Object Storage - Identity and access management – Support Guides

Learn how to manage your identities and access your Object Storage resources.

Requirements

A Public Cloud project in your OVHcloud account
Access to your OVHcloud Control Panel

Instructions

Creating a user

From the OVHcloud Control Panel:

Choose Public Cloud from the top navigation bar.
In the left-hand menu, click Object Storage.
Choose the Object Storage users tab.
Click + Add User.

PCI_OS_GS_users01**.png

In the pop-up window, you can create a new user or select an existing user.

Select Create a new user, provide a User description, and click Create.

PCI_OS_GS_users02*.png

If you choose to select an existing user, ensure that the user has an ObjectStore operator or Administrator role.

Select Select an existing user, select the user, and click Create.

PCI_OS_GS_users03*.png

Once your user has been created, you will see the credentials:

By clicking on the more options ... button at the end of a user’s line, you can, among other things, download the Rclone configuration file, see the user’s secret key, and delete the user.

Manage access to a container via a profile

You can define access to your containers via pre-defined profiles.

From the My containers tab, click on the more options ... button at the end of your container line, and then select Add a user to a container from the drop-down menu.

PCI_OS_GS_users05*.png

Select the user to add to your container and click Next.

PCI_OS_GS_users06*.png

Select the role of your user on your container and click on Confirm.

PCI_OS_GS_users07*.png

Manage access to an object via a profile

You can also set access to your objects via pre-defined profiles.

Click the more options ... button at the end of your object line and then select Add user to my object from the drop-down menu.

PCI_OS_GS_users08*.png

Select the user and click Next.

PCI_OS_GS_users09*.png

Select the access profile for this user and click Confirm.

PCI_OS_GS_users10*.png

Advanced resource access management

You can refine your permissions by importing a JSON configuration file. To do this, go to the Object Storage Users tab.

Click on the more options ... at the end of your user’s line, then Import Policy (JSON).

PCI_OS_GS_users11*.png

If you want to change a user’s rights, you may need to download the JSON configuration file in advance by selecting Download Policy (JSON).

Some examples of JSON configuration files:

Read/write access to a bucket and its objects

{
  "Statement":[{
    "Sid": "RWContainer",
    "Effect": "Allow",
    "Action":["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListMultipartUploadParts", "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload", "s3:GetBucketLocation"],
    "Resource":["arn:aws:s3:::hp-bucket", "arn:aws:s3:::hp-bucket/*"]
  }]
}

Read-only access to a bucket and its objects

{
  "Statement":[{
    "Sid": "ROContainer",
    "Effect": "Allow",
    "Action":["s3:GetObject", "s3:ListBucket", "s3:ListMultipartUploadParts", "s3:ListBucketMultipartUploads"],
    "Resource":["arn:aws:s3:::hp-bucket", "arn:aws:s3:::hp-bucket/*"]
  }]
}

Allow all operations on all project resources

{
  "Statement":[{
    "Sid": "FullAccess",
    "Effect": "Allow",
    "Action":["s3:*"],
    "Resource":["*"]
  }]
}

Read/write access to all objects in a specific folder (/home/user2) in a specific bucket (companybucket)

{
  "Statement":[{
    "Sid": "RWContainer",
    "Effect": "Allow",
    "Action":["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListMultipartUploadParts", "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload", "s3:GetBucketLocation"],
    "Resource":["arn:aws:s3:::companybucket", "arn:aws:s3:::companybucket/home/user2/*"]
  }]
}

List of supported actions

Action	Scope
s3:AbortMultipartUpload	Object
s3:BypassGovernanceRetention	Object
s3:CreateBucket	Bucket
s3:DeleteBucket	Bucket
s3:DeleteObject	Object
s3:DeleteBucketTagging	Bucket
s3:DeleteBucketWebsite	Bucket
s3:DeleteObject	Object
s3:DeleteObjectTagging	Object
s3:GetBucketAcl	Bucket
s3:GetBucketCORS	Bucket
s3:GetBucketLocation	Bucket
s3:GetBucketLogging"	Bucket
s3:GetBucketObjectLockConfiguration	Bucket
s3:GetBucketTagging	Bucket
s3:GetBucketVersioning	Bucket
s3:GetBucketWebsite	Bucket
s3:GetEncryptionConfiguration	Bucket
s3:GetIntelligentTieringConfiguration	Bucket
s3:GetLifecycleConfiguration	Bucket
s3:GetObject	Object
s3:GetObjectAcl	Object
s3:GetObjectLegalHold	Object
s3:GetObjectRetention	Object
s3:GetObjectTagging	Object
s3:GetReplicationConfiguration	Bucket
s3:ListBucket	Bucket
s3:ListBucketMultipartUploads	Bucket
s3:ListMultipartUploadParts	Object
s3:ListBucketMultipartUploads	Bucket
s3:ListBucketVersions	Bucket
s3:ListMultipartUploadParts	Object
s3:PutBucketAcl	Bucket
s3:PutBucketCORS	Bucket
s3:PutBucketLogging	Bucket
s3:PutBucketObjectLockConfiguration	Bucket
s3:PutBucketTagging	Bucket
s3:PutBucketVersioning	Bucket
s3:PutBucketWebsite	Bucket
s3:PutEncryptionConfiguration	Bucket
s3:PutIntelligentTieringConfiguration	Bucket
s3:PutLifecycleConfiguration	Bucket
s3:PutObject	Object
s3:PutObjectAcl	Object
s3:PutObjectLegalHold	Object
s3:PutObjectRetention	Object
s3:PutObjectTagging	Object
s3:PutReplicationConfiguration	Object

Go further

For more information and tutorials, please see our other Object Storage support guides or explore the guides for other OVHcloud products and services.

If you need training or technical assistance to implement our solutions, contact your sales representative or click on this link to get a quote and ask our Professional Services experts for a custom analysis of your project.

*S3 is a trademark filed by Amazon Technologies, Inc. OVHcloud's service is not sponsored by, endorsed by, or otherwise affiliated with Amazon Technologies, Inc.