Skip to content

Latest commit

 

History

History
156 lines (135 loc) · 32.5 KB

iam.md

File metadata and controls

156 lines (135 loc) · 32.5 KB
copyright lastupdated keywords subcollection
years
2017, 2024
2024-02-26
authorization, iam, basics
cloud-object-storage

{{site.data.keyword.attribute-definition-list}}

Getting Started with IAM

{: #iam}

Access to {{site.data.keyword.cos_full}} service instances for users in your account is controlled by {{site.data.keyword.cloud_notm}} Identity and Access Management (IAM). {: shortdesc}

Identity and Access Management roles

{: #iam-roles}

Every user that accesses the {{site.data.keyword.cos_full}} service in your account must be assigned an access policy with an IAM user role defined. That policy determines what actions the user can perform within the context of the service or instance you select. The allowable actions are customized and defined by the {{site.data.keyword.cloud_notm}} service as operations that are allowed to be performed on the service. The actions are then mapped to IAM user roles.

Policies enable access to be granted at different levels. Some of the options include the following:

After you define the scope of the access policy, you assign a role. Review the following tables which outline what actions each role allows within the {{site.data.keyword.cos_short}} service.

The following table details actions that are mapped to platform management roles. Platform management roles enable users to perform tasks on service resources at the platform level, for example assign user access for the service, create or delete service IDs, create instances, and bind instances to applications.

Platform management role Description of actions Example actions
Viewer View service instances but not modify them
  • List available COS service instances
  • View COS service plan details
  • View usage details
Editor Perform all platform actions except for managing the accounts and assigning access policies
  • Create and delete COS service instances
Operator Not used by COS None
Administrator Perform all platform actions based on the resource this role is being assigned, including assigning access policies to other users, as well as setting PublicAccess policy on buckets.
  • Update user policies
  • Update pricing plans
{: caption="IAM user roles and actions"}

The following table details actions that are mapped to service access roles. Service access roles enable users access to {{site.data.keyword.cos_short}} as well as the ability to call the {{site.data.keyword.cos_short}} API.

Service access role Description of actions Example actions
Object Writer Upload and overwrite objects (including uploading objects in multiple parts).
  • Upload objects
Object Reader Download objects, read object metadata (headers), but not list objects or buckets.
  • Download objects
Content Reader Download and list objects, read object metadata (headers), but not list buckets.
  • Download and list objects
Reader In addition to Content Reader actions, Readers can list buckets and read bucket metadata, but not make modifications.
  • List buckets
Writer In addition to Reader actions, Writers can create buckets and upload objects.
  • Create new buckets and objects
  • Remove buckets and objects
Manager In addition to Writer actions, Managers can complete privileged actions that affect access control.
  • Configure retention policies
  • Configure bucket firewalls
  • Block public ACLs
{: caption="IAM service access roles and actions"}

For information about assigning user roles in the UI, see Managing IAM access.

