vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/obs/perms-cfg/obs_40_0037.html
zhangyue 2c8baf104e OBS PERM DOC 
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2024-10-29 16:45:36 +00:00

126 lines
11 KiB
HTML
Raw Blame History

<a name="obs_40_0037"></a><a name="obs_40_0037"></a>
<h1 class="topictitle1">Granting Temporary Access to OBS</h1>
<div id="body1597050561891"><div class="section" id="obs_40_0037__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0037__p3431154410448">This case describes how to use temporary access keys (temporary AK/SK and security token) to access OBS.</p>
<p id="obs_40_0037__p1663009161912">Assume that you want to enable an IAM user (user name: APPServer) to access the APPClient folder in bucket <strong id="obs_40_0037__b166099288132">hi-company</strong> and apply for two different temporary access keys to distribute to APP-1 and APP-2. APP-1 can only access files in APPClient/APP-1. APP-2 can access only the files in APPClient/APP-2.</p>
</div>
<div class="section" id="obs_40_0037__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0037__ol170633855216"><li id="obs_40_0037__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0037__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0037__b1524342811413">Service List</strong> &gt; <strong id="obs_40_0037__b724310286417">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0037__b112433281644">Identity and Access Management</strong>.</span></li><li id="obs_40_0037__li54221529115513"><span>Create an IAM user <strong id="obs_40_0037__b14273510475">APPServer</strong>. For details, see <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/en-us_topic_0046611303.html" target="_blank" rel="noopener noreferrer">Creating an IAM User</a>.</span></li><li id="obs_40_0037__li148774498186"><span>Create a user-defined policy that allows access to the AppClient folder in bucket hi-company.</span><p><ol type="a" id="obs_40_0037__ol294413212193"><li id="obs_40_0037__li1848615103345">In the navigation pane, choose <strong id="obs_40_0037__b8555846143312">Permissions</strong>.</li><li id="obs_40_0037__li1417104719219">Configure parameters for a custom policy.<div class="note" id="obs_40_0037__note16133193719131"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0037__p8133113741313">Before configuring an IAM policy, you need to understand what permissions are required. An IAM user only has the permissions defined by the policy. In this example, user <strong id="obs_40_0037__b99995311910740">APPServer</strong> only has full permissions on objects in the <strong id="obs_40_0037__b78713857610740">APPClient</strong> folder.</p>
</div></div>
<div class="fignone" id="obs_40_0037__fig16929854596"><span class="figcap"><b>Figure 1 </b>Configuring a custom policy</span><br><span><img id="obs_40_0037__image49301051598" src="en-us_image_0000001435988521.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0037__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0037__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="21.54%" id="mcps1.3.2.2.4.2.1.2.3.2.3.1.1"><p id="obs_40_0037__p23757272286"><strong id="obs_40_0037__b24613886310740">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="78.46%" id="mcps1.3.2.2.4.2.1.2.3.2.3.1.2"><p id="obs_40_0037__p63751027152820"><strong id="obs_40_0037__b43655815910740">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0037__row17375102752819"><td class="cellrowborder" valign="top" width="21.54%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.1 "><p id="obs_40_0037__p1737572772816">Policy Name</p>
</td>
<td class="cellrowborder" valign="top" width="78.46%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.2 "><p id="obs_40_0037__p83758278280">Enter a policy name.</p>
</td>
</tr>
<tr id="obs_40_0037__row1937592712288"><td class="cellrowborder" valign="top" width="21.54%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.1 "><p id="obs_40_0037__p173753272284">Policy View</p>
</td>
<td class="cellrowborder" valign="top" width="78.46%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.2 "><p id="obs_40_0037__p17375102714285">Select one based on your own habits. <strong id="obs_40_0037__b1682619311312">JSON</strong> is used here.</p>
</td>
</tr>
<tr id="obs_40_0037__row133751227142812"><td class="cellrowborder" valign="top" width="21.54%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.1 "><p id="obs_40_0037__p203751027172816">Policy Content</p>
</td>
<td class="cellrowborder" valign="top" width="78.46%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.2 "><pre class="screen" id="obs_40_0037__screen152271923172610">{
"Version": "1.1",
"Statement": [
{
"Action": [
"obs:object:*"
],
"Resource": [
"obs:*:*:object:hi-company/APPClient/*"
],
"Effect": "Allow"
}
]
}</pre>
</td>
</tr>
<tr id="obs_40_0037__row65294186552"><td class="cellrowborder" valign="top" width="21.54%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.1 "><p id="obs_40_0037__p5352172114553">Scope</p>
</td>
