Object Storage - Identity and access management (EN)

25.09.2025 Cloud / Object Storage S3

Objective

The purpose of this guide is to show you how to manage your identities and access your Object Storage resources.

Requirements

Instructions

Log in to the OVHcloud Control Panel, go to the Public Cloud section, and select the Public Cloud project concerned. Then click on Object Storage in the left-hand menu.

Creating a user

Click Create User.

If you already have OpenStack users, you can select one of them:

Add Object Storage user

then

Add Object Storage user

If you choose to select an existing user, ensure that the user has an ObjectStore operator or Administrator role.

Otherwise, create a new user:

Add Object Storage user

Once your user has been created, you will see the credentials:

Credentials

By clicking on the ... at the end of a user's line, you can, among other things, download the rclone configuration file, view the user's secret key, or delete the user.

Manage access to a bucket via a profile

You can define access to your buckets via predefined profiles.

Click on the ... at the end of your bucket line, then Add a user to a container.

Add a user to a container

Select the user to add to your bucket and click Next.

Add a user to my container

Set access to your bucket for this user and click on Confirm.

Add a user to my container - Role

Manage access to an object via a profile

You can also set access to your objects via predefined profiles.

Click on the ... at the end of your object line, then Add user to my object.

object menu

Select the user and click Next.

add user to my object

Select the access profile for this user and click Confirm.

add role to my object

Advanced resource access management

Overview

By default, all resources (buckets, objects) and sub-resources (lifecycle configuration, website configuration, etc.) are private in Object Storage. Only the resource owner, i.e. the user account that created it, has full control.

Access to private resources can be granted via access policies. Access policies fall broadly into two types:

  • user based: access policies attached to a specific user are called user policies. A user policy is evaluated using Object Storage IAM permissions and applies only to the specific user it is attached to.
  • resource based: bucket policies and ACLs are policies that are attached directly to specific resources.

Bucket policies are not yet available for Object Storage. This article is about user policies.

You can refine your permissions by importing a JSON configuration file. To do this, go to the Object Storage Policy Users tab.

Object Storage users

Click on the ... at the end of your user's line, then Import JSON file.

If you want to change a user's rights, you may need to download the JSON configuration file in advance by selecting Download JSON File.

Understanding the user policy evaluation process

At the moment, user permissions are evaluated as follows:

  1. If a user policy exists, evaluate it; otherwise fall back to ACLs:
    1. check for an explicit deny: if there is an explicit deny, deny the permission; otherwise check for an explicit allow
    2. check for an explicit allow: if there is an explicit allow, allow the permission
    3. if there is neither an explicit deny nor an explicit allow, fall back to ACLs
  2. Fall back to ACLs.

This evaluation process will be subject to change with the upcoming implementation of bucket policies.

Some examples of JSON configuration files:

Read/write access to a bucket and its objects

{
  "Statement":[{
    "Sid": "RWContainer",
    "Effect": "Allow",
    "Action":["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListMultipartUploadParts", "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload", "s3:GetBucketLocation"],
    "Resource":["arn:aws:s3:::hp-bucket", "arn:aws:s3:::hp-bucket/*"]
  }]
}

Read-only access to a bucket and its objects

{
  "Statement":[{
    "Sid": "ROContainer",
    "Effect": "Allow",
    "Action":["s3:GetObject", "s3:ListBucket", "s3:ListMultipartUploadParts", "s3:ListBucketMultipartUploads"],
    "Resource":["arn:aws:s3:::hp-bucket", "arn:aws:s3:::hp-bucket/*"]
  }]
}

Deny listing of all buckets owned by the parent account

The s3:ListAllMyBuckets action is allowed by default for a given user. Add a Deny effect if you want to explicitly refuse use of the ListBuckets API operation.

{
  "Statement":[{
    "Sid": "DenyListBucket",
    "Effect": "Deny",
    "Action":["s3:ListAllMyBuckets"],
    "Resource":["*"]
  }]
}

Allow all operations on all project resources

{
  "Statement":[{
    "Sid": "FullAccess",
    "Effect": "Allow",
    "Action":["s3:*"],
    "Resource":["*"]
  }]
}

Read/write access to all objects in a specific folder (/home/user2) in a specific bucket (companybucket)

{
  "Statement":[{
    "Sid": "RWContainer",
    "Effect": "Allow",
    "Action":["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListMultipartUploadParts", "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload", "s3:GetBucketLocation"],
    "Resource":["arn:aws:s3:::companybucket", "arn:aws:s3:::companybucket/home/user2/*"]
  }]
}

Allow all operations to specific IPs by whitelisting authorized IPs

{
  "Statement": [{
    "Sid": "ExampleStatement01",
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::companybucket",
      "arn:aws:s3:::companybucket/*"
    ],
    "Condition": {
      "IpAddress": {
        "aws:SourceIp": "10.0.0.5/16"
      }
    }
  }]
}

As a consequence of the current authorization process, implicit deny is not supported by OVHcloud Object Storage when the user is the bucket owner: ACLs are evaluated as the fallback and the bucket owner holds the FULL_CONTROL ACL, so even if the policy contains no explicit allow for a request, the bucket owner will be authorized.

The following policy, which attempts to allow read access to objects only from specific IPs, will not work under current conditions if attached to the bucket owner: even if the bucket owner sends requests from IPs outside the specified range, they will be authorized.

{
  "Statement": [{
    "Sid": "ExampleStatement01",
    "Effect": "Allow",
    "Action": [
      "s3:GetObject",
      "s3:ListBucket",
      "s3:ListBucketVersions"
    ],
    "Resource": [
      "arn:aws:s3:::companybucket/*"
    ],
    "Condition": {
      "IpAddress": {
        "aws:SourceIp": "10.0.0.5/16"
      }
    }
  }]
}

The following policy, which attempts to deny read access to objects from specific IPs by blacklisting unauthorized IPs, will not work under current conditions if attached to the bucket owner. There is no explicit deny, and requests from the specified IPs simply do not match the allow statement, so evaluation falls back to the ACLs, where the owner's FULL_CONTROL grants access.

{
  "Statement": [{
    "Sid": "ExampleStatement01",
    "Effect": "Allow",
    "Action": [
      "s3:GetObject",
      "s3:ListBucket",
      "s3:ListBucketVersions"
    ],
    "Resource": [
      "arn:aws:s3:::companybucket/*"
    ],
    "Condition": {
      "NotIpAddress": {
        "aws:SourceIp": "10.0.0.5/16"
      }
    }
  }]
}
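To make the evaluation order and the owner caveat concrete, here is an added example (not OVHcloud code) of a small evaluator that applies the documented steps: explicit deny, then explicit allow, then ACL fallback. The policy it loads is the blacklist example above; the `acl_allows` flag is an assumption standing in for the ACL check, and is True for the bucket owner because of the FULL_CONTROL ACL.

```python
import fnmatch
import ipaddress
import json

# Constructed copy of the page's "blacklist" policy (Allow + NotIpAddress).
BLACKLIST_POLICY = json.loads("""{
  "Statement": [{
    "Sid": "ExampleStatement01",
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:ListBucketVersions"],
    "Resource": ["arn:aws:s3:::companybucket/*"],
    "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.5/16"}}
  }]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _ip_in(source_ip, cidrs):
    ip = ipaddress.ip_address(source_ip)
    # strict=False so a host address like 10.0.0.5/16 is accepted as its /16 network.
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))

def _condition_ok(cond, source_ip):
    """Only the IpAddress / NotIpAddress operators on aws:SourceIp are modelled."""
    for op, kv in (cond or {}).items():
        match = _ip_in(source_ip, kv["aws:SourceIp"])
        if (op == "IpAddress" and not match) or (op == "NotIpAddress" and match):
            return False
    return True

def evaluate(policy, action, resource, source_ip, acl_allows):
    """Return 'ALLOW' or 'DENY' using the documented order:
    explicit deny, then explicit allow, then fall back to ACLs."""
    decision = None
    for st in (policy or {}).get("Statement", []):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition"), source_ip):
            continue  # statement does not apply to this request
        if st["Effect"] == "Deny":
            return "DENY"        # an explicit deny wins immediately
        decision = "ALLOW"       # explicit allow, unless a later deny matches
    if decision:
        return decision
    # Nothing matched: fall back to ACLs (assumption: acl_allows models that check,
    # True for the bucket owner, who holds FULL_CONTROL).
    return "ALLOW" if acl_allows else "DENY"
```

Running it with a source IP inside 10.0.0.0/16 shows the trap: a plain user is denied because nothing matched, but the bucket owner is still allowed by the ACL fallback.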

List of supported actions

Action                                    Scope
s3:AbortMultipartUpload                   Object
s3:BypassGovernanceRetention              Object
s3:CreateBucket                           Bucket
s3:DeleteBucket                           Bucket
s3:DeleteObject                           Object
s3:DeleteBucketTagging                    Bucket
s3:DeleteBucketWebsite                    Bucket
s3:DeleteObjectTagging                    Object
s3:GetBucketAcl                           Bucket
s3:GetBucketCORS                          Bucket
s3:GetBucketLocation                      Bucket
s3:GetBucketLogging                       Bucket
s3:GetBucketObjectLockConfiguration       Bucket
s3:GetBucketTagging                       Bucket
s3:GetBucketVersioning                    Bucket
s3:GetBucketWebsite                       Bucket
s3:GetEncryptionConfiguration             Bucket
s3:GetIntelligentTieringConfiguration     Bucket
s3:GetLifecycleConfiguration              Bucket
s3:GetObject                              Object
s3:GetObjectAcl                           Object
s3:GetObjectLegalHold                     Object
s3:GetObjectRetention                     Object
s3:GetObjectTagging                       Object
s3:GetReplicationConfiguration            Bucket
s3:ListAllMyBuckets                       Bucket
s3:ListBucket                             Bucket
s3:ListBucketMultipartUploads             Bucket
s3:ListMultipartUploadParts               Object
s3:ListBucketVersions                     Bucket
s3:PutBucketAcl                           Bucket
s3:PutBucketCORS                          Bucket
s3:PutBucketLogging                       Bucket
s3:PutBucketObjectLockConfiguration       Bucket
s3:PutBucketTagging                       Bucket
s3:PutBucketVersioning                    Bucket
s3:PutBucketWebsite                       Bucket
s3:PutEncryptionConfiguration             Bucket
s3:PutIntelligentTieringConfiguration     Bucket
s3:PutLifecycleConfiguration              Bucket
s3:PutObject                              Object
s3:PutObjectAcl                           Object
s3:PutObjectLegalHold                     Object
s3:PutObjectRetention                     Object
s3:PutObjectTagging                       Object
s3:PutReplicationConfiguration            Object

Go further

If you need training or technical assistance to implement our solutions, contact your sales representative or click on this link to get a quote and ask our Professional Services experts to assist you with your project's specific use case.

Join our community of users.
