Objective
The purpose of this guide is to show you how to manage your identities and access your S3 Object Storage resources.
Requirements
- A Public Cloud project in your OVHcloud account
- Access to your OVHcloud Control Panel
Instructions
Log in to the OVHcloud Control Panel, go to the Public Cloud section, and select the Public Cloud project concerned. Then click on Object Storage on the left-hand sidebar.
Creating a user
Navigate to the S3 users tab and click Add User.
Type in the username you have chosen and then click Create. Once your user has been created, you will see the credentials:
By clicking on the ... at the end of a user’s line, you can, among other things, download the Rclone configuration file, see the user’s secret key, and delete the user.
Manage access to a container via a profile
You can define access to your containers via pre-defined profiles.
Click on the ... at the end of your container line and then select Add a user to a container from the drop-down menu.
Select the user to add to your container and click Next.
Set access to your container for this user and click on Confirm.
Manage access to an object via a profile
You can also set access to your objects via pre-defined profiles.
Click on the ... at the end of your object line and then select Add user to my object from the drop-down menu.
Select the user and click Next.
Select the access profile for this user and click Confirm.
Advanced resource access management
You can refine your permissions by importing a JSON configuration file. To do this, go to the S3 Users tab.
Click on the ... at the end of your user’s line, then Import S3 Policy (JSON).
If you want to change a user’s rights, you may need to download the JSON configuration file in advance by selecting Download S3 Policy (JSON).
Some examples of JSON configuration files:
Read/write access to a container and its objects
{"Statement":[{"Sid":"RWContainer","Effect":"Allow","Action":["s3:GetObject","s3:PutObject","s3:DeleteObject","s3:ListBucket","s3:ListMultipartUploadParts","s3:ListBucketMultipartUploads","s3:AbortMultipartUpload","s3:GetBucketLocation"],"Resource":["arn:aws:s3:::hp-bucket","arn:aws:s3:::hp-bucket/*"]}]}
Read-only access to a container and its objects
{"Statement":[{"Sid":"ROContainer","Effect":"Allow","Action":["s3:GetObject","s3:ListBucket","s3:ListMultipartUploadParts","s3:ListBucketMultipartUploads"],"Resource":["arn:aws:s3:::hp-bucket","arn:aws:s3:::hp-bucket/*"]}]}
Allow all operations on all project resources
{"Statement":[{"Sid":"FullAccess","Effect":"Allow","Action":["s3:*"],"Resource":["*"]}]}
Read/write access to all objects in a specific folder (/home/user2) in a specific container (companybucket)
{"Statement":[{"Sid":"RWContainer","Effect":"Allow","Action":["s3:GetObject","s3:PutObject","s3:DeleteObject","s3:ListBucket","s3:ListMultipartUploadParts","s3:ListBucketMultipartUploads","s3:AbortMultipartUpload","s3:GetBucketLocation"],"Resource":["arn:aws:s3:::companybucket","arn:aws:s3:::companybucket/home/user2/*"]}]}