Table 1 OBS access control Method Description Reference Permission control IAM permissions IAM permissions define which actions on your cloud resources are allowed or denied.
Elastic Cloud Server (ECS) Accessing OBS over Intranet IAM provides the following functions: User identity authentication IAM user permission control IAM agency configuration Identity and Access Management (IAM) Permissions Management Creating an IAM User and Granting OBS Permissions
In the navigation pane, choose Permissions > Bucket Policies and check whether there is a policy preventing the account or IAM user from downloading objects. If yes, modify the bucket policy to grant the account or IAM user the permission.
Before configuring an IAM policy, you need to understand what permissions are required. An IAM user only has the permissions defined by the policy. In this example, user APPServer only has full permissions on objects in the APPClient folder.
NOTE: You can obtain the account ID and IAM user ID from the My Credentials page. Accounts should be configured in the Domain ID/IAM user ID format, with each one on a separate line. Account ID/* indicates that permission is granted to all IAM users under the account.
In the navigation pane, choose Permissions > Bucket Policies and check whether there is a policy preventing the account or IAM user from uploading objects. If yes, modify the bucket policy to grant the account or IAM user the permission.
Through the Identity and Access Management (IAM) service, you can create a user who has the permission to access OBS resources and manage buckets and objects on obsutil. If you do not need to use any IAM user, skip this step.
On the console homepage, choose Service List > Management & Governance > Identity and Access Management to access the IAM console. On the IAM console, choose User in the left navigation tree. On the User page, click Create User.
ACLs control read and write permissions on a per-account basis, so their permission granularity is not as fine as that of bucket policies or IAM permissions. Generally, it is recommended that you use IAM permissions and bucket policies for access control.
Therefore, before configuring logging for a bucket, you need to create an IAM agency for OBS and add this IAM agency when configuring logging for the bucket.
These users do not have IAM user permissions, so you can grant temporary permissions to allow these users to temporarily access OBS.
The Agency field indicates the name of the IAM agency for OBS created by the owner of the target bucket. For details about how to create an IAM agency, see the IAM User Guide. Enabling Bucket Logging Sample code: // Initialize configuration parameters.
For details, see Creating an IAM User. Add the administrator to the admin user group. Do not add other users to user groups with OBS access permissions. For details, see Assigning Permissions to an IAM User. Create a bucket.
OBS permission control means granting permissions to other accounts or IAM users by editing access policies. For example, if you have a bucket, you can authorize another IAM user to upload objects to your bucket.
An AK can also identify an IAM user. OBS identifies an IAM user by their AK and SK, and then checks whether they have the permissions to access the resources they are requesting. For details about how to obtain the permanent access keys, see Obtaining Access Keys (AK/SK).
Permission Control Methods IAM Permissions Bucket Policies ACLs
To configure a bucket policy, you must be the bucket owner or the bucket owner's IAM user with the required permission (obs:bucket:PutBucketPolicy in IAM or PutBucketPolicy in a bucket policy).
Permissions Control Configuring IAM permissions Configuring a Bucket Policy Configuring an Object Policy Configuring a Bucket ACL Configuring an Object ACL
With this function, you can grant fine-grained OBS policies to IAM user groups, so that IAM users in the groups have the specified operation permissions. Such policies can take effect on OBS as a whole or on a specific bucket or object.