How Can I Control Access to the Data on OBS?

You can use the following mechanisms to control access to the data on OBS:

  • AK and SK identity authentication

    A user account provided by OBS contains an AK and an SK, which are used to authenticate the user. When a client sends a request to OBS, the request header must contain a signature. The signature is generated based on the SK, request time, and request type.

  • ACLs

    An access control list (ACL) is a list that defines grantees and their granted permissions. Bucket ACLs control access to buckets for accounts and user groups. A bucket owner can grant access permissions to other accounts or user groups by configuring the bucket ACL.

    It is recommended that bucket ACLs be used in the following scenarios:

    • Grant the write permission of a bucket to the log delivery user, so that access logs can be delivered to the target bucket.
    • Grant the read and write permissions of a bucket to an account, so that bucket data can be shared or external buckets can be added. For example, if account A grants the bucket read and write permissions to account B, then account B can access the bucket by using the API and SDK, and can add an external bucket through OBS Browser.

  • Bucket policies

    You can define rules on OBS resources to control the permissions that one or more users or accounts have on buckets or on the objects in them. For example, you can use a bucket policy to grant the write permission to a user or account when a request comes from a given IP address or IP address segment. A bucket policy can be used both to grant and to deny permissions.
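
The following is an added example, not OBS code and not OBS's exact wire format: a simplified model of the AK and SK authentication described in the first item, showing that the SK only ever keys the signature and that the server recomputes it from the request time and request type. The canonical string layout, HMAC-SHA256, the timestamp format, the 15-minute window and the sample keys are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=15)  # assumed replay window, not an OBS value


def string_to_sign(method: str, date: str, resource: str) -> bytes:
    """Canonical string over request type, request time and target (assumed layout)."""
    return f"{method.upper()}\n{date}\n{resource}".encode()


def sign(sk: str, method: str, date: str, resource: str) -> str:
    """Client side: derive the signature from the SK; the SK itself is never sent."""
    mac = hmac.new(sk.encode(), string_to_sign(method, date, resource), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify(keys: dict, ak: str, signature: str, method: str, date: str,
           resource: str, now: datetime) -> bool:
    """Server side: look up the SK by AK, recompute, compare in constant time."""
    sk = keys.get(ak)
    if sk is None:
        return False  # unknown AK
    try:
        sent = datetime.strptime(date, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False  # malformed request time
    if abs(now - sent) > MAX_SKEW:
        return False  # stale or future-dated request, treated as a possible replay
    expected = sign(sk, method, date, resource)
    return hmac.compare_digest(expected.encode(), signature.encode())


# Constructed sample credentials and request, for illustration only.
KEYS = {"AKEXAMPLE0001": "sk-example-not-a-real-secret"}
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
DATE = "2024-01-01T12:00:00Z"
RESOURCE = "/example-bucket/report.csv"
SIG = sign(KEYS["AKEXAMPLE0001"], "PUT", DATE, RESOURCE)

if __name__ == "__main__":
    print("valid request:", verify(KEYS, "AKEXAMPLE0001", SIG, "PUT", DATE, RESOURCE, NOW))
    print("method changed:", verify(KEYS, "AKEXAMPLE0001", SIG, "DELETE", DATE, RESOURCE, NOW))
```

Because the request type and request time are inside the signed string, a captured signature cannot be reused for a different operation or outside the accepted time window.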