Scenario
This topic describes how to grant an IAM user the permissions to download specific objects from a bucket.
To grant other permissions, select required actions from Action Name in the bucket policy. For details, see Action/NotAction.
Recommended Configuration
To grant resource-level permissions to an IAM user, use a bucket policy.
Precautions
After configuration, the IAM user can download objects using APIs. However, if they download objects using OBS Console or OBS Browser+, a message will be displayed indicating that they do not have required permissions.
When they log in to OBS Console or OBS Browser+, APIs such as ListAllMyBuckets and ListBucket are called. ListAllMyBuckets loads the bucket list while ListBucket loads the object list. Some other APIs are also called on other pages. In such case, the message is displayed.
To allow an IAM user to download objects on OBS Console or OBS Browser+, you need to configure custom IAM policies. For details, see Follow-up Procedure.
Procedure
- In the navigation pane of OBS Console, choose Object Storage.
- In the bucket list, click the bucket name you want to go to the Overview page.
- In the navigation pane, choose Permissions.
- On the Bucket Policies page, click Create Bucket Policy under Custom Bucket Policies.
- Configure a bucket policy.Figure 1 Configuring a bucket policy
Table 1 Parameters for creating a bucket policy Parameter
Description
Policy Mode
Select Customized.
Effect
Select Allow.
Principal
- Choose Include > Cloud service user.
- Account ID: Enter one account ID only, or enter an asterisk (*) to indicate that the policy takes effect on all users (including both registered and anonymous users).
- User ID: Enter one or more user IDs separated by a comma (,).
Resources
- Choose Include > Specific resources.
- Resource Name: Enter the object or the set of objects that will be accessed.
For one object, enter object name.
For a set of objects, enter object name prefix + *, * + object name suffix, or *.
Actions
- Include
- Action Name: Select GetObject.
To configure other permissions, select the corresponding actions. For details, see Action/NotAction.
- Click OK.
Follow-up Procedure
To perform specific operations on OBS Console or OBS Browser+, you must add the obs:bucket:ListAllMyBuckets and obs:bucket:ListBucket permissions to the custom IAM policy. obs:bucket:ListAllMyBuckets lists buckets while obs:bucket:ListBucket lists objects in a bucket.
obs:bucket:ListAllMyBuckets applies to all resources while obs:bucket:ListBucket applies only to the authorized bucket, so you need to add the two permissions to the policy.
- Log in to the management console using a cloud service account.
- On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management.
- In the navigation pane, choose Permissions.
- Click Create Custom Policy in the upper right corner.
- Configure a custom policy.Figure 2 Configuring a custom policy
Table 2 Parameters for configuring a custom policy Parameter
Description
Policy Name
Enter a policy name.
Policy View
Select one based on your own habits. Visual editor is used here.
Policy Content
[Permission 1]
- Select Allow.
- Select Object Storage Service (OBS).
- Select obs:bucket:ListAllMyBuckets from the actions.
- Select All for resources.
[Permission 2]
- Select Allow.
- Select Object Storage Service (OBS).
- Select obs:bucket:ListBucket from the actions.
- Select Specific for Resources and select Specify resource path for Bucket. Click Add Resource Path. Enter the bucket name in the Path text box for applying the policy only to this bucket.
Scope
Use the default value Global services.
- Click OK.
- Create a user group and assign permissions.
Apply the created custom policy to the user group by following the instructions in the IAM document.
- Add the IAM user you want to authorize to the created user group.
Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.