OBS Access Permission Control

IAM policies, bucket policies, and access control lists (ACLs) are available in OBS for access permission control.

IAM Policy

IAM policies define the actions that can be performed on your cloud resources. In other words, an IAM policy specifies what actions are allowed or denied.

You can implement an IAM policy according to the following procedure:

  1. Create a user group and select an IAM permission set for the user group.
  2. Create an IAM user and add it to the user group so that it inherits permissions of the user group.

An IAM policy with OBS permissions takes effect on all OBS buckets and objects. To grant an IAM user the permission to operate OBS resources, you need to assign one or more OBS permission sets to the user group to which the user belongs.

For details about OBS permissions controlled by IAM policies, see User Permissions.

IAM policies apply to the following scenarios:

  • Controlling permissions to cloud resources as a whole
  • Controlling permissions to all OBS buckets and objects

Bucket Policy

A bucket policy is attached to a bucket and applies to the bucket and the objects in it. With a bucket policy, the bucket owner can grant IAM users or other accounts permissions to operate on the bucket and its objects.

Bucket policies apply to the following scenarios:

  • If you do not use IAM policies for access control and want to let other accounts access your OBS resources, grant those permissions through bucket policies.
  • If you want to give IAM users different permissions on different buckets, configure a separate bucket policy for each bucket (an IAM policy applies to all buckets of the account).
  • If you want to grant other accounts access to your buckets, use bucket policies to do so.

Access Control List

Bucket and object ACLs grant permissions to accounts. By default, an ACL is created together with a bucket or object and grants the owner full control over that bucket or object.

ACLs are read and write control rules granted to accounts. They grant whole-bucket or whole-object permissions and cannot express the finer rules (specific actions, resource prefixes, conditions) that bucket policies and IAM policies can, so it is generally recommended that you use IAM policies and bucket policies for access control.

NOTE:

The owner of an object is the account that uploads the object, who may not be the owner of the bucket to which the object belongs. For example, account B is granted the permission to access a bucket of account A, and account B uploads a file to the bucket. In that case, account B is the owner of the object instead of the bucket owner, account A.

How Does Authorization Work When Multiple Access Control Mechanisms Co-Exist?

Based on the least-privilege principle, decisions default to DENY, and an explicit DENY always takes precedence over an ALLOW. For example, if an IAM policy grants access to an object, a bucket policy denies access to that object, and no ACL grants access, the request is denied.

If no mechanism returns an ALLOW, the request is denied by default. The request is allowed only if no mechanism returns a DENY and at least one mechanism returns an ALLOW.

Figure 1 Authorization process

Table 1 is a matrix of the IAM policy, bucket policy, and ACL control rules (ALLOW and DENY). Each cell gives the result of combining the decision of one mechanism (row) with the decision of another (column). The rule is the same for every pair of mechanisms, so apply the matrix once more with the third mechanism's decision to obtain the final result. An ACL can only grant permissions, so its decision is either Allow or Default Deny; a Deny can only come from an IAM policy or a bucket policy.

Table 1 Matrix of the IAM policy, bucket policy, and ACL control rules (ALLOW and DENY)

  Decision A \ Decision B | Deny | Allow | Default Deny
  ------------------------|------|-------|-------------
  Deny                    | Deny | Deny  | Deny
  Allow                   | Deny | Allow | Allow
  Default Deny            | Deny | Allow | Default Deny
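The following is an added example (not code from the OBS documentation or from the OBS service itself) that implements the evaluation rule described above: each of the three mechanisms yields Deny, Allow or Default Deny for a request, an explicit Deny from any mechanism wins, otherwise any Allow wins, otherwise the request falls to the default deny. The statement structure, principal and action names (GetObject, PutObject, accountA/user-bob, bucket-a) and the ACL permission mapping are constructed for illustration and are not the OBS policy schema; IAM policies are modelled as matching on the requesting principal so that one evaluator serves both policy types.

```python
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatchcase
from typing import Dict, Iterable, Set


class Decision(Enum):
    """What a single mechanism (or the final evaluation) says about a request."""
    DENY = "Deny"                  # an explicit Deny statement matched
    ALLOW = "Allow"                # an Allow statement matched
    DEFAULT_DENY = "Default Deny"  # nothing matched at all


@dataclass(frozen=True)
class Statement:
    """Simplified policy statement (hypothetical structure, not the OBS JSON schema)."""
    effect: Decision            # Decision.ALLOW or Decision.DENY
    actions: tuple              # glob patterns, e.g. ("GetObject", "Put*")
    resources: tuple            # glob patterns: "bucket-a/*", or "*" for every bucket
    principals: tuple = ("*",)  # who the statement applies to; "*" = anyone


@dataclass(frozen=True)
class Request:
    principal: str  # e.g. "accountA/user-bob" (constructed naming)
    action: str     # e.g. "GetObject"
    resource: str   # e.g. "bucket-a/reports/q1.csv"


def evaluate_policy(statements: Iterable[Statement], req: Request) -> Decision:
    """IAM policies and bucket policies share one rule: an explicit Deny wins
    immediately, an Allow is remembered, and no match at all is Default Deny."""
    decision = Decision.DEFAULT_DENY
    for s in statements:
        if not any(fnmatchcase(req.principal, p) for p in s.principals):
            continue
        if not any(fnmatchcase(req.action, a) for a in s.actions):
            continue
        if not any(fnmatchcase(req.resource, r) for r in s.resources):
            continue
        if s.effect is Decision.DENY:
            return Decision.DENY
        decision = Decision.ALLOW
    return decision


# Illustrative mapping of actions to the ACL permission they need (FULL_CONTROL covers all).
ACL_PERMISSION_FOR_ACTION = {
    "GetObject": "READ",
    "ListBucket": "READ",
    "PutObject": "WRITE",
    "DeleteObject": "WRITE",
}


def evaluate_acl(grants: Dict[str, Set[str]], req: Request) -> Decision:
    """ACLs only grant: the result is Allow or Default Deny, never an explicit Deny."""
    needed = ACL_PERMISSION_FOR_ACTION.get(req.action)
    granted = grants.get(req.principal, set()) | grants.get("*", set())
    if needed and ("FULL_CONTROL" in granted or needed in granted):
        return Decision.ALLOW
    return Decision.DEFAULT_DENY


def combine(*decisions: Decision) -> Decision:
    """Any explicit Deny wins; otherwise any Allow wins; otherwise Default Deny."""
    if Decision.DENY in decisions:
        return Decision.DENY
    if Decision.ALLOW in decisions:
        return Decision.ALLOW
    return Decision.DEFAULT_DENY


def authorize(req: Request, iam, bucket_policy, acl) -> Decision:
    return combine(evaluate_policy(iam, req),
                   evaluate_policy(bucket_policy, req),
                   evaluate_acl(acl, req))


# Constructed scenario (sample data made up for this example).
IAM_POLICY = (
    # The IAM policy applies to every bucket of the account, hence resource "*".
    Statement(Decision.ALLOW, ("GetObject", "ListBucket"), ("*",), ("accountA/user-bob",)),
)
BUCKET_POLICY = (
    Statement(Decision.DENY, ("GetObject",), ("bucket-a/secret/*",), ("*",)),
    Statement(Decision.ALLOW, ("GetObject",), ("bucket-a/public/*",), ("accountB/*",)),
)
BUCKET_ACL = {"accountA": {"FULL_CONTROL"}}  # the owner's default grant


def demo() -> Dict[str, Decision]:
    cases = {
        # IAM allows, bucket policy explicitly denies, no ACL grant: Deny wins.
        "bob_reads_secret": Request("accountA/user-bob", "GetObject", "bucket-a/secret/key.pem"),
        # IAM allows and nothing denies: Allow.
        "bob_reads_report": Request("accountA/user-bob", "GetObject", "bucket-a/reports/q1.csv"),
        # Other account, only the bucket policy allows: Allow (cross-account via bucket policy).
        "alice_reads_public": Request("accountB/user-alice", "GetObject", "bucket-a/public/index.html"),
        # Nothing allows and nothing denies: Default Deny.
        "alice_writes": Request("accountB/user-alice", "PutObject", "bucket-a/public/index.html"),
        # Only the owner's ACL grant applies: Allow.
        "owner_writes": Request("accountA", "PutObject", "bucket-a/secret/key.pem"),
    }
    return {name: authorize(r, IAM_POLICY, BUCKET_POLICY, BUCKET_ACL) for name, r in cases.items()}
```

The first case in demo() is the scenario from the text: the IAM Allow on all buckets is overridden by the bucket policy's Deny on the secret/ prefix, and the absence of an ACL grant changes nothing because an ACL can never turn a Deny into an Allow.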