yexinru/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
Files
a41a4e0331fbc0beff63bb28fa59228cc9a751df
doc-exports/docs/obs/perms-cfg/obs_40_0016.html
zhangyue 6ae4b62d6f OBS PREMISSION DOC 
Reviewed-by: Sabelnikov, Dmitriy <dmitriy.sabelnikov@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
2025-04-25 08:19:55 +00:00

13 KiB
Raw Blame History

Granting an IAM User the Specified Permissions for a Bucket

Scenario

This topic describes how to grant an IAM user the permissions required to delete a bucket.

To grant other permissions, select required actions from Action Name in the bucket policy. For details, see Action/NotAction.

Recommended Configuration

To grant resource-level permissions to an IAM user, use a bucket policy.

Precautions

After configuration, the IAM user can use APIs to delete buckets. However, if they log in to OBS Console or OBS Browser+ to delete buckets, a message will be displayed indicating that they do not have required permissions.

This is because when they log in to OBS Console or OBS Browser+, more APIs (such as ListAllMyBuckets and ListBucketVersions) will be called to load the list of buckets and versioned objects. In such case, the message is displayed.

If you want an IAM user to delete buckets on OBS Console or OBS Browser+, you need to allow the ListBucketVersions permission in the bucket policy and configure a custom IAM policy to grant the ListAllMyBuckets permission by referring to Follow-up Procedure.

Procedure

  1. In the navigation pane of OBS Console, choose Object Storage.
  2. In the bucket list, click the bucket name you want to go to the Objects page.
  3. In the navigation pane, choose Permissions > Bucket Policies.
  4. On the Bucket Policies page, click Create.
  5. Configure a bucket policy.

    Figure 1 Configuring a bucket policy
    Table 1 Parameters for configuring a bucket policy

    Parameter

    Description

    Policy view

    Select Visual Editor or JSON based on your own habits. Visual Editor is used here.

    Policy Name

    Enter a policy name.

    Effect

    Select Allow.

    Principal
    • Select Current account.
    • IAM users: Select an IAM user that you want to grant permissions to.

    Resources
    • Select Current bucket.

    Actions
    • Choose Customize.
    • Select actions:
      • DeleteBucket
      • ListBucketVersions (to list object versions in the bucket)
        NOTE:

        To configure other permissions, select the corresponding actions. For details, see Action/NotAction.

  6. Confirm and click Create.

Follow-up Procedure

To delete buckets on OBS Console or OBS Browser+, you need to allow the obs🪣ListAllMyBuckets permission in the IAM policy.

  1. Log in to the management console using a cloud service account.
  2. On the top menu bar, choose Service List > Management & Deployment > Identity and Access Management.
  3. In the navigation pane, choose Permissions > Policies/Roles.
  4. Click Create Custom Policy in the upper right corner.
  5. Configure a custom policy.

    Figure 2 Configuring a custom policy
    Table 2 Parameters for configuring a custom policy

    Parameter

    Description

    Policy Name

    Enter a policy name.

    Policy View

    Select one based on your own habits. Visual editor is used here.

    Policy Content
    • Select Allow.
    • Select Object Storage Service (OBS).
    • Select obs🪣ListAllMyBuckets from the actions.
    • Select All for resources.

    Scope

    Use the default value Global services.

  6. Click OK.
  7. Create a user group and assign permissions.

    Apply the created custom policy to the user group by following the instructions in the IAM document.

  8. Add the IAM user you want to authorize to the created user group.

    Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.