doc-exports/docs/obs/perms-cfg/obs_40_0016.html
zhangyue 2c8baf104e OBS PERM DOC
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2024-10-29 16:45:36 +00:00


<a name="obs_40_0016"></a>
<h1 class="topictitle1">Granting an IAM User the Specified Permissions for a Bucket</h1>
<div id="body1588765301378"><div class="section" id="obs_40_0016__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0016__p3431154410448">This topic describes how to grant an IAM user the permissions required to delete a bucket.</p>
<p id="obs_40_0016__p131221236151420">To grant other permissions, select the required actions from <strong id="obs_40_0016__b1968674651912">Action Name</strong> in the bucket policy. For details, see <a href="obs_40_0041.html#obs_40_0041__en-us_topic_0118394684_section1623516525350">Action/NotAction</a>.</p>
</div>
<div class="section" id="obs_40_0016__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0016__p103657437515">To grant resource-level permissions to an IAM user, use a bucket policy.</p>
</div>
<div class="section" id="obs_40_0016__section786219432319"><h4 class="sectiontitle">Precautions</h4><p id="obs_40_0016__p4883191595712">After configuration, the IAM user can use APIs to delete buckets. However, if they log in to OBS Console or OBS Browser+ to delete buckets, a message will be displayed indicating that they do not have the required permissions.</p>
<p id="obs_40_0016__p20343339195015">This is because when they log in to OBS Console or OBS Browser+, additional APIs (such as <strong id="obs_40_0016__b146471514264">ListAllMyBuckets</strong> and <strong id="obs_40_0016__b13906172152620">ListBucketVersions</strong>) are called to load the list of buckets and versioned objects. Because the bucket policy configured in this topic does not allow those calls, the message is displayed.</p>
<p id="obs_40_0016__p7807163365117">If you want an IAM user to delete buckets on OBS Console or OBS Browser+, you need to allow the <strong id="obs_40_0016__b15892192319290">ListBucketVersions</strong> permission in the bucket policy and configure a custom IAM policy to grant the <strong id="obs_40_0016__b81561239102919">ListAllMyBuckets</strong> permission by referring to <a href="#obs_40_0016__section220405220511">Follow-up Procedure</a>.</p>
</div>
<div class="section" id="obs_40_0016__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0016__ol170633855216"><li id="obs_40_0016__li724955124912"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0016__b817114045810">Object Storage</strong>.</span></li><li id="obs_40_0016__li32491951194912"><span>In the bucket list, click the name of the target bucket to go to its <strong id="obs_40_0016__b10271330143111">Overview</strong> page.</span></li><li id="obs_40_0016__li5249145194918"><span>In the navigation pane, choose <strong id="obs_40_0016__b19373029959044">Permissions</strong>.</span></li><li id="obs_40_0016__li1568715376490"><span>On the <strong id="obs_40_0016__b1581710142711">Bucket Policies</strong> page, click <strong id="obs_40_0016__b1681790132717">Create Bucket Policy</strong> under <strong id="obs_40_0016__b18818190172710">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0016__li3552175452220"><span>Configure a bucket policy.</span><p><div class="fignone" id="obs_40_0016__fig136019591588"><span class="figcap"><b>Figure 1 </b>Configuring a bucket policy</span><br><span><img id="obs_40_0016__image10615592819" src="en-us_image_0000001385678272.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0016__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0016__row27504174239"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0016__p107559176234"><strong id="obs_40_0016__b94846767511353">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="73.11999999999999%" id="mcps1.3.4.2.5.2.2.2.3.1.2"><p id="obs_40_0016__p1976317170239"><strong id="obs_40_0016__b91422716911353">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0016__row1246385816164"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0016__p04631584161">Policy Mode</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0016__p19463175819166">Select <strong id="obs_40_0016__b127712493711353">Customized</strong>.</p>
</td>
</tr>
<tr id="obs_40_0016__row169652214311"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0016__p136964228313">Effect</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0016__p106961221034">Select <strong id="obs_40_0016__b107996728411353">Allow</strong>.</p>
</td>
</tr>
<tr id="obs_40_0016__row8783617122317"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0016__p478519172231">Principal</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0016__ul1341145419174"><li id="obs_40_0016__li1024761941819">Choose <strong id="obs_40_0016__b7531155161315">Include</strong> &gt; <strong id="obs_40_0016__b135321551171319">Cloud service user</strong>.</li><li id="obs_40_0016__li4245545161814"><strong id="obs_40_0016__b59125451318">Account ID</strong>: Enter one account ID only, or enter an asterisk (*) to indicate that the policy takes effect on all users (including both registered and anonymous users).</li><li id="obs_40_0016__li1703812151919"><strong id="obs_40_0016__b3381404010535">User ID</strong>: Enter one or more user IDs separated by a comma (,).</li></ul>
</td>
</tr>
<tr id="obs_40_0016__row081741752319"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0016__p15821617102320">Resources</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0016__p154218581644">Select <strong id="obs_40_0016__b46781731143514">Include</strong> &gt; <strong id="obs_40_0016__b19381834133516">Entire bucket</strong>.</p>
</td>
</tr>
<tr id="obs_40_0016__row3951641158"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0016__p10952134114519">Actions</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0016__ul1663065817513"><li id="obs_40_0016__li1563025812519"><strong id="obs_40_0016__b160478738111353">Include</strong></li><li id="obs_40_0016__li9382124645310"><strong id="obs_40_0016__b2621916135014">Action Name</strong>:<ul id="obs_40_0016__ul0371748105310"><li id="obs_40_0016__li10224301466">DeleteBucket</li><li id="obs_40_0016__li1996111505537">ListBucketVersions (required when an authorized user needs to access OBS from OBS Console or OBS Browser+)</li></ul>
</li></ul>
<p id="obs_40_0016__p175400381720">To configure other permissions, select the corresponding actions. For details, see <a href="obs_40_0041.html#obs_40_0041__en-us_topic_0118394684_section1623516525350">Action/NotAction</a>.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="obs_40_0016__li4406132611218"><span>Click <strong id="obs_40_0016__b2045315417430">OK</strong>.</span></li></ol>
</div>
<div class="section" id="obs_40_0016__section220405220511"><a name="obs_40_0016__section220405220511"></a><a name="section220405220511"></a><h4 class="sectiontitle">Follow-up Procedure</h4><p id="obs_40_0016__p349115115368">To delete buckets on OBS Console or OBS Browser+, you need to allow the <strong id="obs_40_0016__b99410010315">obs:bucket:ListAllMyBuckets</strong> permission in the IAM policy.</p>
<ol id="obs_40_0016__ol8623195417319"><li id="obs_40_0016__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0016__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0016__b587704120115">Service List</strong> &gt; <strong id="obs_40_0016__b6878144115116">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0016__b9878241815">Identity and Access Management</strong>.</span></li><li id="obs_40_0016__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0016__b127792011191410">Permissions</strong>.</span></li><li id="obs_40_0016__li1388483016366"><span>Click <strong id="obs_40_0016__b111271552914">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0016__li1161395452712"><span>Configure a custom policy.</span><p><div class="fignone" id="obs_40_0016__fig2216161311520"><span class="figcap"><b>Figure 2 </b>Configuring a custom policy</span><br><span><img id="obs_40_0016__image921815136158" src="en-us_image_0000001385362028.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0016__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0016__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="24.48%" id="mcps1.3.5.3.5.2.2.2.3.1.1"><p id="obs_40_0016__p23757272286"><strong id="obs_40_0016__b204053214211353">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="75.52%" id="mcps1.3.5.3.5.2.2.2.3.1.2"><p id="obs_40_0016__p63751027152820"><strong id="obs_40_0016__b94244928311353">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0016__row17375102752819"><td class="cellrowborder" valign="top" width="24.48%" headers="mcps1.3.5.3.5.2.2.2.3.1.1 "><p id="obs_40_0016__p1737572772816">Policy Name</p>
</td>
<td class="cellrowborder" valign="top" width="75.52%" headers="mcps1.3.5.3.5.2.2.2.3.1.2 "><p id="obs_40_0016__p83758278280">Enter a policy name.</p>
</td>
</tr>
<tr id="obs_40_0016__row1937592712288"><td class="cellrowborder" valign="top" width="24.48%" headers="mcps1.3.5.3.5.2.2.2.3.1.1 "><p id="obs_40_0016__p173753272284">Policy View</p>
</td>
<td class="cellrowborder" valign="top" width="75.52%" headers="mcps1.3.5.3.5.2.2.2.3.1.2 "><p id="obs_40_0016__p17375102714285">Select whichever view you prefer. <strong id="obs_40_0016__b987183435712">Visual editor</strong> is used here.</p>
</td>
</tr>
<tr id="obs_40_0016__row133751227142812"><td class="cellrowborder" valign="top" width="24.48%" headers="mcps1.3.5.3.5.2.2.2.3.1.1 "><p id="obs_40_0016__p203751027172816">Policy Content</p>
</td>
<td class="cellrowborder" valign="top" width="75.52%" headers="mcps1.3.5.3.5.2.2.2.3.1.2 "><ul id="obs_40_0016__ul312618263319"><li id="obs_40_0016__li112652673110">Select <strong id="obs_40_0016__b28255102711353">Allow</strong>.</li><li id="obs_40_0016__li1952919359">Select <strong id="obs_40_0016__b29871293911353">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0016__li813512281313">Select <strong id="obs_40_0016__b74550775011353">obs:bucket:ListAllMyBuckets</strong> from the actions.</li><li id="obs_40_0016__li1991741116547">Select <strong id="obs_40_0016__b24821520181313">All</strong> for resources.</li></ul>
</td>
</tr>
<tr id="obs_40_0016__row154361617514"><td class="cellrowborder" valign="top" width="24.48%" headers="mcps1.3.5.3.5.2.2.2.3.1.1 "><p id="obs_40_0016__p83756273285">Scope</p>
</td>
<td class="cellrowborder" valign="top" width="75.52%" headers="mcps1.3.5.3.5.2.2.2.3.1.2 "><p id="obs_40_0016__p1037542711283">Use the default value <strong id="obs_40_0016__b6254525056">Global services</strong>.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="obs_40_0016__li1293324623719"><span>Click <strong id="obs_40_0016__b139894679711353">OK</strong>.</span></li><li id="obs_40_0016__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0016__p1312812258417">Apply the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0016__li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user you want to authorize to the created user group</a>.</span><p><div class="note" id="obs_40_0016__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0016__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.</p>
</div></div>
</p></li></ol>
</div>
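<p>The following script is an added example (not OBS product code) that models how the bucket policy from Table 1 and the IAM custom policy from Table 2 combine for the two client paths described under Precautions: direct API calls need only DeleteBucket, while OBS Console and OBS Browser+ additionally call ListAllMyBuckets and ListBucketVersions. The policy JSON shape is a simplified model, and the account ID, user ID and bucket name are placeholders.</p>

```python
"""Simplified model of OBS/IAM permission evaluation (added example, not OBS code).
Policy shape is a model; IDs and the bucket name are placeholders."""
from fnmatch import fnmatchcase

# Bucket policy as configured in Table 1 (constructed placeholders).
BUCKET_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"ID": ["domain/ACCOUNT_ID_PLACEHOLDER:user/USER_ID_PLACEHOLDER"]},
    "Action": ["DeleteBucket", "ListBucketVersions"],
    "Resource": ["bucket-placeholder"],
}]}
# IAM custom policy as configured in Table 2 (scope: all resources).
IAM_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["obs:bucket:ListAllMyBuckets"],
    "Resource": ["*"],
}]}
# Actions each client path calls, per the Precautions section.
NEEDS = {
    "api": {"DeleteBucket"},
    "console": {"ListAllMyBuckets", "ListBucketVersions", "DeleteBucket"},
}


def _short(action):
    """Strip the IAM prefix: 'obs:bucket:ListAllMyBuckets' -> 'ListAllMyBuckets'."""
    return action.rsplit(":", 1)[-1]


def _matches(stmt, principal, action, resource):
    # IAM custom policies carry no Principal; they apply to whoever holds them.
    ids = stmt.get("Principal", {}).get("ID", ["*"])
    return (any(fnmatchcase(principal, i) for i in ids)
            and any(fnmatchcase(action, _short(a)) for a in stmt["Action"])
            and any(fnmatchcase(resource, r) for r in stmt["Resource"]))


def decide(action, principal, bucket, *policies):
    """Explicit Deny wins; otherwise any matching Allow wins; default is Deny."""
    verdict = "Deny"
    for pol in policies:
        for stmt in pol["Statement"]:
            if _matches(stmt, principal, action, bucket):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                verdict = "Allow"
    return verdict


def missing(path, principal, bucket, *policies):
    """Return the actions the given client path still lacks under these policies."""
    return {a for a in NEEDS[path] if decide(a, principal, bucket, *policies) != "Allow"}
```

Running <code>missing("console", ...)</code> with only the bucket policy reports ListAllMyBuckets as missing, which is exactly the console error the Precautions section describes; adding the IAM policy clears it.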
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0013.html">Granting Permissions to an IAM User Under the Account</a></div>
</div>
</div>