This case describes how to use temporary access keys (a temporary AK/SK plus a security token) to access OBS.
Assume you want an IAM user (user name: APPServer) to access the APPClient folder in bucket hi-company, and to obtain two different temporary access keys for distribution to the device apps APP-1 and APP-2. APP-1 may access only files under APPClient/APP-1, and APP-2 may access only files under APPClient/APP-2.
Before configuring an IAM policy, work out which permissions are actually required: an IAM user has only the permissions granted by its policies, and a temporary access key derived from that user can never exceed them. In this example, user APPServer is given full permissions on objects in the APPClient folder and nothing else.
| Parameter | Description |
|---|---|
| Policy Name | Enter a policy name. |
| Policy View | Select the view you prefer. JSON is used here. |
| Policy Content | The JSON policy shown below the table. |
| Scope | The default value is Global services. |

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Action": [
        "obs:object:*"
      ],
      "Resource": [
        "obs:*:*:object:hi-company/APPClient/*"
      ],
      "Effect": "Allow"
    }
  ]
}
```
Attach the custom policy to the user group that user APPServer belongs to, following the instructions in the IAM documentation.
Because of data caching, it takes about 10 to 15 minutes for a custom policy to take effect.
To obtain temporary access keys with different permissions for each app, set a temporary policy by adding the policy parameter to the request body. For details, see Obtaining a Temporary AK/SK.
The following sample requests each obtain a pair of temporary access keys. The temporary policy is the policy object under auth.identity; everything else in the body is the same for both apps.
A sample request for obtaining a pair of temporary access keys for the device app APP-1:

```json
{
  "auth": {
    "identity": {
      "policy": {
        "Version": "1.1",
        "Statement": [
          {
            "Action": [
              "obs:object:*"
            ],
            "Resource": [
              "obs:*:*:object:hi-company/APPClient/APP-1/*"
            ],
            "Effect": "Allow"
          }
        ]
      },
      "token": {
        "duration-seconds": 900
      },
      "methods": [
        "token"
      ]
    }
  }
}
```

A sample request for obtaining a pair of temporary access keys for the device app APP-2:

```json
{
  "auth": {
    "identity": {
      "policy": {
        "Version": "1.1",
        "Statement": [
          {
            "Action": [
              "obs:object:*"
            ],
            "Resource": [
              "obs:*:*:object:hi-company/APPClient/APP-2/*"
            ],
            "Effect": "Allow"
          }
        ]
      },
      "token": {
        "duration-seconds": 900
      },
      "methods": [
        "token"
      ]
    }
  }
}
```
After APP-1 and APP-2 have the temporary access keys, they can access OBS through OBS APIs. APP-1 can access only files in the APPClient/APP-1 folder, and APP-2 can access only files in the APPClient/APP-2 folder.
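The following Python script is an added example, not code from the OBS documentation or an OBS SDK. It generates the two request bodies shown above from a single template, and then checks offline that each temporary policy stays inside the APPServer user's custom policy and matches only object keys under that app's own folder. The bucket, folder, app names and the 900-second duration come from the page; the function names are hypothetical helpers, and the object URNs used as sample input are constructed for the check. The script does not call IAM; it only prepares and validates the body you would send.

```python
"""Added example (not from the OBS documentation): build the temporary-policy
request bodies for APP-1 and APP-2 and verify their scope offline.

Assumptions: bucket/folder/app names and the 900 s duration are taken from
the page; all function names are hypothetical helpers, not an OBS SDK API.
"""
import json
from fnmatch import fnmatchcase
from typing import List

BUCKET = "hi-company"
FOLDER = "APPClient"

# The custom IAM policy attached to user APPServer (as shown on the page).
APPSERVER_POLICY = {
    "Version": "1.1",
    "Statement": [
        {
            "Action": ["obs:object:*"],
            "Resource": [f"obs:*:*:object:{BUCKET}/{FOLDER}/*"],
            "Effect": "Allow",
        }
    ],
}


def build_temp_policy(app_name: str) -> dict:
    """Temporary policy that confines one device app to its own sub-folder."""
    return {
        "Version": "1.1",
        "Statement": [
            {
                "Action": ["obs:object:*"],
                "Resource": [f"obs:*:*:object:{BUCKET}/{FOLDER}/{app_name}/*"],
                "Effect": "Allow",
            }
        ],
    }


def build_request_body(app_name: str, duration_seconds: int = 900) -> dict:
    """Request body for the temporary AK/SK call, with the policy parameter
    placed under auth.identity exactly as in the page's sample requests."""
    return {
        "auth": {
            "identity": {
                "policy": build_temp_policy(app_name),
                "token": {"duration-seconds": duration_seconds},
                "methods": ["token"],
            }
        }
    }


def _allowed_resources(policy: dict) -> List[str]:
    """Resource patterns from every Allow statement in a policy."""
    return [
        res
        for stmt in policy["Statement"]
        if stmt.get("Effect") == "Allow"
        for res in stmt["Resource"]
    ]


def policy_allows(policy: dict, object_urn: str) -> bool:
    """True if some Allow resource pattern matches the object URN.
    Only the resource dimension is checked; the action is obs:object:* here."""
    return any(fnmatchcase(object_urn, pat) for pat in _allowed_resources(policy))


def is_within(parent: dict, child: dict) -> bool:
    """Prefix-style check that every resource the temporary policy grants falls
    under a resource the parent user policy grants. IAM never lets a temporary
    key exceed its user's permissions, so a failure here is a configuration
    error worth catching before the request is sent."""
    parents = _allowed_resources(parent)
    return all(
        any(fnmatchcase(child_pat, parent_pat) for parent_pat in parents)
        for child_pat in _allowed_resources(child)
    )


if __name__ == "__main__":
    # Constructed sample object URNs, one per app folder.
    samples = [f"obs:*:*:object:{BUCKET}/{FOLDER}/{app}/photo.jpg" for app in ("APP-1", "APP-2")]
    for app in ("APP-1", "APP-2"):
        body = build_request_body(app)
        print(json.dumps(body, indent=2))
        print("within APPServer policy:", is_within(APPSERVER_POLICY, body["auth"]["identity"]["policy"]))
        for urn in samples:
            print(f"  {app} may access {urn}: {policy_allows(body['auth']['identity']['policy'], urn)}")
```

The `is_within` check is deliberately conservative: it treats the resource strings as glob patterns and only confirms that each requested pattern sits under a pattern the user already holds, which is the property the page relies on when it says each app can reach only its own folder.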