Help & DocumentationCloud Access ManagementBusiness Use CaseCOS-related CasesAuthorizing Cross-Account ’s Sub-account Read/Write Access to Specified File

Authorizing Cross-Account ’s Sub-account Read/Write Access to Specified File

Last updated: 2019-12-04 10:54:53


The enterprise account CompanyGranter (ownerUin is 12345678 and appId is 1250000000) has an object Object1 located in the directory dir1 of the Bucket1 in Guangzhou region. And the sub-account of another enterprise account CompanyGrantee (ownerUin is 87654321) requires the read/write permission of Object1 above.

Here involves permission propagation.

Step 1: Enterprise account CompanyGrantee creates the following policy using policy syntax

    "version": "2.0",
         "effect": "allow",
         "action": "cos:*",
         "resource": "qcs::cos:ap-shanghai:uid/1250000000:Bucket1-1250000000/dir1/Object1"

Step 2: Authorize the policy to the sub-account. For more information on authorization, please see Authorization Management.

Step 3: Enterprise account CompanyGranter authorizes Object1 to enterprise account CompanyGrantee by configuring Policy and ACL via the COS console. For more information, please see COS documentation.