vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/obs/perms-cfg/obs_40_0015.html
zhangyue 32b9354795 OBS PERMS DOC 
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2023-04-18 07:48:10 +00:00

91 lines
14 KiB
HTML
Raw Blame History

<a name="obs_40_0015"></a><a name="obs_40_0015"></a>
<h1 class="topictitle1">Granting an IAM User the Read and Write Permissions on a Bucket</h1>
<div id="body1588765301378"><div class="section" id="obs_40_0015__section43491717165116"><h4 class="sectiontitle">Scenario</h4><p id="obs_40_0015__p3431154410448">This topic describes how to grant an IAM user the read and write permissions on an OBS bucket.</p>
</div>
<div class="section" id="obs_40_0015__section106520378518"><h4 class="sectiontitle">Recommended Configuration</h4><p id="obs_40_0015__p103657437515">You are advised to use bucket policies to grant resource-level permissions to an IAM user.</p>
</div>
<div class="section" id="obs_40_0015__section786219432319"><h4 class="sectiontitle">Configuration Precautions</h4><p id="obs_40_0015__p1436151622312">The preset read/write mode of OBS has the following permissions:</p>
<ul id="obs_40_0015__ul12273198112311"><li id="obs_40_0015__li1327378202314">GetObject: downloading objects</li><li id="obs_40_0015__li227314817237">PutObject: uploading objects</li><li id="obs_40_0015__li127318812235">GetObjectVersion: downloading versioned objects</li><li id="obs_40_0015__li727310818238">DeleteObjectVersion: deleting objects versions</li><li id="obs_40_0015__li8273888232">DeleteObject: deleting objects</li></ul>
<p id="obs_40_0015__p817120327254">After the configuration is complete, read and write operations (uploading, downloading, and deleting all objects in the bucket) can be performed using APIs or SDKs. However, if you log in to OBS Console or OBS Browser+ to perform those operations, an error is reported indicating that you do not have required permissions. .</p>
<p id="obs_40_0015__p7807163365117">If you want an IAM user to perform read and write operations on OBS Console or OBS Browser+, configure custom IAM policies by referring to <a href="#obs_40_0015__section220405220511">Follow-up Procedure</a>.</p>
<p id="obs_40_0015__p135531349172915">After the configuration is complete, the system still displays a message indicating that you do not have the permission to access the bucket. This is normal because the console invokes other advanced configuration APIs, but you can still perform operations allowed in read/write mode.</p>
</div>
<div class="section" id="obs_40_0015__section18368164564"><h4 class="sectiontitle">Procedure</h4><ol id="obs_40_0015__ol170633855216"><li id="obs_40_0015__li973618915320"><span>In the navigation pane of OBS Console, choose <strong id="obs_40_0015__b17942540145715">Object Storage</strong>.</span></li><li id="obs_40_0015__li11242915363"><span>In the bucket list, click the bucket name you want to go to the <strong id="obs_40_0015__b1480210341667">Overview</strong> page.</span></li><li id="obs_40_0015__li13508181724617"><span>In the navigation pane, choose <strong id="obs_40_0015__b2605105313511">Permissions</strong>.</span></li><li id="obs_40_0015__li1568715376490"><span>On the <strong id="obs_40_0015__b2317141425">Bucket Policies</strong> page, click <strong id="obs_40_0015__b5734202684217">Create Bucket Policy</strong> under <strong id="obs_40_0015__b29453318428">Custom Bucket Policies</strong>.</span></li><li id="obs_40_0015__li3552175452220"><span>Configure parameters for a bucket policy.</span><p><div class="fignone" id="obs_40_0015__fig13644856182710"><span class="figcap"><b>Figure 1 </b>Configuring parameters for a bucket policy</span><br><span><img id="obs_40_0015__image16647195692714" src="en-us_image_0000001436220057.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0015__table374341792315" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters for creating a bucket policy</caption><thead align="left"><tr id="obs_40_0015__row27504174239"><th align="left" class="cellrowborder" valign="top" width="26.88%" id="mcps1.3.4.2.5.2.2.2.3.1.1"><p id="obs_40_0015__p107559176234"><strong id="obs_40_0015__b26447525910101">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="73.11999999999999%" id="mcps1.3.4.2.5.2.2.2.3.1.2"><p id="obs_40_0015__p1976317170239"><strong id="obs_40_0015__b3595290010101">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0015__row1246385816164"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0015__p04631584161">Policy Mode</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><p id="obs_40_0015__p19463175819166">Select <strong id="obs_40_0015__b158883846310101">Read and write</strong>.</p>
