Help Center/ Object Storage Service/ Permissions Configuration Guide (Ally Region)/ Permission Configuration in Typical Scenarios/ Granting Permissions to an IAM User Under the Current Account/ Granting an IAM User the Read Permissions on Specific Objects
Updated on 2026-03-17 GMT+08:00
View PDF
Share

Granting an IAM User the Read Permissions on Specific Objects

Scenario

This topic describes how to grant an IAM user the read permissions on an object or a set of objects in an OBS bucket.

Recommended Configuration

To grant resource-level permissions to an IAM user, use a bucket policy.

Precautions

After configuration, the IAM user can download specific objects using APIs. However, if they download an object from OBS Console or OBS Browser+, a message will be displayed, indicating that they do not have required permissions.

This is because when they log in to OBS Console or OBS Browser+, the ListAllMyBuckets API is called to load the bucket list and some other APIs will also be called on other pages. In such case, the message is displayed.

If you want an IAM user to perform read operations on OBS Console or OBS Browser+, you need to configure custom IAM policies by referring to Follow-up Procedure.

Procedure

  1. In the bucket list, click the bucket name you want to go to the Overview page.
  2. In the navigation pane, choose Permissions.

Follow-up Procedure

To perform read operations on OBS Console or OBS Browser+, you must add the obs:bucket:ListAllMyBuckets (for listing buckets) and obs:bucket:ListBucket (for listing objects in a bucket) permissions to the custom IAM policy.

obs:bucket:ListAllMyBuckets applies to all resources, while obs:bucket:ListBucket applies only to the authorized bucket. Therefore, you need to add these two permissions to the policy.

  1. Configure a custom policy.

    Table 1 Parameters for configuring a custom policy

    Parameter

    Description

    Policy Name

    Enter a policy name.

    Policy View

    Select one based on your own habits. Visual editor is used here.

    Policy Content

    [Permission 1]

    • Select Allow.
    • Select Object Storage Service (OBS).
    • Select obs:bucket:ListAllMyBuckets from the actions.
    • Select All for resources.

    [Permission 2]

    • Select Allow.
    • Select Object Storage Service (OBS).
    • Select obs:bucket:ListBucket from the actions.
    • Select Specific for Resources and select Specify resource path for Bucket. Click Add Resource Path. Enter the bucket name in the Path text box to apply the policy only to this bucket.

    Scope

    Use the default value Global services.

  2. Click OK.
  3. .

    Apply the created custom policy to the user group by following the instructions in the IAM document.

  4. .

    Due to data caching, it takes about 10 to 15 minutes for a custom policy to take effect.