
Bucket Policy Principal

This parameter specifies the users on whom this bucket policy takes effect, including cloud service users and federated users. Cloud service users are users who register with the public cloud system and access it directly. Federated users are users whose identities are authenticated through federated access to the public cloud system. Target users can be specified in either of the following ways:

  • Include: Specifies the user on whom the bucket policy statement takes effect.
  • Exclude: Specifies the user on whom the bucket policy statement does not take effect.

You can specify one or more accounts, one or more IAM users, or anyone (anonymous users).

Specifying One or More Accounts

An account is the owner who registers with the public cloud service. An account can be either an individual or an enterprise. The bucket access permission can be granted to one or more accounts by using account IDs. To specify a single account, enter its account ID directly. To specify multiple accounts, separate the account IDs with commas (,).

NOTE:
  • An account ID uniquely identifies an account. An authorized user can go to the My Credential page to obtain the account ID after login.
  • After the bucket access permission is granted to an account, all IAM users under this account obtain the same bucket access permission.

Specifying One or More IAM Users

IAM users are created in IAM and correspond to enterprise employees, systems, or applications. IAM users have independent identity credentials and can log in to the console to access services. To grant the bucket access permission to one or more IAM users, both the account IDs and IAM user IDs are required. The input format is Account ID:user/IAM user ID. Use commas (,) to separate multiple IAM users.

NOTE:

An authorized user can go to the My Credential page to obtain the account ID and user IDs after login.

Specifying Anyone (Anonymous Users)

The bucket access permission can be granted to anyone by entering the wildcard * in the text box of Authorized User.

NOTICE:

Exercise caution when granting bucket access permissions to anonymous users. If you grant the bucket access permission to anonymous users, anyone can access your bucket, and the bucket owner bears the traffic and storage fees generated. You are advised to set restrictions on access requests. For example, you can permit access requests from only one IP address.
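The three input forms above (account ID, Account ID:user/IAM user ID, and the wildcard *) can be checked before a policy is saved. The following is an added example, not part of the OBS documentation or tooling: the function names are hypothetical, the IDs are constructed placeholders, and IDs are assumed to be opaque tokens because this page does not define their character set.

```python
import re

# Assumption: IDs are opaque tokens. Only whitespace, '*' and the separators
# named on this page (',' ':' '/') are rejected inside an ID.
_ID = r"[^\s,:/*]+"
_ACCOUNT = re.compile(rf"^{_ID}$")
_IAM_USER = re.compile(rf"^({_ID}):user/({_ID})$")


def parse_principals(text):
    """Split an Authorized User string and classify each entry."""
    entries = []
    for raw in text.split(","):
        item = raw.strip()
        if item == "*":
            entries.append(("anonymous", "*", None))
        elif m := _IAM_USER.match(item):
            entries.append(("iam_user", m.group(1), m.group(2)))
        elif _ACCOUNT.match(item):
            entries.append(("account", item, None))
        else:
            raise ValueError(f"unrecognised principal entry: {item!r}")
    return entries


def review_principals(text, has_request_restriction=False):
    """Return review findings for a principal string before it is applied."""
    entries = parse_principals(text)
    findings = []
    if any(kind == "anonymous" for kind, _, _ in entries):
        if len(entries) > 1:
            findings.append("'*' grants to anyone, so the named entries add nothing")
        if not has_request_restriction:
            findings.append("anonymous access without a request restriction (e.g. source IP)")
    accounts = {acct for kind, acct, _ in entries if kind == "account"}
    for acct in sorted(accounts):
        findings.append(f"account {acct}: every IAM user under it gets this permission")
    for kind, acct, user in entries:
        if kind == "iam_user" and acct in accounts:
            findings.append(f"user {user} is already covered by account {acct}")
    return findings


# Constructed sample input (placeholder IDs, not real accounts).
SAMPLE = "acct-a, acct-a:user/user-1, acct-b:user/user-2"
if __name__ == "__main__":
    for finding in review_principals(SAMPLE):
        print(finding)
```
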