Granting Bucket Access Permissions to SubUsers
Introduction
FPT Object Storage supports creating SubUsers; however, a SubUser's role applies to all of the Admin's resources. For example, if you create a SubUser with the Read Only role, that SubUser will have read access to all of the Admin's buckets. To grant permissions on a per-bucket basis, you must use Bucket Policy. Suppose we have 3 buckets — Bucket-1, Bucket-2, Bucket-3 — and want to grant permissions to 3 SubUsers: SubUser-1, SubUser-2, SubUser-3. The following is a detailed configuration guide on FPT Unify Portal.
Prerequisites
You need an FPT Cloud account with the Object Storage service enabled. The required buckets must already be created in the same Region.
Overview
Step 1: Create SubUsers with the None permission so that the SubUser cannot access any other buckets.
Step 2: Open access to a specific bucket for the SubUser. For each bucket, declare a Bucket Policy using the following template:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::SUBUSER_ACCOUNT_ID:user/SUBUSER_NAME"]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::YOUR_BUCKET_NAME",
        "arn:aws:s3:::YOUR_BUCKET_NAME/*"
      ]
    }
  ]
}
- Version: The policy version (typically "2012-10-17").
- Effect: The permission (can be "Allow" or "Deny").
- Principal: The specific user or role. Replace SUBUSER_ACCOUNT_ID and SUBUSER_NAME with the information of the subuser to be granted access.
- Action: The actions the subuser is allowed to perform on the bucket (here "s3:*" for all actions).
- Resource: The resources the policy applies to (here the bucket and all objects within the bucket).
Step 3: Create SubUser Keys and provide them to the end users.
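The following script is an added example, not FPT's own tooling, that carries the three-bucket, three-SubUser scenario from Step 2 through in code: it builds the template above for each (bucket, SubUser) pair, evaluates a few requests against the resulting policies to confirm that a SubUser scoped to Bucket-1 gets nothing on Bucket-2, and shows where the policy would be applied. The account id and the bucket and SubUser names are constructed placeholders; the "full", "read-only" and "read-write" access levels are this example's own convention (the guide uses "s3:*", which also covers bucket-management actions such as s3:DeleteBucket and s3:PutBucketPolicy, so a narrower action list is worth considering for SubUsers that only need to read or write objects); and `apply_policies` assumes an S3-compatible client with boto3's `put_bucket_policy` signature.

```python
"""Added example: build and sanity-check the per-bucket policies from the guide.

Not FPT's own tooling. Account id, bucket and SubUser names below are constructed
placeholders; replace them with the values shown in the FPT Unify Portal.
"""
import fnmatch
import json

SUBUSER_ACCOUNT_ID = "SUBUSER_ACCOUNT_ID"  # placeholder, taken from the portal in practice

# Action sets per access level (this example's own convention). "full" is the guide's
# "s3:*", which also covers bucket-management actions such as s3:DeleteBucket and
# s3:PutBucketPolicy, so the narrower sets suit SubUsers that only handle objects.
ACTION_SETS = {
    "full": ["s3:*"],
    "read-only": ["s3:GetObject", "s3:ListBucket"],
    "read-write": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
}


def subuser_arn(subuser_name, account_id=SUBUSER_ACCOUNT_ID):
    """Principal ARN in the form the guide's template uses."""
    return f"arn:aws:iam::{account_id}:user/{subuser_name}"


def build_bucket_policy(bucket, subuser_name, level="full", account_id=SUBUSER_ACCOUNT_ID):
    """The guide's template as a dict: one Allow statement for one SubUser on one bucket."""
    if level not in ACTION_SETS:
        raise ValueError(f"unknown access level: {level}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": [subuser_arn(subuser_name, account_id)]},
                "Action": list(ACTION_SETS[level]),
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            }
        ],
    }


def build_all(assignments, account_id=SUBUSER_ACCOUNT_ID):
    """assignments maps bucket -> (subuser_name, level); returns bucket -> policy dict."""
    return {
        bucket: build_bucket_policy(bucket, subuser, level, account_id)
        for bucket, (subuser, level) in assignments.items()
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, principal_arn, action, resource_arn):
    """Minimal evaluation of a single bucket policy.

    Mirrors the S3 rules that matter here: an explicit Deny wins, a matching Allow
    grants, anything else is implicitly denied. '*' in Action and Resource matches
    any characters, as in IAM. Enough to check the intended separation between
    buckets before a policy is applied; not a replacement for the service's evaluator.
    """
    allowed = False
    for statement in policy["Statement"]:
        principal = statement["Principal"]
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(fnmatch.fnmatchcase(principal_arn, p) for p in principals):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(statement["Resource"])):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def apply_policies(s3_client, policies):
    """Push each policy to its bucket through an S3-compatible client.

    Assumes boto3's put_bucket_policy signature, which takes the policy as a JSON string.
    """
    for bucket, policy in policies.items():
        s3_client.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))


if __name__ == "__main__":
    # The guide's scenario: three buckets, three SubUsers, one bucket each.
    plan = {
        "Bucket-1": ("SubUser-1", "full"),
        "Bucket-2": ("SubUser-2", "read-only"),
        "Bucket-3": ("SubUser-3", "read-write"),
    }
    for bucket, policy in build_all(plan).items():
        print(f"--- {bucket} ---")
        print(json.dumps(policy, indent=2))
```

Running the script prints the three policy documents ready to paste into the portal; `apply_policies` is for the case where the policies are instead pushed with a boto3 client created against the FPT S3 endpoint (the `endpoint_url` and SubUser keys from Step 3 are assumed to be configured on that client). The `is_allowed` checks are a pre-flight review of the documents themselves, which is where the per-bucket separation from Step 1 and Step 2 is easiest to verify before the keys are handed out.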
Conclusion
With the steps above, you have used bucket policy to grant subusers access to different buckets within FPT Object Storage.