Granting Other Accounts the Read/Write Permission for a Bucket

Scenario

This topic describes how to grant other accounts (excluding the IAM users under them) the read/write permission for OBS buckets. For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and the Resources in It.

Recommended Configuration

Use bucket policies to grant permissions to other accounts.

Precautions

After the configuration is complete, the authorized account can perform read and write operations (upload, download, or delete all objects in a bucket) by using APIs or by adding external buckets through OBS Browser+. Currently, access to buckets of other accounts is not allowed on OBS Console.

When you use OBS Browser+ to access the added external bucket, a message may still be displayed indicating that you do not have required permissions.

Error cause: The loading on the OBS Browser+ bucket details page invokes some other OBS APIs. However, such operations are not allowed by the read and write permissions. Therefore, a message "Access denied. Check the response permission" or "This operation is not allowed on the requested resource" is displayed, however, existing permissions are not affected.

Procedure

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket name you want to go to the Overview page.
  3. In the navigation pane, choose Permissions.
  4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
  5. Configure a bucket policy.

    Figure 1 Configuring a bucket policy
    Table 1 Parameters for creating a bucket policy

    Parameter

    Description

    Policy Mode

    Select Read and write.

    Principal
    • Select Include > Other account.
    • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
    • User ID: Enter the account ID. You can obtain it from the My Credentials page of the account.
      NOTE:

      In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.

    Resources
    • Include
    • Resource Name: Enter *.

  6. Click OK.
  7. (Optional) Click Create Bucket Policy again.

    If the authorized account wants to access the OBS bucket on OBS Browser+ by mounting an external bucket, you need to add a ListBucket permission.

  8. (Optional) Configure the ListBucket permission.

    Figure 2 Configuring the ListBucket permission
    Table 2 Parameters for creating a bucket policy

    Parameter

    Description

    Policy Mode

    Select Customized.

    Effect

    Select Allow.

    Principal
    • Select Include > Other account.
    • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
    • User ID: Enter the account ID.
      NOTE:

      In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.

    Resources

    Select Include > Entire bucket.

    Actions
    • Include
    • Action Name: ListBucket

  9. (Optional) Click OK.
Parent topic: Granting Permissions to Other Accounts