Granting authorization through bucket policy (Policy) only targets specified buckets, and you need to [create a bucket] first (https://intl.cloud.tencent.com/document/product/436/13309). For authorization on account dimension, please refer to Granting authorization through access management (CAM) in this document.
2. Prepare UIN of the account to be authorized
This document assumes that the primary account who owns the target bucket has a UIN of 100000000001, and that for its sub-account is 100000000011. The sub-account needs to be authorized to access the destination bucket.
- To query sub-accounts created under the main account, log into the CAM Console and view them under User List.
- To create a new sub-account, please refer to the Create New Sub-User document.
- Open the [Add Policy] dialog box
Enter [Permission Management] of the destination bucket, select [Policy Permission Settings]> [Graphic Settings], click to open the [Add Policy] dialog box, and then configure following the authorization cases in this document. For detailed instructions on how to add policies, see the Add Bucket Policy document.
The following lists several authorization cases, which you can configure according to actual needs.
The configuration information is as follows:
| Configuration Item | Configuration Value |
|---|---|
| Effect | Allow |
| User Type | Sub-Account |
| Account ID | UIN of the sub-account, which must be a sub-account under the current main account, such as 100000000011 |
| Resource | Specified Resource |
| Resource Path | Specified directory prefix, such as folder/sub-folder/, need to end with / |
| Operation Name | All Operations |
The configuration information is as follows:
| Configuration Item | Configuration Value |
|---|---|
| Effect | Allow |
| User Type | Sub-Account |
| Account ID | UIN of the sub-account, which must be a sub-account under the current main account, such as 100000000011 |
| Resource | Specified Resource |
| Resource Path | Specified directory prefix, such as folder/sub-folder/, need to end with / |
| Operation Name | Read operation (including list of objects) |
The configuration information is as follows:
| Configuration Item | Configuration Value |
|---|---|
| Effect | Allow |
| User Type | Sub-Account |
| Account ID | UIN of the sub-account, which must be a sub-account under the current main account, such as 100000000011 |
| Resource | Specified Resource |
| Resource Path | Specified object key, such as folder/sub-folder/exampleobject |
| Operation Name | All Operations |
For this case, we need to add two policies: allow policy and prohibit policy.
| Configuration Item | Configuration Value |
|---|---|
| Effect | Allow |
| User Type | Sub-Account |
| Account ID | UIN of the sub-account, which must be a sub-account under the current main account, such as 100000000011 |
| Resource | Specified Resource |
| Resource Path | Specified directory prefix, such as folder/sub-folder/, need to end with / |
| Operation Name | All Operations |
| Configuration Item | Configuration Value |
|---|---|
| Effect | Prohibit |
| User Type | Sub-Account |
| Account ID | UIN of the sub-account, which must be a sub-account under the current main account, such as 100000000011 |
| Resource | Specified Resource |
| Resource path | Object keys to be prohibited, such as folder/sub-folder/privateobject |
| Operation Name | All Operations |
| Configuration Item | Configuration Value |
|---|---|
| Effect | Allow |
| User Type | Sub-Account |
| Account ID | UIN of the sub-account, which must be a sub-account under the current main account, such as 100000000011 |
| Resource | Specified Resource |
| Resource Path | Specified prefix, such as `folder/sub-folder/prefix |
| Operation Name | All Operations |
If users need to authorize the account dimension, please refer to the following documents for configuration:
Was this page helpful?