
Limiting access to a single Object Storage bucket

IBM Cloud IAM resource groups and access groups allow administrators to restrict users' access to various service instances, but what if a user needs access to only a limited number of buckets within a service instance? This can be accomplished using a custom role and a narrowly tailored IAM policy.

This tutorial provides an introduction to granting access to a single Object Storage bucket.

If you're not familiar with IBM Cloud® Object Storage, you can quickly get an overview by getting started with IBM Cloud Object Storage. Also, if you're not familiar with IAM, you may wish to check out how to get started with IAM.

Before you begin

If you are already managing instances of Object Storage or IAM, you do not need to create more. However, as this tutorial will modify and configure the instance we are working with, make sure that any accounts or services are not being used in a production environment.

This tutorial will create a new access policy and a new custom role in the process.

For this tutorial, you need:

Create a custom role

First, we need to create a role that allows a user to view the list of buckets, but not to access their contents or create new buckets.

  1. Navigate to IAM by following the Manage drop-down menu, and selecting Access (IAM).

  2. Select Roles from the navigation menu.

  3. Click the Create button to create a new role.

    Figure 1: Creating a custom role.

  4. We can call this role "List Buckets Only". Give it a name, ID, and brief description, and then select Cloud Object Storage from the drop-down menu.


  5. Scroll down until you see the list of actions. Click Clear all to remove all actions from the new role.


  6. Look for the cloud-object-storage.account.get_account_buckets action and click Add.


  7. Click Create to finish creating the custom role.

Create a new user access policy

Now that we have our new role, we can apply it to a user.

  1. Follow the Users link in the navigation menu, and select the user requiring limited access.

  2. Click on the Assign access button.


  3. Select the Access policy tile and select Cloud Object Storage.


  4. Scroll down and assign the new role by checking the box next to List Buckets Only.

  5. Click Add.


  6. Repeat step 3, but this time we'll limit the scope. Select the radio toggle next to Specific resources.

  7. Select Resource ID from the Attribute type drop-down menu.

  8. Type in the name of the bucket that the user should be able to access in the Value field. In this case, it's a bucket called diagnostics.


  9. In the Roles and access section, select the Content Reader and Object Writer roles. You'll also need the Platform Viewer role, if you don't already have it, in order to view the UI.

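The two procedures above (the custom role, then the instance-wide policy plus the bucket-scoped policy) together produce a least-privilege arrangement that is easy to get subtly wrong, for example by forgetting the resource ID attribute and granting Object Writer on every bucket. The following added example (not code from IBM Cloud Docs or from the COS service) builds both policies as documents and runs a toy evaluator over a few requests so you can see which ones the combination permits. The document layout (subjects, roles and resources as name/value attribute lists) follows the shape of IAM access policies as an assumption; the account, instance and IAM IDs are placeholders; and every action name except `cloud-object-storage.account.get_account_buckets` (which the tutorial names) is an assumed, illustrative subset of what those roles really grant.

```python
"""Added example: model the tutorial's role and policies and check their scoping.

Assumptions (labelled): policy document shape approximates IAM access policies;
IDs below are placeholders; role->action mapping is illustrative except for the
get_account_buckets action, which the tutorial names.
"""

ACCOUNT_ID = "ACCOUNT_ID_PLACEHOLDER"        # assumption: not on the page
INSTANCE_ID = "COS_INSTANCE_ID_PLACEHOLDER"  # assumption: not on the page
USER_IAM_ID = "IBMid-PLACEHOLDER"            # assumption: not on the page
SERVICE = "cloud-object-storage"

# Actions each role grants. Only get_account_buckets comes from the page; the
# ContentReader/ObjectWriter entries are an assumed subset used for illustration.
ROLE_ACTIONS = {
    "ListBucketsOnly": {"cloud-object-storage.account.get_account_buckets"},
    "ContentReader": {"cloud-object-storage.object.get"},
    "ObjectWriter": {"cloud-object-storage.object.put"},
}


def attrs(**kv):
    """IAM-style attribute list: [{"name": ..., "value": ...}, ...]."""
    return [{"name": k, "value": v} for k, v in kv.items()]


def custom_role_definition():
    """The 'List Buckets Only' role from the first procedure (assumed body shape)."""
    return {
        "name": "ListBucketsOnly",
        "display_name": "List Buckets Only",
        "description": "View the bucket list; no bucket or object access",
        "service_name": SERVICE,
        "account_id": ACCOUNT_ID,
        "actions": sorted(ROLE_ACTIONS["ListBucketsOnly"]),
    }


def list_only_policy():
    """Policy from steps 1-5: the custom role on the whole instance, no bucket scope."""
    return {
        "type": "access",
        "subjects": [{"attributes": attrs(iam_id=USER_IAM_ID)}],
        "roles": [{"role_id": "ListBucketsOnly"}],
        "resources": [{"attributes": attrs(
            accountId=ACCOUNT_ID, serviceName=SERVICE, serviceInstance=INSTANCE_ID)}],
    }


def single_bucket_policy(bucket="diagnostics"):
    """Policy from steps 6-9: Content Reader + Object Writer, scoped by Resource ID."""
    return {
        "type": "access",
        "subjects": [{"attributes": attrs(iam_id=USER_IAM_ID)}],
        "roles": [{"role_id": "ContentReader"}, {"role_id": "ObjectWriter"}],
        "resources": [{"attributes": attrs(
            accountId=ACCOUNT_ID, serviceName=SERVICE, serviceInstance=INSTANCE_ID,
            resourceType="bucket", resource=bucket)}],
    }


def _matches(policy, iam_id, request):
    """True if the policy names this subject and every resource attribute it lists
    is present in the request with the same value (unlisted attributes are unconstrained)."""
    subject_ok = any(
        any(a["name"] == "iam_id" and a["value"] == iam_id for a in s["attributes"])
        for s in policy["subjects"])
    resource_ok = any(
        all(request.get(a["name"]) == a["value"] for a in r["attributes"])
        for r in policy["resources"])
    return subject_ok and resource_ok


def is_allowed(policies, iam_id, action, request):
    """Toy evaluator: allow if some policy matches subject and resource and one of
    its roles grants the action; otherwise deny (there is no explicit deny here)."""
    for policy in policies:
        if not _matches(policy, iam_id, request):
            continue
        granted = set().union(*(ROLE_ACTIONS.get(r["role_id"], set()) for r in policy["roles"]))
        if action in granted:
            return True
    return False


def check_scoping(bucket="diagnostics"):
    """Exercise both policies with constructed requests; returns request -> decision."""
    policies = [list_only_policy(), single_bucket_policy(bucket)]
    instance = {"accountId": ACCOUNT_ID, "serviceName": SERVICE, "serviceInstance": INSTANCE_ID}
    in_bucket = dict(instance, resourceType="bucket", resource=bucket)
    elsewhere = dict(instance, resourceType="bucket", resource="other-bucket")
    list_action = "cloud-object-storage.account.get_account_buckets"
    return {
        "list_buckets": is_allowed(policies, USER_IAM_ID, list_action, instance),
        "read_object_in_bucket": is_allowed(policies, USER_IAM_ID, "cloud-object-storage.object.get", in_bucket),
        "write_object_in_bucket": is_allowed(policies, USER_IAM_ID, "cloud-object-storage.object.put", in_bucket),
        "read_object_elsewhere": is_allowed(policies, USER_IAM_ID, "cloud-object-storage.object.get", elsewhere),
        "create_bucket": is_allowed(policies, USER_IAM_ID, "cloud-object-storage.bucket.put", instance),
        "other_user_lists": is_allowed(policies, "IBMid-SOMEONE-ELSE", list_action, instance),
    }


if __name__ == "__main__":
    for request, decision in check_scoping().items():
        print(f"{request:24s} {'ALLOW' if decision else 'DENY'}")
```

The useful check is the `read_object_elsewhere` case: if you drop the `resourceType`/`resource` attributes from `single_bucket_policy` (the equivalent of skipping steps 6 to 8 in the console), that request flips to allowed, which is exactly the over-broad grant the tutorial is designed to avoid.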

Next steps

Congratulations, you've just set up a policy to limit access to a single bucket.