounts.

Configuration Precautions

After the configuration is complete, the authorized account can configure and obtain a bucket ACL by using APIs or SDKs or by adding external buckets through OBS Browser+. To do this by adding external buckets, the ListBucket permission is also required. Currently, access to buckets of other accounts is not allowed on OBS Console.

Procedure

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket name you want to go to the Overview page.
  3. In the navigation pane, choose Permissions.
  4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
  5. Configure parameters for a bucket policy.

    Figure 1 Configuring parameters for a bucket policy
    Table 1 Parameters for creating a bucket policy

    Parameter

    Description

    Policy Mode

    Select Customized.

    Effect

    Select Allow.

    Principal
    • Select Include > Other account.
    • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
    • User ID: Enter the account ID, which can be obtained from the My Credentials page of the account.
      NOTE:

      In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.

    Resources

    Select Include > Entire bucket.

    Actions
    • Include
    • Action Name:
      • PutBucketAcl
      • GetBucketAcl
      • ListBucket (required when the authorized account wants to access the OBS bucket on OBS Browser+ by mounting an external bucket)

    To configure other permissions, select the corresponding actions. For details about the actions supported by OBS, see Action/NotAction.

  6. Click OK. The bucket policy is created.
Parent topic: Granting Permissions to Other Accounts