copyright | lastupdated | keywords | subcollection | ||
---|---|---|---|---|---|
|
2024-02-26 |
authorization, iam, basics |
cloud-object-storage |
{{site.data.keyword.attribute-definition-list}}
{: #iam}
Access to {{site.data.keyword.cos_full}} service instances for users in your account is controlled by {{site.data.keyword.cloud_notm}} Identity and Access Management (IAM). {: shortdesc}
{: #iam-roles}
Every user that accesses the {{site.data.keyword.cos_full}} service in your account must be assigned an access policy with an IAM user role defined. That policy determines what actions the user can perform within the context of the service or instance you select. The allowable actions are customized and defined by the {{site.data.keyword.cloud_notm}} service as operations that are allowed to be performed on the service. The actions are then mapped to IAM user roles.
Policies enable access to be granted at different levels. Some of the options include the following:
- Access across all instances of the service in your account
- Access to an individual service instance in your account
- Access to a specific bucket within an instance (see Bucket permissions)
- Access to all IAM-enabled services in your account
- Access to a specific object or group of objects within a bucket
After you define the scope of the access policy, you assign a role. Review the following tables which outline what actions each role allows within the {{site.data.keyword.cos_short}} service.
The following table details actions that are mapped to platform management roles. Platform management roles enable users to perform tasks on service resources at the platform level, for example assign user access for the service, create or delete service IDs, create instances, and bind instances to applications.
Platform management role | Description of actions | Example actions |
---|---|---|
Viewer | View service instances but not modify them |
|
Editor | Perform all platform actions except for managing the accounts and assigning access policies |
|
Operator | Not used by COS | None |
Administrator | Perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users, as well as setting PublicAccess policy on buckets. |
|
{: caption="IAM user roles and actions"} |
The following table details actions that are mapped to service access roles. Service access roles enable users access to {{site.data.keyword.cos_short}} as well as the ability to call the {{site.data.keyword.cos_short}} API.
Service access role | Description of actions | Example actions |
---|---|---|
Object Writer | Upload and overwrite objects (including uploading objects in multiple parts). |
|
Object Reader | Download objects, read object metadata (headers), but not list objects or buckets. |
|
Content Reader | Download and list objects, read object metadata (headers), but not list buckets. |
|
Reader | In addition to Content Reader actions, Readers can list buckets and read bucket metadata, but not make modifications. |
|
Writer | In addition to Reader actions, Writers can create buckets and upload objects. |
|
Manager | In addition to Writer actions, Managers can complete privileged actions that affect access control. |
|
{: caption="IAM service access roles and actions"} |
For information about assigning user roles in the UI, see Managing IAM access.
{: #iam-actions}
Action id | Description | Condition attributes supported |
---|---|---|
cloud-object-storage.account.get_account_buckets |
List all buckets in a service instance. | none |
cloud-object-storage.bucket.put_bucket |
Create a bucket. | none |
cloud-object-storage.bucket.post_bucket |
Internal use only - unsupported for users. | none |
cloud-object-storage.bucket.delete_bucket |
Delete a bucket. | none |
cloud-object-storage.bucket.get |
List all the objects in a bucket. | prefix, delimiter |
cloud-object-storage.bucket.list_crk_id |
List the IDs of encryption root keys associated with a bucket. | none |
cloud-object-storage.bucket.head |
View bucket metadata. | none |
cloud-object-storage.bucket.get_versions |
List object versions. | prefix, delimiter |
cloud-object-storage.bucket.get_uploads |
List all active multipart uploads for a bucket. | prefix, delimiter |
cloud-object-storage.bucket.put_quota |
Unsupported operation - used for S3 API compatibility only. | none |
cloud-object-storage.bucket.get_acl |
Read a bucket ACL [deprecated]. | none |
cloud-object-storage.bucket.put_acl |
Create a bucket ACL [deprecated]. | none |
cloud-object-storage.bucket.get_cors |
Read CORS rules. | none |
cloud-object-storage.bucket.put_cors |
Add CORS rules to a bucket. | none |
cloud-object-storage.bucket.delete_cors |
Delete CORS rules. | none |
cloud-object-storage.bucket.get_website |
Read bucket website configuration. | none |
cloud-object-storage.bucket.put_website |
Add bucket website configuration. | none |
cloud-object-storage.bucket.delete_website |
Delete bucket website configuration. | none |
cloud-object-storage.bucket.get_versioning |
Check versioning status of a bucket. | none |
cloud-object-storage.bucket.put_versioning |
Enable versioning on a bucket. | none |
cloud-object-storage.bucket.get_object_lock_configuration |
Get Object Lock Configuration from the bucket. | none |
cloud-object-storage.bucket.put_object_lock_configuration |
Set Object Lock Configuration from the bucket. | none |
cloud-object-storage.bucket.get_fasp_connection_info |
View Aspera FASP connection information. | none |
cloud-object-storage.account.delete_fasp_connection_info |
Delete Aspera FASP connection information. | none |
cloud-object-storage.bucket.get_location |
View the location and storage class of a bucket. | none |
cloud-object-storage.bucket.get_lifecycle |
Read a bucket lifecycle policy. | none |
cloud-object-storage.bucket.put_lifecycle |
Create a bucket lifecycle policy. | none |
cloud-object-storage.bucket.get_basic |
