In the navigation pane, choose Permissions > Bucket Policies and check whether there is a policy that restricts the account or IAM user from downloading objects. If yes, modify the bucket policy to grant the account or IAM user the permission.
Elastic Cloud Server (ECS): Accessing OBS over Intranet. IAM provides the following functions: User identity authentication; IAM user permission control; IAM agency configuration. Identity and Access Management (IAM): Permissions Management; Configuring User Permissions. Cloud Eye monitors
Before configuring an IAM policy, you need to understand what permissions are required. An IAM user only has the permissions defined by the policy. In this example, user APPServer only has full permissions on objects in the APPClient folder.
NOTE: You can obtain the account ID and IAM user ID from the My Credentials page. Accounts should be configured in the Domain ID/IAM user ID format, with each one on a separate line. Account ID/* indicates that permission is granted to all IAM users under the account.
In the navigation pane, choose Permissions > Bucket Policies and check whether there is a policy preventing the account or IAM user from uploading objects. If yes, modify the bucket policy to grant the account or IAM user the permission.
Through the Identity and Access Management (IAM) service, you can create a user who has the permission to access OBS resources and manage buckets and objects on obsutil. If you do not need to use any IAM user, skip this step.
On the console homepage, choose Service List > Management & Governance > Identity and Access Management to access the IAM console. On the IAM console, choose User in the left navigation tree. On the User page, click Create User.
Once an AK and SK are entered, IAM receives the AK and SK, finds the cloud service account or IAM user that owns the pair of AK and SK, and checks which OBS permissions the account or IAM user has.
ACLs control write and read permissions based on accounts, so their permission granularity is not as fine as that of bucket policies or IAM policies. Generally, it is recommended that you use IAM permissions and bucket policies for access control.
These users do not have IAM user permissions, so you can grant temporary permissions to allow these users to temporarily access OBS.
Therefore, before configuring logging for a bucket, you need to create an IAM agency for OBS and add this IAM agency when configuring logging for the bucket.
The Agency field indicates the name of the IAM agency for OBS created by the owner of the target bucket. For details about how to create an IAM agency, see the IAM User Guide. Enabling Bucket Logging Sample code: // Initialize configuration parameters.
When an IAM user initiates a request, this is the ID of the account to which the IAM user belongs. When a request is initiated by an anonymous user, the value of this parameter is Anonymous.
For details, see Creating an IAM User. Add the administrator to the admin user group. Do not add other users to user groups with OBS access permissions. For details, see Assigning Permissions to an IAM User. Create a bucket.
An AK can also identify an IAM user. OBS identifies an IAM user by their AK and SK, and then checks whether they have the permissions to access the resources they are requesting. For details about how to obtain the permanent access keys, see Obtaining Access Keys (AK/SK).
OBS permission control means granting permissions to other accounts or IAM users by editing access policies. For example, if you have a bucket, you can authorize another IAM user to upload objects to your bucket.
Permission Control Methods: IAM Permissions; Bucket Policies; ACLs
Permissions Control: Configuring IAM Permissions; Configuring a Bucket Policy; Configuring an Object Policy; Configuring a Bucket ACL; Configuring an Object ACL
Current account: Specify one or more IAM users under the current account. Other accounts: Specify one or more accounts. NOTE: The account ID and IAM user ID can be obtained from the My Credentials page.