Identity and Access Management actions

{: #iam-actions}

Action id Description Condition attributes supported
cloud-object-storage.account.get_account_buckets List all buckets in a service instance. none
cloud-object-storage.bucket.put_bucket Create a bucket. none
cloud-object-storage.bucket.post_bucket Internal use only - unsupported for users. none
cloud-object-storage.bucket.delete_bucket Delete a bucket. none
cloud-object-storage.bucket.get List all the objects in a bucket. prefix, delimiter
cloud-object-storage.bucket.list_crk_id List the IDs of encryption root keys associated with a bucket. none
cloud-object-storage.bucket.head View bucket metadata. none
cloud-object-storage.bucket.get_versions List object versions. prefix, delimiter
cloud-object-storage.bucket.get_uploads List all active multipart uploads for a bucket. prefix, delimiter
cloud-object-storage.bucket.put_quota Unsupported operation - used for S3 API compatibility only. none
cloud-object-storage.bucket.get_acl Read a bucket ACL [deprecated]. none
cloud-object-storage.bucket.put_acl Create a bucket ACL [deprecated]. none
cloud-object-storage.bucket.get_cors Read CORS rules. none
cloud-object-storage.bucket.put_cors Add CORS rules to a bucket. none
cloud-object-storage.bucket.delete_cors Delete CORS rules. none
cloud-object-storage.bucket.get_website Read bucket website configuration. none
cloud-object-storage.bucket.put_website Add bucket website configuration. none
cloud-object-storage.bucket.delete_website Delete bucket website configuration. none
cloud-object-storage.bucket.get_versioning Check versioning status of a bucket. none
cloud-object-storage.bucket.put_versioning Enable versioning on a bucket. none
cloud-object-storage.bucket.get_object_lock_configuration Get Object Lock Configuration from the bucket. none
cloud-object-storage.bucket.put_object_lock_configuration Set Object Lock Configuration from the bucket. none
cloud-object-storage.bucket.get_fasp_connection_info View Aspera FASP connection information. none
cloud-object-storage.account.delete_fasp_connection_info Delete Aspera FASP connection information. none
cloud-object-storage.bucket.get_location View the location and storage class of a bucket. none
cloud-object-storage.bucket.get_lifecycle Read a bucket lifecycle policy. none
cloud-object-storage.bucket.put_lifecycle Create a bucket lifecycle policy. none
cloud-object-storage.bucket.get_basic Read bucket metadata (number of objects, etc) using the Resource Configuration API. none
cloud-object-storage.bucket.get_activity_tracking Read activity tracking configuration. none
cloud-object-storage.bucket.put_activity_tracking Add activity tracking configuration. none
cloud-object-storage.bucket.get_metrics_monitoring Read metrics monitoring configuration. none
cloud-object-storage.bucket.put_metrics_monitoring Add metrics monitoring configuration. none
cloud-object-storage.bucket.put_protection Add Immutable Object Storage policy. none
cloud-object-storage.bucket.get_protection Read Immutable Object Storage policy. none
cloud-object-storage.bucket.put_firewall Add a firewall configuration. none
cloud-object-storage.bucket.get_firewall Read a firewall configuration. none
cloud-object-storage.bucket.put_public_access_block Add/Update a public access block configuration for a bucket. none
cloud-object-storage.bucket.delete_public_access_block Remove public access block configuration for a bucket. none
cloud-object-storage.bucket.get_public_access_block Retrieve public access block configuration for a bucket. none
cloud-object-storage.bucket.list_bucket_crn View a bucket CRN. none
cloud-object-storage.bucket.get_notifications Internal use only - unsupported for users. none
cloud-object-storage.bucket.put_notifications Internal use only - unsupported for users. none
cloud-object-storage.bucket.get_replication Read replication configuration of a bucket. none
cloud-object-storage.bucket.put_replication Add replication configuration to a bucket. none
cloud-object-storage.bucket.delete_replication Delete replication configuration of a bucket. none
cloud-object-storage.object.get View and download objects. path
cloud-object-storage.object.head Read an object's metadata. path
cloud-object-storage.object.get_version Read a specified version of an object. path
cloud-object-storage.object.head_version Get headers for a specific version of an object. path
cloud-object-storage.object.put Write and upload objects. path
cloud-object-storage.object.post Upload an object using HTML forms [deprecated]. path
cloud-object-storage.object.post_md Update object metadata using HTML forms [deprecated]. path
cloud-object-storage.object.post_initiate_upload Initiate multipart uploads. path
cloud-object-storage.object.put_part Upload an object part. path
cloud-object-storage.object.copy_part Copy (write) an object part. path
cloud-object-storage.object.copy_part_get Copy (read) an object part. path
cloud-object-storage.object.copy_part_get_version Copy (read) an object part. path
cloud-object-storage.object.post_complete_upload Complete a multipart upload. path
cloud-object-storage.object.copy Copy (write) an object from one bucket to another. path
cloud-object-storage.object.copy_get Copy (read) an object from one bucket to another. path
cloud-object-storage.object.copy_get_version Copy (read) an object from one bucket to another. path
cloud-object-storage.object.get_acl Read object ACL [deprecated]. path
cloud-object-storage.object.get_acl_version Read object ACL Version [deprecated] path
cloud-object-storage.object.put_acl Write object ACL [deprecated]. path
cloud-object-storage.object.put_acl_version Unsupported operation - used for S3 API compatibility only. path
cloud-object-storage.object.delete Delete an object. path
cloud-object-storage.object.delete_version Delete a specific version of an object. path
cloud-object-storage.object.get_uploads List parts of an object. path
cloud-object-storage.object.delete_upload Abort a multipart upload. path
cloud-object-storage.object.restore Temporarily restore an archived object. path
cloud-object-storage.object.restore_version Temporarily restore an archived object. path
cloud-object-storage.object.get_tagging Read object tag versions path
cloud-object-storage.object.put_tagging Add/Update object tags path
cloud-object-storage.object.delete_tagging Delete object tags path
cloud-object-storage.object.post_multi_delete Delete multiple objects. none
cloud-object-storage.object.post_legal_hold Add a legal hold to an object. path
cloud-object-storage.object.get_legal_hold View any legal holds on an object. path
cloud-object-storage.object.post_extend_retention Extend a retention policy. path
cloud-object-storage.object.get_object_lock_retention Get object lock retention settings on the object. path
cloud-object-storage.object.put_object_lock_retention Set object lock retention settings on the object. path
cloud-object-storage.object.get_object_lock_legal_hold Get object lock legal hold state on the object. path
cloud-object-storage.object.put_object_lock_legal_hold Set object lock legal hold state on the object. path
cloud-object-storage.object.get_object_lock_retention_version Get object lock retention version settings on the object. path
cloud-object-storage.object.put_object_lock_retention_version Set object lock retention version settings on the object. path
cloud-object-storage.object.get_object_lock_legal_hold_version Get object lock legal hold state on the object. path
cloud-object-storage.object.put_object_lock_legal_hold_version Set object lock legal hold state on the object. path
cloud-object-storage.object.put_tagging_version Add/Update object tag versions path
cloud-object-storage.object.get_tagging_version Read object tag versions path
cloud-object-storage.object.delete_tagging_version Delete object tag versions path
{: caption="Granular IAM action descriptions"}