Granting Sub-account Under One Root Account Permission to Manipulate Buckets Under Another Root Account

Last updated: 2020-09-21 18:11:18


    There are two buckets under root account A (APPID: 1250000000): examplebucket1-1250000000 and examplebucket2-1250000000, which sub-account B0 under root account B wants to manipulate to meet its business needs. This document describes how to authorize it to do so.


    Authorizing root account B to manipulate buckets under root account A

    1. Log in to the COS Console with root account A.
    2. Click Bucket List, find the bucket to be authorized, and click its name to enter the bucket details page.
    3. On the left sidebar, click Permission Management to enter the bucket's permission management page.
    4. Locate Permission Policy Settings, click Add Policy, and select or enter the items as shown below:
      • Effect: Allowed.
      • User: Click "Add User", select root account for user type, and enter root account B's UIN for account ID, such as 100000000002.
      • Resource: Select an option as needed (the entire bucket by default).
      • Resource Path: It needs to be entered only for specified resources.
      • Operation: Click "Add Operation" and select all operations. If you want to grant root account B permissions to only certain operations, you can also select one or more operations as needed.
      • Filter: Add a filter or leave it blank as needed.
    5. Click OK to grant root account B specified permissions to the bucket.
    6. If you need to authorize root account B to manipulate other buckets, repeat the above steps.

    Authorizing sub-account B0 to manipulate buckets under root account A

    1. Log in to the CAM Console with root account B and go to the Policy page.

    2. Click Create Custom Policy > Create by Policy Syntax, select a blank template, and click Next.

      Root account B can grant its sub-account B0 permissions only using a custom policy, but not a preset policy.

    3. Fill in the form as shown below:

      • Policy Name: Designate a unique and meaningful name for the policy, such as cos-child-account.
      • Remarks: Optional; add remarks as needed.
      • Policy Content:
        "version": "2.0",
        "statement": [
              "action": "cos:*",
              "effect": "allow",
              "resource": "qcs::cos::uid/1250000000:examplebucket1-1250000000/*"
        Specifically, "1250000000" in uid/1250000000 is the APPID of root account A, and examplebucket1-1250000000 is the bucket name to be authorized. The examplebucket1-1250000000/*, meaning that all buckets under root account A that root account B are authorized to manipulate will be authorized to sub-account B0.
    4. Click Done.

    5. Locate the created policy in the policy list and click Bind User/User Group on the right.

    6. In the Bind User/User Group pop-up window, select sub-account B0 and click OK.

    7. Then, the authorization is completed, and you can use the key of sub-account B0 to manipulate the bucket under root account A.