forked from docs/doc-exports
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com> Co-authored-by: zhangyue <zhangyue164@huawei.com> Co-committed-by: zhangyue <zhangyue164@huawei.com>
<a name="obs_40_0015"></a>
<h1 class="topictitle1">Granting an IAM User the Read/Write Permission on a Bucket</h1>
<div id="body1588765301378"><div class="section" id="obs_40_0015__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0015__p3431154410448">This topic describes how to grant an IAM user the read/write permission on an OBS bucket.</p>
</div>
<div class="section" id="obs_40_0015__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0015__p103657437515">To grant resource-level permissions to an IAM user, use a bucket policy.</p>
</div>
<div class="section" id="obs_40_0015__section786219432319"><h4 class="sectiontitle">Precautions</h4>
<p id="obs_40_0015__p817120327254">After configuration, the IAM user can use APIs or SDKs to upload, download, and delete objects in the bucket. However, if they log in to OBS Console or OBS Browser+ to perform those operations, an error is reported indicating that they do not have the required permissions.</p>
<p id="obs_40_0015__p7807163365117">If you also want the IAM user to perform read and write operations on OBS Console or OBS Browser+, you need to configure a custom IAM policy. For details, see <a href="#obs_40_0015__section220405220511">Follow-up Procedure</a>.</p>
<p id="obs_40_0015__p135531349172915">Even after that configuration, the console may still display a message indicating that the IAM user does not have the required permissions, because OBS Console also calls other APIs for advanced configurations. The IAM user can nevertheless perform read/write operations.</p>
</div>
<div class="section" id="obs_40_0015__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0015__ol170633855216"><li id="obs_40_0015__li973618915320"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0015__b17942540145715">Object Storage</strong>.</span></li><li id="obs_40_0015__li11242915363"><span>In the bucket list, click the name of the bucket to go to its <strong id="obs_40_0015__b1480210341667">Overview</strong> page.</span></li><li id="obs_40_0015__li13508181724617"><span>In the navigation pane, choose <strong id="obs_40_0015__b2605105313511">Permissions</strong>.</span></li><li id="obs_40_0015__li1568715376490"><span>On the <strong id="obs_40_0015__b2317141425">Bucket Policies</strong> page, click <strong id="obs_40_0015__b5734202684217">Create Bucket Policy</strong> under <strong id="obs_40_0015__b29453318428">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0015__li3552175452220"><span>Configure a bucket policy.</span><p><div class="fignone" id="obs_40_0015__fig13644856182710"><span class="figcap"><b>Figure 1 </b>Configuring a bucket policy</span><br><span><img id="obs_40_0015__image16647195692714" src="en-us_image_0000001436220057.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0015__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0015__row27504174239"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0015__p107559176234"><strong id="obs_40_0015__b26447525910101">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="73.11999999999999%" id="mcps1.3.4.2.5.2.2.2.3.1.2"><p id="obs_40_0015__p1976317170239"><strong id="obs_40_0015__b3595290010101">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0015__row1246385816164"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0015__p04631584161">Policy Mode</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0015__p19463175819166">Select <strong id="obs_40_0015__b158883846310101">Read and write</strong>.</p>
</td>
</tr>
<tr id="obs_40_0015__row8783617122317"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0015__p478519172231">Principal</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0015__ul1341145419174"><li id="obs_40_0015__li1024761941819">Choose <strong id="obs_40_0015__b755815531162">Include</strong> > <strong id="obs_40_0015__b355911533613">Cloud service user</strong>.</li><li id="obs_40_0015__li4245545161814"><strong id="obs_40_0015__b9291255812">Account ID</strong>: Enter one account ID only, or enter an asterisk (*) to indicate that the policy takes effect on all users (including both registered and anonymous users).</li><li id="obs_40_0015__li1703812151919"><strong id="obs_40_0015__b237714719102">User ID</strong>: Enter one or more user IDs separated by a comma (,).</li></ul>
</td>
</tr>
<tr id="obs_40_0015__row081741752319"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0015__p15821617102320">Resources</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0015__ul7274173411710"><li id="obs_40_0015__li260555313171"><strong id="obs_40_0015__b48650264710101">Include</strong></li><li id="obs_40_0015__li1338101719199"><strong id="obs_40_0015__b75501972406">Resource Name</strong>: Enter <strong id="obs_40_0015__b17280161141113">*</strong>.</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="obs_40_0015__li4406132611218"><span>Click <strong id="obs_40_0015__b19267734154318">OK</strong>.</span></li></ol>
</div>
<div class="section" id="obs_40_0015__section220405220511"><a name="obs_40_0015__section220405220511"></a><a name="section220405220511"></a><h4 class="sectiontitle">Follow-up Procedure</h4><p id="obs_40_0015__p349115115368">To perform read and write operations on OBS Console or OBS Browser+, you must add the <strong id="obs_40_0015__b3328145222113">obs:bucket:ListAllMyBuckets</strong> (for listing buckets) and <strong id="obs_40_0015__b191501957142118">obs:bucket:ListBucket</strong> (for listing objects in a bucket) permissions to the custom IAM policy.</p>
<div class="note" id="obs_40_0015__note5566228165219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0015__p256692825216"><strong id="obs_40_0015__b4310121264120">obs:bucket:ListAllMyBuckets</strong> applies to all resources, while <strong id="obs_40_0015__b1831551254115">obs:bucket:ListBucket</strong> applies only to the authorized bucket. Therefore, you need to add these two permissions to the policy.</p>
</div></div>
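<p>The two configurations on this page each have one setting that decides how wide the grant is: the <strong>Account ID</strong> of the bucket policy (Table 1), where an asterisk opens the bucket to all users including anonymous ones, and the resource scope of <strong>obs:bucket:ListBucket</strong> in the custom IAM policy (Table 2), which should name only the authorized bucket while <strong>obs:bucket:ListAllMyBuckets</strong> applies to all resources. The Python script below is an added review check for both settings; it is not OTC or OBS code. It models the console parameters as plain dicts of its own design (the field names <code>mode</code>, <code>principal</code>, <code>account_id</code>, <code>user_ids</code>, <code>resource</code>, <code>effect</code>, <code>actions</code>, <code>resources</code> are this example's abstraction, not the OBS bucket-policy or IAM JSON schema), and the sample IDs and bucket name are constructed placeholders. Only the two action names come from the page.</p>

```python
"""Least-privilege checks for the two configurations this page describes.

Constructed example, not OTC or OBS code. The dict layouts used here are this
example's own abstraction of the console parameters in Table 1 (bucket policy)
and Table 2 (custom IAM policy); they are not the OBS or IAM JSON schemas.
Only the two action names are taken from the page.
"""

LIST_ALL_MY_BUCKETS = "obs:bucket:ListAllMyBuckets"  # from the page: applies to all resources
LIST_BUCKET = "obs:bucket:ListBucket"                # from the page: scope to the one bucket


def check_bucket_policy(policy, expected_user_ids):
    """Return findings for a Table 1 style bucket policy; [] means it matches intent.

    policy = {"mode": "Read and write",
              "principal": {"account_id": "<account>", "user_ids": ["<user>", ...]},
              "resource": "*"}
    """
    findings = []
    principal = policy.get("principal", {})
    wildcard_account = principal.get("account_id") == "*"
    if wildcard_account:
        # Per the page, '*' makes the policy apply to all users, registered and anonymous.
        findings.append("account_id is '*': read/write is granted to all users, including anonymous")
    granted = set(principal.get("user_ids", []))
    unexpected = granted - set(expected_user_ids)
    if unexpected:
        findings.append("unexpected user IDs granted: " + ", ".join(sorted(unexpected)))
    missing = set(expected_user_ids) - granted
    if missing and not wildcard_account:
        findings.append("expected user IDs not granted: " + ", ".join(sorted(missing)))
    return findings


def check_iam_policy(statements, bucket):
    """Return findings for a Table 2 style custom IAM policy; [] means it matches intent.

    statements = [{"effect": "Allow", "actions": [...], "resources": ["*"] or ["<bucket>", ...]}]
    "resources" holds "*" (the console's All) or bucket names (Specify resource path).
    """
    findings = []
    list_all_ok = False          # ListAllMyBuckets granted on all resources
    list_bucket_scoped = False   # ListBucket granted on exactly the target bucket
    list_bucket_wildcard = False # ListBucket granted on all resources (too wide)
    for st in statements:
        if st.get("effect") != "Allow":
            continue
        actions = set(st.get("actions", []))
        resources = set(st.get("resources", []))
        if LIST_ALL_MY_BUCKETS in actions and "*" in resources:
            list_all_ok = True
        if LIST_BUCKET in actions:
            if "*" in resources:
                list_bucket_wildcard = True
            if bucket in resources:
                list_bucket_scoped = True
    if not list_all_ok:
        findings.append(LIST_ALL_MY_BUCKETS + " on all resources is missing; the console bucket list will fail")
    if list_bucket_wildcard:
        # Works, but lets the user list objects in every bucket, wider than the page's intent.
        findings.append(LIST_BUCKET + " is granted on all resources; scope it to '" + bucket + "'")
    elif not list_bucket_scoped:
        findings.append(LIST_BUCKET + " on '" + bucket + "' is missing; the console object list will fail")
    return findings


# Constructed sample configurations (placeholders, not real IDs or bucket names).
BUCKET = "example-bucket"
INTENDED_BUCKET_POLICY = {
    "mode": "Read and write",
    "principal": {"account_id": "ACCOUNT_ID_PLACEHOLDER", "user_ids": ["USER_ID_PLACEHOLDER"]},
    "resource": "*",
}
PUBLIC_BUCKET_POLICY = {
    "mode": "Read and write",
    "principal": {"account_id": "*", "user_ids": []},
    "resource": "*",
}
INTENDED_IAM_POLICY = [
    {"effect": "Allow", "actions": [LIST_ALL_MY_BUCKETS], "resources": ["*"]},
    {"effect": "Allow", "actions": [LIST_BUCKET], "resources": [BUCKET]},
]
OVERBROAD_IAM_POLICY = [
    {"effect": "Allow", "actions": [LIST_ALL_MY_BUCKETS, LIST_BUCKET], "resources": ["*"]},
]


def run_checks():
    """Run all four samples and return the findings keyed by sample name."""
    return {
        "intended_bucket_policy": check_bucket_policy(INTENDED_BUCKET_POLICY, {"USER_ID_PLACEHOLDER"}),
        "public_bucket_policy": check_bucket_policy(PUBLIC_BUCKET_POLICY, {"USER_ID_PLACEHOLDER"}),
        "intended_iam_policy": check_iam_policy(INTENDED_IAM_POLICY, BUCKET),
        "overbroad_iam_policy": check_iam_policy(OVERBROAD_IAM_POLICY, BUCKET),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, "->", findings or "OK")
```

<p>The two intended samples return no findings; the public bucket policy is flagged for the asterisk principal, and the over-broad IAM policy is flagged because <strong>obs:bucket:ListBucket</strong> is granted on all resources even though the console listing would work. To use the checks on a real configuration, transcribe the values you entered in the console into the same dict layout.</p>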
<ol id="obs_40_0015__ol8623195417319"><li id="obs_40_0015__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0015__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0015__b1624185733610">Service List</strong> > <strong id="obs_40_0015__b112511573364">Management & Deployment</strong> > <strong id="obs_40_0015__b17257573368">Identity and Access Management</strong>.</span></li><li id="obs_40_0015__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0015__b757714919113">Permissions</strong>.</span></li><li id="obs_40_0015__li1388483016366"><span>Click <strong id="obs_40_0015__b118613715375">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0015__li1161395452712"><span>Configure a custom policy.</span><p><div class="fignone" id="obs_40_0015__fig1814219521628"><span class="figcap"><b>Figure 2 </b>Configuring a custom policy</span><br><span><img id="obs_40_0015__image101432052622" src="en-us_image_0000001385676688.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0015__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0015__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="24.79%" id="mcps1.3.5.4.5.2.2.2.3.1.1"><p id="obs_40_0015__p23757272286"><strong id="obs_40_0015__b68930084110101">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="75.21%" id="mcps1.3.5.4.5.2.2.2.3.1.2"><p id="obs_40_0015__p63751027152820"><strong id="obs_40_0015__b186447081110101">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0015__row17375102752819"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0015__p1737572772816">Policy Name</p>
</td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0015__p83758278280">Enter a policy name.</p>
</td>
</tr>
<tr id="obs_40_0015__row1937592712288"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0015__p173753272284">Policy View</p>
</td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0015__p17375102714285">Select whichever view you prefer. <strong id="obs_40_0015__b8703205911914">Visual editor</strong> is used here.</p>
</td>
</tr>
<tr id="obs_40_0015__row133751227142812"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0015__p203751027172816">Policy Content</p>
</td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0015__p1928318374535">[Permission 1]</p>
<ul id="obs_40_0015__ul312618263319"><li id="obs_40_0015__li112652673110">Select <strong id="obs_40_0015__b1442421510101">Allow</strong>.</li><li id="obs_40_0015__li1952919359">Select <strong id="obs_40_0015__b1420920813562">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0015__li813512281313">Select <strong id="obs_40_0015__b727714444551">obs:bucket:ListAllMyBuckets</strong> from the actions.</li><li id="obs_40_0015__li1991741116547">Select <strong id="obs_40_0015__b823218256422">All</strong> for resources.</li></ul>
<p id="obs_40_0015__p148511375414">[Permission 2]</p>
<ul id="obs_40_0015__ul127691549205313"><li id="obs_40_0015__li167691496533">Select <strong id="obs_40_0015__b49081477010101">Allow</strong>.</li><li id="obs_40_0015__li1676910494536">Select <strong id="obs_40_0015__b2053811501566">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0015__li18769949195314">Select <strong id="obs_40_0015__b1869165519563">obs:bucket:ListBucket</strong> from the actions.</li><li id="obs_40_0015__li77691949175310">Select <strong id="obs_40_0015__b14645193125717">Specific</strong> for <strong id="obs_40_0015__b1424511203473">Resources</strong> and select <strong id="obs_40_0015__b12150205824715">Specify resource path</strong> for <strong id="obs_40_0015__b9449403471">Bucket</strong>. Click <strong id="obs_40_0015__b3143112410489">Add Resource Path</strong>. Enter the bucket name in the <strong id="obs_40_0015__b4841111134916">Path</strong> text box so that the policy applies only to this bucket.</li></ul>
</td>
</tr>
<tr id="obs_40_0015__row81414412509"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0015__p83756273285">Scope</p>
</td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0015__p1037542711283">Use the default value <strong id="obs_40_0015__b137650311419">Global services</strong>.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="obs_40_0015__li1293324623719"><span>Click <strong id="obs_40_0015__b117724509310101">OK</strong>.</span></li><li id="obs_40_0015__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0015__p1312812258417">Apply the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0015__li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user you want to authorize to the created user group</a>.</span><p><div class="note" id="obs_40_0015__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0015__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.</p>
</div></div>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0013.html">Granting Permissions to an IAM User Under the Account</a></div>
</div>
</div>