Granting Other Accounts the Specified Permissions for a Bucket

Scenario

This topic describes how to grant other accounts (excluding the IAM users under them) specific permissions for OBS buckets. For details about how to grant permissions to an IAM user, see Granting IAM Users Under an Account the Access to a Bucket and the Resources in It.

The following example explains how to grant the permissions to configure a bucket ACL and obtain the bucket ACL configuration information. To grant other permissions, select required actions from Action Name in the bucket policy. For details about the actions supported by OBS, see Action/NotAction.

Recommended Configuration

Use bucket policies to grant permissions to other accounts.

Precautions

After configuration, the authorized account can configure and obtain a bucket ACL by using APIs or SDKs or by adding external buckets through OBS Browser+. To do this by adding external buckets, the ListBucket permission is also required. Currently, access to buckets of other accounts is not allowed on OBS Console.

Procedure

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket name you want to go to the Overview page.
  3. In the navigation pane, choose Permissions.
  4. On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
  5. Configure a bucket policy.

    Figure 1 Configuring a bucket policy
    Table 1 Parameters for creating a bucket policy

    Parameter

    Description

    Policy Mode

    Select Customized.

    Effect

    Select Allow.

    Principal
    • Select Include > Other account.
    • Account ID: Enter the ID of the account which you want to grant permissions to. You can obtain it from the My Credentials page of the account.
    • User ID: Enter the account ID. You can obtain it from the My Credentials page of the account.
      NOTE:

      In this example, permissions are granted to an account, excluding any IAM user under the account. Therefore, the user ID is the same as the account ID.

    Resources

    Select Include > Entire bucket.

    Actions
    • Include
    • Action Name:
      • PutBucketAcl
      • GetBucketAcl
      • ListBucket (required when the authorized account wants to access the OBS bucket on OBS Browser+ by mounting an external bucket)

    To configure other permissions, select the corresponding actions. For details about the actions supported by OBS, see Action/NotAction.

  6. Click OK.
Parent topic: Granting Permissions to Other Accounts