forked from docs/doc-exports
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com> Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com> Co-authored-by: zhangyue <zhangyue164@huawei.com> Co-committed-by: zhangyue <zhangyue164@huawei.com>
<a name="obs_40_0008"></a>
<h1 class="topictitle1">Accessing OBS Using Temporary Access Keys</h1>
<div id="body1597060383204"><div class="section" id="obs_40_0008__section9831018134415"><h4 class="sectiontitle">Temporary Access Keys</h4><p id="obs_40_0008__p13730171513276">OBS can be accessed with temporary access keys and a security token, both of which are obtained from IAM. You can hand the temporary access keys (including the security token) to a third-party application or an IAM user so that it can access OBS for a specified period of time.</p>
<p id="obs_40_0008__p1046714345219">You can obtain the temporary access keys and security token by calling the IAM API in <a href="https://docs.otc.t-systems.com/en-us/api/iam/en-us_topic_0097949518.html" target="_blank" rel="noopener noreferrer">Obtaining a Temporary AK/SK</a>.</p>
<p id="obs_40_0008__p15487641192319">Temporary AK/SK and security token comply with the least privilege principle and can be used to access OBS temporarily. When you authenticate an API call with a temporary AK/SK pair, you must send the security token together with the keys by adding the <strong id="obs_40_0008__b24394441318">x-obs-security-token</strong> field to the request header.</p>
<p id="obs_40_0008__p886610168273">Temporary access keys have the following advantages over permanent access keys of IAM users:</p>
<ul id="obs_40_0008__ul48663167279"><li id="obs_40_0008__li118661716152719">Temporary access keys are valid for 15 minutes to 24 hours, so the permanent access keys of IAM users never need to be exposed, which reduces security risk.</li><li id="obs_40_0008__li957912263442">When obtaining temporary access keys, you can pass policy parameters to further restrict the temporary permissions granted to users, so IAM users keep effective control over the permissions they grant to others.</li></ul>
<p id="obs_40_0008__p132948119510">For details, see <a href="https://docs.otc.t-systems.com/api_obs/obs/en-us_topic_0125560435.html" target="_blank" rel="noopener noreferrer">Authenticating a Request</a>.</p>
</div>
<div class="section" id="obs_40_0008__section114813400459"><h4 class="sectiontitle">Permissions of the Temporary Access Keys</h4><p id="obs_40_0008__p88917031019">When an IAM user calls the IAM API in <a href="https://docs.otc.t-systems.com/en-us/api/iam/en-us_topic_0097949518.html" target="_blank" rel="noopener noreferrer">Obtaining a Temporary AK/SK</a>, the user can specify the <strong id="obs_40_0008__b194816914418">policy</strong> parameter to attach a temporary policy to the temporary access keys and further restrict the permissions granted to other users. The format and content of a temporary policy are the same as those specified in <a href="obs_40_0003.html">IAM Permissions</a>.</p>
<ul id="obs_40_0008__ul9969419203210"><li id="obs_40_0008__li3649172273215">If the policy parameter is not specified, no temporary policy is applied and the temporary access keys inherit the IAM user's permissions.</li><li id="obs_40_0008__li220117270328">If the policy parameter is specified, the temporary policy takes effect and the permissions granted by the temporary access keys are confined to those allowed by both the temporary policy and the IAM user's permissions.</li></ul>
<p id="obs_40_0008__p96091528153211">As shown in the following figure, circle 1 indicates the original permissions of an IAM user and circle 2 the temporary permissions specified by a temporary policy. The overlapping area 3 is the scope of permissions granted by the temporary access keys.</p>
<div class="fignone" id="obs_40_0008__fig479016438362"><span class="figcap"><b>Figure 1 </b>Intersection of IAM user permissions and temporary policy permissions</span><br><span><img id="obs_40_0008__image1769334518330" src="en-us_image_0269157281.png"></span></div>
<p id="obs_40_0008__p15917195513116"><span style="color:#3D3F43;">Temporary access keys comply with the least privilege principle</span>. Configure a temporary policy within the original permission scope of an IAM user; otherwise, permissions that the temporary policy appears to grant will not take effect, because the temporary access keys can never exceed the user's own permissions. As illustrated by the following figure, the permissions that finally take effect are the authorized temporary permissions.</p>
<div class="fignone" id="obs_40_0008__fig78106108396"><span class="figcap"><b>Figure 2 </b>Restricting temporary permissions within the scope of IAM user permissions</span><br><span><img id="obs_40_0008__image79784541391" src="en-us_image_0269160697.png"></span></div>
<p id="obs_40_0008__p2062985411216">Temporary policy authentication starts with the Deny statements, and any permission that is not explicitly specified is denied by default.</p>
<div class="note" id="obs_40_0008__note1450962491713"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0008__p9509524111715">Therefore, you are advised to specify only the permissions to be allowed; the default deny already covers everything else.</p>
</div></div>
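<p>The intersection rule described in this section, worked through as an added example (not code from the OTC documentation or the OBS SDK): a small Python evaluator that applies Deny-first, default-deny evaluation to an IAM user's policy and to a temporary policy and grants only what both allow. The statement format, the action names and the "bucket/prefix" resource strings are simplified assumptions constructed for the illustration.</p>

```python
"""Effective permissions of a temporary AK/SK (added example, not OBS code).

Models the rule described above: a request is allowed only if BOTH the IAM
user's own permissions and the temporary policy allow it (area 3 in Figure 1),
Deny statements are evaluated first, and anything not explicitly allowed is
denied. Statements use an assumed simplified form
{"Effect": ..., "Action": [...], "Resource": [...]} with '*' wildcards; the
action names and "bucket/prefix" resource strings are constructed for the demo.
"""
from fnmatch import fnmatchcase


def _matches(statement, action, resource):
    return (any(fnmatchcase(action, a) for a in statement["Action"])
            and any(fnmatchcase(resource, r) for r in statement["Resource"]))


def evaluate(policy, action, resource):
    """Deny-first, default-deny evaluation of a single policy."""
    allowed = False
    for st in policy["Statement"]:
        if _matches(st, action, resource):
            if st["Effect"] == "Deny":
                return False          # an explicit Deny always wins
            allowed = True
    return allowed                    # no matching Allow -> denied


def effective(user_policy, temp_policy, action, resource):
    """Permission actually usable with the temporary keys."""
    if temp_policy is None:           # no policy parameter: inherit user perms
        return evaluate(user_policy, action, resource)
    return (evaluate(user_policy, action, resource)
            and evaluate(temp_policy, action, resource))


# Constructed sample: the IAM user can do anything with objects in bucket-a,
# except under the secret/ prefix, and has no access to bucket-b at all.
USER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["obs:object:*"], "Resource": ["bucket-a/*"]},
    {"Effect": "Deny", "Action": ["obs:object:*"], "Resource": ["bucket-a/secret/*"]},
]}
# Temporary policy for one device app: read-only under app1/, plus an Allow on
# bucket-b that cannot take effect because the user never had it (Figure 2).
TEMP_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["obs:object:GetObject"], "Resource": ["bucket-a/app1/*"]},
    {"Effect": "Allow", "Action": ["obs:object:*"], "Resource": ["bucket-b/*"]},
]}
```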
</div>
<div class="section" id="obs_40_0008__section1586812104015"><h4 class="sectiontitle">Application Scenarios</h4><p id="obs_40_0008__p582375113811">Temporary access keys are used to authorize third parties to access OBS temporarily. For example, some companies have their own user management systems that manage device app users and local enterprise users. These users do not have IAM user permissions, so an IAM user can grant them temporary access keys when they need to access OBS.</p>
<p id="obs_40_0008__p2028733765210"><strong id="obs_40_0008__b171291233598">Typical application scenario:</strong></p>
<p id="obs_40_0008__p1722820165317">A company has a large number of device apps that need to access OBS. Different apps represent different end users who require different access permissions. In this case, temporary access keys can be used to access OBS.</p>
<div class="fignone" id="obs_40_0008__fig1578555615594"><span class="figcap"><b>Figure 3 </b>Application scenarios of temporary access keys</span><br><span><img id="obs_40_0008__image8785185610591" src="en-us_image_0268971273.jpg"></span></div>
<ol id="obs_40_0008__ol13913571123"><li id="obs_40_0008__li187401810623">If the customer's server can obtain the permanent access keys of an IAM user, the server can send requests to IAM to generate different temporary access keys for different apps.<p id="obs_40_0008__p1515944241010"><a name="obs_40_0008__li187401810623"></a><a name="li187401810623"></a>IAM users can obtain the temporary access keys and security token by calling the IAM API in <a href="https://docs.otc.t-systems.com/en-us/api/iam/en-us_topic_0097949518.html" target="_blank" rel="noopener noreferrer">Obtaining a Temporary AK/SK</a>. When calling this API, pass the <strong id="obs_40_0008__b17874234156">policy</strong> parameter to set a temporary policy. An example is provided as follows:</p>
<pre class="screen" id="obs_40_0008__screen895118193314">{
    "auth": {
        "identity": {
            "methods": [
                ... ...
            ],
<strong id="obs_40_0008__b10174183511418">            "policy": {</strong>
<strong id="obs_40_0008__b49022111524">                ... ...</strong>
<strong id="obs_40_0008__b39038111622">            }</strong>
        }
    }
}</pre>
<p id="obs_40_0008__p196416033516">The policy's syntax and format are the same as those specified in <a href="obs_40_0003.html">IAM Permissions</a>.</p>
</li><li id="obs_40_0008__li02417287213">IAM generates temporary access keys with different permissions and validity periods based on the passed policy parameters and returns them to the customer server.</li><li id="obs_40_0008__li11742153019213">The customer server then distributes the temporary access keys to the device apps that require the corresponding permissions.</li><li id="obs_40_0008__li173616331227">A device app can use the temporary access keys to access OBS through OBS SDKs or APIs. Temporary access keys are valid only for a short period. If a device app needs to keep using OBS, it should request new temporary access keys from the customer server before the current ones expire.</li></ol>
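<p>Step 4 above, as an added example that is not part of the OTC documentation or the OBS SDK: a Python helper a device app could use to attach the security token to an OBS request and to decide when to ask the customer server for new keys. It assumes OBS's header-based HMAC-SHA1 signature (<code>Authorization: OBS AK:Signature</code>, with the x-obs-* headers included in the signed string) and uses placeholder credentials; check the signing details against Authenticating a Request.</p>

```python
"""Signing an OBS request with temporary credentials (added example, not
OTC documentation or OBS SDK code).

The security token must travel with the temporary AK/SK in the
x-obs-security-token header, and because it is an x-obs-* header it becomes
part of the signed string. The signature scheme assumed here is OBS's
header-based HMAC-SHA1 scheme ("Authorization: OBS AK:Signature"); verify the
details against "Authenticating a Request". Credentials below are placeholders.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

RENEW_MARGIN = timedelta(minutes=2)   # ask the customer server for new keys this early


def string_to_sign(method, bucket, key, date, obs_headers, content_md5="", content_type=""):
    """Assumed StringToSign: verb, Content-MD5, Content-Type, Date, then the
    x-obs-* headers (lower-cased, sorted, one per line) and the resource path."""
    canon = "".join(f"{k.lower()}:{v}\n"
                    for k, v in sorted(obs_headers.items(), key=lambda kv: kv[0].lower()))
    return f"{method}\n{content_md5}\n{content_type}\n{date}\n{canon}/{bucket}/{key}"


def sign_request(method, bucket, key, creds, now=None):
    """Headers for one request authenticated with temporary AK/SK + token."""
    now = now or datetime.now(timezone.utc)
    if now >= creds["expires_at"]:
        raise PermissionError("temporary keys expired; fetch new ones from the server")
    date = format_datetime(now, usegmt=True)
    obs_headers = {"x-obs-security-token": creds["security_token"]}
    digest = hmac.new(creds["secret"].encode(),
                      string_to_sign(method, bucket, key, date, obs_headers).encode(),
                      hashlib.sha1).digest()
    return {"Date": date,
            "Authorization": f"OBS {creds['access']}:{base64.b64encode(digest).decode()}",
            **obs_headers}


def needs_renewal(creds, now=None):
    """True when the app should request fresh keys before the current ones expire."""
    now = now or datetime.now(timezone.utc)
    return now + RENEW_MARGIN >= creds["expires_at"]


# Constructed placeholders, not real credentials
SAMPLE_CREDS = {"access": "TEMP-AK-PLACEHOLDER", "secret": "TEMP-SK-PLACEHOLDER",
                "security_token": "SECURITY-TOKEN-PLACEHOLDER",
                "expires_at": datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)}
SAMPLE_NOW = datetime(2024, 1, 1, 11, 0, tzinfo=timezone.utc)      # one hour left
SAMPLE_LATE = datetime(2024, 1, 1, 11, 59, tzinfo=timezone.utc)    # about to expire
```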
</div>
<div class="section" id="obs_40_0008__section68052393915"><h4 class="sectiontitle">Configuration Example</h4><p id="obs_40_0008__p14371168163915">For details, see <a href="obs_40_0037.html">Granting Temporary Access to OBS</a>.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0006.html">Access Requests</a></div>
</div>
</div>