Limiting access to a single Object Storage bucket
IBM Cloud IAM resource groups and access groups allow administrators to restrict users' access to various service instances, but what if a user needs to access only a limited number of buckets within a service instance? This can be accomplished using a custom role and a narrowly tailored IAM policy.
This tutorial provides an introduction to granting access to a single Object Storage bucket.
If you're not familiar with IBM Cloud® Object Storage, you can quickly get an overview by getting started with IBM Cloud Object Storage. Also, if you're not familiar with IAM, you may wish to check out how to get started with IAM.
Before you begin
If you are already managing instances of Object Storage or IAM, you do not need to create more. However, as this tutorial will modify and configure the instance we are working with, make sure that any accounts or services are not being used in a production environment.
This tutorial will create a new access policy and a new custom role in the process.
For this tutorial, you need:
- An IBM Cloud® Platform account
- An instance of IBM Cloud Object Storage
- A bucket to which a user should be constrained
- To complete the steps to manage access to the service, your user ID needs administrator platform permissions to use the IAM service. You may have to contact or work with an account administrator.
Create a custom role
First, we need to create a role that allows a user to view a list of buckets, but not to access them or be able to create new buckets.
1. Navigate to IAM by following the Manage drop-down menu and selecting Access (IAM).
2. Select Roles from the navigation menu.
3. Click the Create button to create a new role.
4. We can call this role "List Buckets Only". Give it a name, ID, and brief description, and then select Cloud Object Storage from the drop-down menu.
5. Scroll down until you see the list of actions. Click Clear all to remove all actions from the new role.
6. Look for the cloud-object-storage.account.get_account_buckets action and click Add.
7. Click Create to finish creating the custom role.
Create a new user access policy
Now that we have our new role, we can apply it to a user.
1. Follow the Users link in the navigation menu, and select the user requiring limited access.
2. Click on the Assign access button.
3. Select the Access policy tile and select Cloud Object Storage.
4. Scroll down and assign the new role by checking the box next to List Buckets Only.
5. Click Add.
6. Repeat step 3, but this time we'll limit the scope. Select the radio button next to Specific resources.
7. Select Resource ID from the Attribute type drop-down menu.
8. Type the name of the bucket that the user should be able to access in the Value field. In this case, it's a bucket called diagnostics.
9. In the Roles and access section, select the Content Reader and Object Writer roles. You'll also need the Platform Viewer role, if you don't already have it, in order to view the UI.
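As an added example (not code from the IBM Cloud docs), here are the two policies this tutorial creates through the UI, written in the JSON shape used by the IAM Policy Management API, together with a small audit that flags any policy granting more than list or viewer rights at a scope wider than one bucket. The IAM ID, instance GUID and role CRNs are placeholders, and the custom role's CRN in particular is an assumption.

```python
# Placeholder identifiers, constructed for this example (not real IDs).
USER_IAM_ID = "IBMid-EXAMPLEUSER"
COS_INSTANCE = "00000000-0000-0000-0000-000000000000"
# Role CRNs: the custom role's CRN is an assumed placeholder; the rest follow the IAM CRN pattern.
LIST_ONLY_ROLE = "crn:v1:bluemix:public:iam::::customRole:ListBucketsOnly"
PLATFORM_VIEWER = "crn:v1:bluemix:public:iam::::role:Viewer"
CONTENT_READER = "crn:v1:bluemix:public:iam::::serviceRole:ContentReader"
OBJECT_WRITER = "crn:v1:bluemix:public:iam::::serviceRole:ObjectWriter"
# Roles acceptable above bucket level: listing bucket names and viewing the console.
WIDE_SCOPE_OK = {LIST_ONLY_ROLE, PLATFORM_VIEWER}


def cos_policy(iam_id, role_ids, bucket=None):
    """Build a COS access policy; pass bucket= for the 'Specific resources' scope."""
    attributes = [
        {"name": "serviceName", "value": "cloud-object-storage"},
        {"name": "serviceInstance", "value": COS_INSTANCE},
    ]
    if bucket is not None:
        attributes += [
            {"name": "resourceType", "value": "bucket"},
            {"name": "resource", "value": bucket},
        ]
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
        "roles": [{"role_id": r} for r in role_ids],
        "resources": [{"attributes": attributes}],
    }


def bucket_scope(policy):
    """Return the set of buckets a policy is pinned to, or None if any resource is wider."""
    buckets = set()
    for res in policy["resources"]:
        attrs = {a["name"]: a["value"] for a in res["attributes"]}
        if attrs.get("resourceType") != "bucket" or "resource" not in attrs:
            return None
        buckets.add(attrs["resource"])
    return buckets or None


def audit(policies):
    """Return (index, roles) for policies granting non-list roles beyond one bucket."""
    findings = []
    for i, policy in enumerate(policies):
        wide_roles = {r["role_id"] for r in policy["roles"]} - WIDE_SCOPE_OK
        if wide_roles and bucket_scope(policy) is None:
            findings.append((i, sorted(wide_roles)))
    return findings
```

Running `audit` over the two tutorial policies returns no findings; adding an Object Writer policy without the bucket attribute produces one.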
Next steps
Congratulations, you've just set up a policy to limit access to a single bucket.