There are two buckets under root account A (APPID:
examplebucket2-1250000000, which sub-account B0 under root account B wants to manipulate to meet its business needs. This document describes how to authorize it to do so.
Authorizing root account B to manipulate buckets under root account A
- Log in to the COS Console with root account A.
- Click Bucket List, find the bucket to be authorized, and click its name to enter the bucket details page.
- On the left sidebar, click Permission Management to enter the bucket's permission management page.
- Locate Permission Policy Settings, click Add Policy, and select or enter the items as shown below:
- Effect: Allowed.
- User: Click "Add User", select root account for user type, and enter root account B's UIN for account ID, such as 100000000002.
- Resource: Select an option as needed (the entire bucket by default).
- Resource Path: It needs to be entered only for specified resources.
- Operation: Click "Add Operation" and select all operations. If you want to grant root account B permissions to only certain operations, you can also select one or more operations as needed.
- Filter: Add a filter or leave it blank as needed.
- Click OK to grant root account B specified permissions to the bucket.
- If you need to authorize root account B to manipulate other buckets, repeat the above steps.
Authorizing sub-account B0 to manipulate buckets under root account A
- Log in to the CAM Console with root account B and go to the Policy page.
- Click Create Custom Policy > Create by Policy Syntax, select a blank template, and click Next.
Root account B can grant its sub-account B0 permissions only using a custom policy, but not a preset policy.
- Fill in the form as shown below:
- Policy Name: Designate a unique and meaningful name for the policy, such as
- Remarks: Optional; add remarks as needed.
- Policy Content:
uid/1250000000 is the
APPID of root account A, and
examplebucket1-1250000000 is the name of the bucket to authorize.
examplebucket1-1250000000/* means that all buckets under root account A that have been authorized to root account B will be authorized to its sub-account B0.
4. Click Done.
5. Locate the created policy in the policy list and click Bind User/User Group on the right.
6. In the Bind User/User Group pop-up window, select sub-account B0 and click OK.
7. Then, the authorization is completed, and you can use the key of sub-account B0 to manipulate the bucket under root account A.