<td class="cellrowborder" valign="top" width="78.46%" headers="mcps1.3.2.2.4.2.1.2.3.2.3.1.2 "><p id="obs_40_0037__p835292195514">The default value is <strong id="obs_40_0037__b108047303618">Global services</strong>.</p>
</td>
</tr>
</tbody>
</table>
</div>
</li><li id="obs_40_0037__li964374182211">Click <strong id="obs_40_0037__b15661312110740">OK</strong>.</li></ol>
</p></li><li id="obs_40_0037__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0037__p1312812258417">Apply the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0037__li12273529113919"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Add the IAM user (APPServer) to the created user group</a>.</span><p><div class="note" id="obs_40_0037__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0037__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.</p>
</div></div>
</p></li><li id="obs_40_0037__li753752717303"><span>The IAM user (APPServer) obtains temporary access keys (temporary access keys and security token) for <strong id="obs_40_0037__b71217300354">APP-1</strong> and <strong id="obs_40_0037__b0972183116356">APP-2</strong>.</span><p><p id="obs_40_0037__p13248204142615">To obtain temporary access keys with different permissions, you need to set a temporary policy by adding the policy parameter in the request body. For details, see <a href="https://docs.otc.t-systems.com/en-us/api/iam/en-us_topic_0097949518.html" target="_blank" rel="noopener noreferrer">Obtaining a Temporary AK/SK</a>.</p>
<p id="obs_40_0037__p1671713105813">The following is a sample request for obtaining a pair of temporary access keys. The temporary policy parameters are displayed in bold.</p>
<p id="obs_40_0037__p181085211581"><strong id="obs_40_0037__b214707742410740">A sample request for obtaining a pair of temporary access keys for the device app </strong><strong id="obs_40_0037__b83903714510740">APP-1</strong><strong id="obs_40_0037__b28790197010740">:</strong></p>
<pre class="screen" id="obs_40_0037__screen111122027581">{
"auth": {
"identity": {
<strong id="obs_40_0037__b0398557615">"policy": {</strong>
<strong id="obs_40_0037__b039911570118"> "Version": "1.1",</strong>
<strong id="obs_40_0037__b839911573114"> "Statement": [</strong>
<strong id="obs_40_0037__b11400857915"> {</strong>
<strong id="obs_40_0037__b1540065717110"> "Action": [</strong>
<strong id="obs_40_0037__b1340010571216"> "obs:object:*"</strong>
<strong id="obs_40_0037__b1340135719112"> ],</strong>
<strong id="obs_40_0037__b174016578116"> "Resource": [</strong>
<strong id="obs_40_0037__b1240212571316"> "obs:*:*:object:hi-company/APPClient/APP-1/*"</strong>
<strong id="obs_40_0037__b1340214573120"> ],</strong>
<strong id="obs_40_0037__b0403155717115"> "Effect": "Allow"</strong>
<strong id="obs_40_0037__b040305710117"> }</strong>
<strong id="obs_40_0037__b184036577113"> ]</strong>
<strong id="obs_40_0037__b104041057614"> }</strong>,
"token": {
"duration-seconds": 900
},
"methods": [
"token"
]
}
}
}</pre>
<p id="obs_40_0037__p1611212225815"><strong id="obs_40_0037__b144606737310740">A sample request for obtaining a pair of temporary access keys for the device app </strong><strong id="obs_40_0037__b193907232010740">APP-2</strong><strong id="obs_40_0037__b214455897110740">:</strong></p>
<pre class="screen" id="obs_40_0037__screen1211522115812">{
"auth": {
"identity": {
<strong id="obs_40_0037__b115849471811">"policy": {</strong>
<strong id="obs_40_0037__b1358494712113"> "Version": "1.1",</strong>
<strong id="obs_40_0037__b75855476115"> "Statement": [</strong>
<strong id="obs_40_0037__b158584720116"> {</strong>
<strong id="obs_40_0037__b6586447413"> "Action": [</strong>
<strong id="obs_40_0037__b1758619471215"> "obs:object:*"</strong>
<strong id="obs_40_0037__b5587114712117"> ],</strong>
<strong id="obs_40_0037__b558754716111"> "Resource": [</strong>
<strong id="obs_40_0037__b158819471616"> "obs:*:*:object:hi-company/APPClient/APP-2/*"</strong>
<strong id="obs_40_0037__b558815471316"> ],</strong>
<strong id="obs_40_0037__b1958920471217"> "Effect": "Allow"</strong>
<strong id="obs_40_0037__b155898473110"> }</strong>
<strong id="obs_40_0037__b1359014479114"> ]</strong>
<strong id="obs_40_0037__b65913471119"> }</strong>,
"token": {
"duration-seconds": 900
},
"methods": [
"token"
]
}
}
}</pre>
</p></li></ol>
</div>
<div class="section" id="obs_40_0037__section159232335471"><h4 class="sectiontitle">Verification</h4><p id="obs_40_0037__p1589143714477">After <strong id="obs_40_0037__b164284005010740">APP-1</strong> and <strong id="obs_40_0037__b128266330510740">APP-2</strong> have the temporary access keys, they can access OBS through OBS APIs. <strong id="obs_40_0037__b122426104310740">APP-1</strong> can access only files in the <strong id="obs_40_0037__b64938510910740">APPClient/APP-1</strong> folder, and <strong id="obs_40_0037__b44649155010740">APP-2</strong> can access only files in the <strong id="obs_40_0037__b123523403110740">APPClient/APP-2</strong> folder.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0012.html">Permission Configuration in Typical Scenarios</a></div>
</div>
</div>
View Git Blame Copy Permalink