Read bucket metadata (number of objects, etc) using the Resource Configuration API. | none |
cloud-object-storage.bucket.get_activity_tracking |
Read activity tracking configuration. | none |
cloud-object-storage.bucket.put_activity_tracking |
Add activity tracking configuration. | none |
cloud-object-storage.bucket.get_metrics_monitoring |
Read metrics monitoring configuration. | none |
cloud-object-storage.bucket.put_metrics_monitoring |
Add metrics monitoring configuration. | none |
cloud-object-storage.bucket.put_protection |
Add Immutable Object Storage policy. | none |
cloud-object-storage.bucket.get_protection |
Read Immutable Object Storage policy. | none |
cloud-object-storage.bucket.put_firewall |
Add a firewall configuration. | none |
cloud-object-storage.bucket.get_firewall |
Read a firewall configuration. | none |
cloud-object-storage.bucket.put_public_access_block |
Add/Update a public access block configuration for a bucket. | none |
cloud-object-storage.bucket.delete_public_access_block |
Remove public access block configuration for a bucket. | none |
cloud-object-storage.bucket.get_public_access_block |
Retrieve public access block configuration for a bucket. | none |
cloud-object-storage.bucket.list_bucket_crn |
View a bucket CRN. | none |
cloud-object-storage.bucket.get_notifications |
Internal use only - unsupported for users. | none |
cloud-object-storage.bucket.put_notifications |
Internal use only - unsupported for users. | none |
cloud-object-storage.bucket.get_replication |
Read replication configuration of a bucket. | none |
cloud-object-storage.bucket.put_replication |
Add replication configuration to a bucket. | none |
cloud-object-storage.bucket.delete_replication |
Delete replication configuration of a bucket. | none |
cloud-object-storage.object.get |
View and download objects. | path |
cloud-object-storage.object.head |
Read an object's metadata. | path |
cloud-object-storage.object.get_version |
Read a specified version of an object. | path |
cloud-object-storage.object.head_version |
Get headers for a specific version of an object. | path |
cloud-object-storage.object.put |
Write and upload objects. | path |
cloud-object-storage.object.post |
Upload an object using HTML forms [deprecated]. | path |
cloud-object-storage.object.post_md |
Update object metadata using HTML forms [deprecated]. | path |
cloud-object-storage.object.post_initiate_upload |
Initiate multipart uploads. | path |
cloud-object-storage.object.put_part |
Upload an object part. | path |
cloud-object-storage.object.copy_part |
Copy (write) an object part. | path |
cloud-object-storage.object.copy_part_get |
Copy (read) an object part. | path |
cloud-object-storage.object.copy_part_get_version |
Copy (read) an object part. | path |
cloud-object-storage.object.post_complete_upload |
Complete a multipart upload. | path |
cloud-object-storage.object.copy |
Copy (write) an object from one bucket to another. | path |
cloud-object-storage.object.copy_get |
Copy (read) an object from one bucket to another. | path |
cloud-object-storage.object.copy_get_version |
Copy (read) an object from one bucket to another. | path |
cloud-object-storage.object.get_acl |
Read object ACL [deprecated]. | path |
cloud-object-storage.object.get_acl_version |
Read object ACL Version [deprecated] | path |
cloud-object-storage.object.put_acl |
Write object ACL [deprecated]. | path |
cloud-object-storage.object.put_acl_version |
Unsupported operation - used for S3 API compatibility only. | path |
cloud-object-storage.object.delete |
Delete an object. | path |
cloud-object-storage.object.delete_version |
Delete a specific version of an object. | path |
cloud-object-storage.object.get_uploads |
List parts of an object. | path |
cloud-object-storage.object.delete_upload |
Abort a multipart upload. | path |
cloud-object-storage.object.restore |
Temporarily restore an archived object. | path |
cloud-object-storage.object.restore_version |
Temporarily restore an archived object. | path |
cloud-object-storage.object.get_tagging |
Read object tag versions | path |
cloud-object-storage.object.put_tagging |
Add/Update object tags | path |
cloud-object-storage.object.delete_tagging |
Delete object tags | path |
cloud-object-storage.object.post_multi_delete |
Delete multiple objects. | none |
cloud-object-storage.object.post_legal_hold |
Add a legal hold to an object. | path |
cloud-object-storage.object.get_legal_hold |
View any legal holds on an object. | path |
cloud-object-storage.object.post_extend_retention |
Extend a retention policy. | path |
cloud-object-storage.object.get_object_lock_retention |
Get object lock retention settings on the object. | path |
cloud-object-storage.object.put_object_lock_retention |
Set object lock retention settings on the object. | path |
cloud-object-storage.object.get_object_lock_legal_hold |
Get object lock legal hold state on the object. | path |
cloud-object-storage.object.put_object_lock_legal_hold |
Set object lock legal hold state on the object. | path |
cloud-object-storage.object.get_object_lock_retention_version |
Get object lock retention version settings on the object. | path |
cloud-object-storage.object.put_object_lock_retention_version |
Set object lock retention version settings on the object. | path |
cloud-object-storage.object.get_object_lock_legal_hold_version |
Get object lock legal hold state on the object. | path |
cloud-object-storage.object.put_object_lock_legal_hold_version |
Set object lock legal hold state on the object. | path |
cloud-object-storage.object.put_tagging_version |
Add/Update object tag versions | path |
cloud-object-storage.object.get_tagging_version |
Read object tag versions | path |
cloud-object-storage.object.delete_tagging_version |
Delete object tag versions | path |
{: caption="Granular IAM action descriptions"} |