</td>
</tr>
<tr id="obs_40_0015__row8783617122317"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0015__p478519172231">Principal</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0015__ul1341145419174"><li id="obs_40_0015__li1024761941819">Choose <strong id="obs_40_0015__b755815531162">Include</strong> &gt; <strong id="obs_40_0015__b355911533613">Cloud service user</strong>.</li><li id="obs_40_0015__li4245545161814"><strong id="obs_40_0015__b9291255812">Account ID</strong>: Enter one account ID only, or enter an asterisk (*) to indicate that the policy takes effect on all users (including both registered and anonymous users).</li><li id="obs_40_0015__li1703812151919"><strong id="obs_40_0015__b237714719102">User ID</strong>: Enter one or more user IDs separated by a comma (,).</li></ul>
</td>
</tr>
<tr id="obs_40_0015__row081741752319"><td class="cellrowborder" valign="top" width="26.88%" headers="mcps1.3.4.2.5.2.2.2.3.1.1 "><p id="obs_40_0015__p15821617102320">Resources</p>
</td>
<td class="cellrowborder" valign="top" width="73.11999999999999%" headers="mcps1.3.4.2.5.2.2.2.3.1.2 "><ul id="obs_40_0015__ul7274173411710"><li id="obs_40_0015__li260555313171"><strong id="obs_40_0015__b48650264710101">Include</strong></li><li id="obs_40_0015__li1338101719199"><strong id="obs_40_0015__b75501972406">Resource Name</strong>: Enter <strong id="obs_40_0015__b17280161141113">*</strong>.</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="obs_40_0015__li4406132611218"><span>Click <strong id="obs_40_0015__b19267734154318">OK</strong>. The bucket policy is created.</span></li></ol>
</div>
<div class="section" id="obs_40_0015__section220405220511"><a name="obs_40_0015__section220405220511"></a><a name="section220405220511"></a><h4 class="sectiontitle">Follow-up Procedure</h4><p id="obs_40_0015__p349115115368">To perform read and write operations on OBS Console or OBS Browser+, you must add the <strong id="obs_40_0015__b3328145222113">obs:bucket:ListAllMyBuckets</strong> (for listing buckets) and <strong id="obs_40_0015__b191501957142118">obs:bucket:ListBucket</strong> (for listing objects in a bucket) permissions to the custom IAM policy.</p>
<div class="note" id="obs_40_0015__note5566228165219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0015__p256692825216"><strong id="obs_40_0015__b4310121264120">obs:bucket:ListAllMyBuckets</strong> applies to all resources, while <strong id="obs_40_0015__b1831551254115">obs:bucket:ListBucket</strong> applies to the authorized bucket only. Therefore, you need to add two permissions to the policy.</p>
</div></div>
<ol id="obs_40_0015__ol8623195417319"><li id="obs_40_0015__li10432131493113"><span>Log in to the management console using a cloud service account.</span></li><li id="obs_40_0015__li625685643115"><span>On the top menu bar, choose <strong id="obs_40_0015__b1624185733610">Service List</strong> &gt; <strong id="obs_40_0015__b112511573364">Management &amp; Deployment</strong> &gt; <strong id="obs_40_0015__b17257573368">Identity and Access Management</strong>. The IAM console is displayed.</span></li><li id="obs_40_0015__li1848615103345"><span>In the navigation pane, choose <strong id="obs_40_0015__b757714919113">Permissions</strong>.</span></li><li id="obs_40_0015__li1388483016366"><span>Click <strong id="obs_40_0015__b118613715375">Create Custom Policy</strong> in the upper right corner.</span></li><li id="obs_40_0015__li1161395452712"><span>Configure parameters for a custom policy.</span><p><div class="fignone" id="obs_40_0015__fig1814219521628"><span class="figcap"><b>Figure 2 </b>Configuring a custom policy</span><br><span><img id="obs_40_0015__image101432052622" src="en-us_image_0000001385676688.png"></span></div>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="obs_40_0015__table6375112782815" frame="border" border="1" rules="all"><caption><b>Table 2 </b>Parameters for configuring a custom policy</caption><thead align="left"><tr id="obs_40_0015__row6375927132818"><th align="left" class="cellrowborder" valign="top" width="24.79%" id="mcps1.3.5.4.5.2.2.2.3.1.1"><p id="obs_40_0015__p23757272286"><strong id="obs_40_0015__b68930084110101">Parameter</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="75.21%" id="mcps1.3.5.4.5.2.2.2.3.1.2"><p id="obs_40_0015__p63751027152820"><strong id="obs_40_0015__b186447081110101">Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="obs_40_0015__row17375102752819"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0015__p1737572772816">Policy Name</p>
