Creating an Object User

An object user is created by an account. The account can control how object users utilize resources by granting object users different permissions.

Prerequisites

Procedure

  1. Choose Resources > Access > Authentication User > Object Users.
  2. Select a desired account from the Account drop-down list in the upper left corner.
  3. Click Create.

    The Create Object User dialog box is displayed.

  4. Set a user name.

    • The name contains 1 to 64 characters.
    • The name can contain only letters, digits, and special characters + = , . @ - _.

  5. (Optional) Set a user ID. If this parameter is left blank, the system automatically generates an ID after the user is created.

    • The value contains 1 to 64 characters.
    • The value can contain only letters and digits.

  6. Set User Access Key Creation.

    • Automatic: The system automatically generates a set of the object user access keys. This mode applies to scenarios where an object user is created on a primary device.
    • Manual: You need to manually enter AKs and SKs. This mode applies only to creating a user on the secondary end in the remote replication scenario. The user information of primary and secondary ends must be the same. You need to obtain the AK and SK of the primary end corresponding to the current secondary end user.

  7. Set a user permission policy.

    1. Click Create.

      The Create User Permission Policy page is displayed.

    2. Set Policy Name.
      • The name contains 1 to 128 characters.
      • The name can contain only basic Latin (ASCII) characters other than /*\?, and spaces. In addition, it cannot contain both single quotation marks (') and double quotation marks (") at the same time.
      • The name cannot be modified after the policy is created.
    3. Set Policy Mode. Possible options are as follows:
      • Recommended: provides three policies.
        • Read-only: Authorized users can read bucket resources. This policy mode does not define the write operation permission. You need to determine the permission based on other policies (such as the bucket permission). For example, if the bucket permission is read and write, the user permission is read and write.
        • Write-only: Authorized users can write bucket resources. This policy mode does not define the read operation permission. You need to determine the permission based on other policies (such as the bucket permission). For example, if the bucket permission is read and write, the user permission is read and write.
        • Read and Write: Authorized users can read and write bucket resources.
      • Custom: configures related parameters as required.

        For details about how to set user permission policy parameters, see the description of parameter PolicyDocument in Object Service Account Management API Description > User Policy Management > PutUserPolicy in the Service Plane API Description for Object of the corresponding version.

        • The policy content must be in JSON format, and the total length of all policies for an object user cannot exceed 6400 characters. Example: {"Statement":[{"Sid": "self","Effect":"Allow","Action":[ "s3:List*","s3:Get*"],"Resource":"*"}]}
        • If the object user needs to use the temporary security credential service, set Action to the value in the example. Example: {"Statement":[{"Sid": "self","Effect":"Allow","Action":[ "sts:AssumeRole","sts:TagSession"],"Resource":"*"}]}
    4. Click OK.

    To remove a policy, select the policy and click Remove.

  8. Click OK.

    The system generates the AK and SK of the current user. Keep the AK and SK secure and do not disclose them to others.

  9. Click Copy Access Key Information.
  10. Click Close.
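
A pre-flight check for the values entered in steps 4, 5 and 7, given here as an added example that is not part of the product or its documentation. It assumes that "letters" means ASCII letters and that the 6400-character limit counts the policy text as entered; the allow-everything warning is a review hint added here rather than a rule of the system, and check_object_user is a hypothetical name.

```python
import json
import re

USER_NAME_RE = re.compile(r"[A-Za-z0-9+=,.@_-]{1,64}")  # step 4; ASCII letters assumed
USER_ID_RE = re.compile(r"[A-Za-z0-9]{1,64}")           # step 5; ASCII letters assumed
MAX_POLICY_CHARS = 6400  # limit on all policies of one object user, counted as entered


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_object_user(name, policies, user_id=None):
    """policies maps policy name -> JSON text. Returns a list of findings."""
    findings = []
    if not USER_NAME_RE.fullmatch(name):
        findings.append("user name: need 1-64 of letters, digits, + = , . @ - _")
    if user_id is not None and not USER_ID_RE.fullmatch(user_id):
        findings.append("user ID: need 1-64 letters or digits")
    total = sum(len(text) for text in policies.values())
    if total > MAX_POLICY_CHARS:
        findings.append(f"policies: {total} characters, limit {MAX_POLICY_CHARS}")
    for pname, text in policies.items():
        try:
            doc = json.loads(text)
        except json.JSONDecodeError as exc:
            findings.append(f"{pname}: not valid JSON ({exc.msg})")
            continue
        if not isinstance(doc, dict) or "Statement" not in doc:
            findings.append(f"{pname}: no Statement element")
            continue
        for st in _as_list(doc["Statement"]):
            if not isinstance(st, dict):
                findings.append(f"{pname}: statement is not a JSON object")
            # Review hint added here, not a rule of the system: flag allow-everything.
            elif (st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action"))
                    and "*" in _as_list(st.get("Resource"))):
                findings.append(f"{pname}: {st.get('Sid')!r} allows every action on every resource")
    return findings


if __name__ == "__main__":
    # Constructed input: the read-only example from the page plus one over-broad policy.
    sample = {
        "readonly": '{"Statement":[{"Sid": "self","Effect":"Allow","Action":[ "s3:List*","s3:Get*"],"Resource":"*"}]}',
        "broad": '{"Statement":[{"Sid":"all","Effect":"Allow","Action":"*","Resource":"*"}]}',
    }
    for finding in check_object_user("backup.user@site-a", sample, user_id="bk01"):
        print(finding)
```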