</td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0015__p83758278280">Name of the custom policy</p>
</td>
</tr>
<tr id="obs_40_0015__row1937592712288"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0015__p173753272284">Policy View</p>
</td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0015__p17375102714285">Set this parameter based on your own habits. <strong id="obs_40_0015__b15269128171710">Visual editor</strong> is used here.</p>
</td>
</tr>
<tr id="obs_40_0015__row133751227142812"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0015__p203751027172816">Policy Content</p>
</td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0015__p1928318374535">[Permission 1]</p>
<ul id="obs_40_0015__ul312618263319"><li id="obs_40_0015__li112652673110">Select <strong id="obs_40_0015__b1442421510101">Allow</strong>.</li><li id="obs_40_0015__li1952919359">Select <strong id="obs_40_0015__b1420920813562">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0015__li813512281313">Select <strong id="obs_40_0015__b727714444551">obs:bucket:ListAllMyBuckets</strong> from the actions.</li><li id="obs_40_0015__li1991741116547">Select <strong id="obs_40_0015__b823218256422">All</strong> for resources.</li></ul>
<p id="obs_40_0015__p148511375414">[Permission 2]</p>
<ul id="obs_40_0015__ul127691549205313"><li id="obs_40_0015__li167691496533">Select <strong id="obs_40_0015__b49081477010101">Allow</strong>.</li><li id="obs_40_0015__li1676910494536">Select <strong id="obs_40_0015__b2053811501566">Object Storage Service (OBS)</strong>.</li><li id="obs_40_0015__li18769949195314">Select <strong id="obs_40_0015__b1869165519563">obs:bucket:ListBucket</strong> from the actions.</li><li id="obs_40_0015__li77691949175310">For <strong id="obs_40_0015__b1424511203473">Resources</strong>, select <strong id="obs_40_0015__b14645193125717">Specific</strong>, and for <strong id="obs_40_0015__b9449403471">bucket</strong>, select <strong id="obs_40_0015__b12150205824715">Specify resource path</strong>, and click <strong id="obs_40_0015__b3143112410489">Add Resource Path</strong>. Enter the bucket name in the <strong id="obs_40_0015__b4841111134916">Path</strong> text box, indicating that the policy takes effect only for this bucket.</li></ul>
</td>
</tr>
<tr id="obs_40_0015__row81414412509"><td class="cellrowborder" valign="top" width="24.79%" headers="mcps1.3.5.4.5.2.2.2.3.1.1 "><p id="obs_40_0015__p83756273285">Scope</p>
</td>
<td class="cellrowborder" valign="top" width="75.21%" headers="mcps1.3.5.4.5.2.2.2.3.1.2 "><p id="obs_40_0015__p1037542711283">The default value is <strong id="obs_40_0015__b137650311419">Global services</strong>.</p>
</td>
</tr>
</tbody>
</table>
</div>
</p></li><li id="obs_40_0015__li1293324623719"><span>Click <strong id="obs_40_0015__b117724509310101">OK</strong>. The custom policy is created.</span></li><li id="obs_40_0015__li81339157389"><span><a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0030.html" target="_blank" rel="noopener noreferrer">Create a user group and assign permissions</a>.</span><p><p id="obs_40_0015__p1312812258417">Add the created custom policy to the user group by following the instructions in the IAM document.</p>
</p></li><li id="obs_40_0015__li12273529113919"><span>Add the IAM user you want to authorize to the created user group by referring to <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0031.html" target="_blank" rel="noopener noreferrer">Creating a User and Adding the User to a User Group</a>.</span><p><div class="note" id="obs_40_0015__note1402619155515"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="obs_40_0015__p37253183814">Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect after the authorization.</p>
</div></div>
</p></li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="obs_40_0013.html">Granting Permissions to an IAM User Under the Account</a></div>
</div>
</div>
View Git Blame Copy Permalink