Last updated September 27th 2022
Objective
The purpose of this guide is to show you how to manage your identities and access your S3 Object Storage resources.
Requirements
- A Public Cloud project in your OVHcloud account
- Access to your OVHcloud Control Panel
Instructions
Log in to the OVHcloud Control Panel, go to the Public Cloud section, and select the Public Cloud project concerned. Then click on Object Storage in the left-hand menu.
Creating a user
Click Create User.
If you already have OpenStack users, you can select one of these.
If you choose to select an existing user, ensure that the user has an ObjectStore operator or Administrator role.
Otherwise, create a new user:
Once your user has been created, you will see the credentials:
By clicking on the ... at the end of a user's line, you can, among other things, download the rclone configuration file, see the user's secret key, or delete the user.
Manage access to a bucket via a profile
You can define access to your buckets via predefined profiles.
Click on the ... at the end of your bucket line, then Add a user to a container.
Select the user to add to your bucket and click Next.
Set access to your bucket for this user and click on Confirm.
Manage access to an object via a profile
You can also set access to your objects via predefined profiles.
Click on the ... at the end of your object line, then Add user to my object.
Select the user and click Next.
Select the access profile for this user and click Confirm.
Advanced resource access management
You can refine your permissions by importing a JSON configuration file. To do this, go to the S3 Policy Users tab.
Click on the ... at the end of your user's line, then Import JSON file.
If you want to change a user's rights, you may need to download the JSON configuration file in advance by selecting Download JSON File.
Some examples of JSON configuration files:
Read/write access to a bucket and its objects
{
  "Statement": [{
    "Sid": "RWContainer",
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListMultipartUploadParts", "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload", "s3:GetBucketLocation"],
    "Resource": ["arn:aws:s3:::hp-bucket", "arn:aws:s3:::hp-bucket/*"]
  }]
}
Read-only access to a bucket and its objects
{
  "Statement": [{
    "Sid": "ROContainer",
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:ListMultipartUploadParts", "s3:ListBucketMultipartUploads"],
    "Resource": ["arn:aws:s3:::hp-bucket", "arn:aws:s3:::hp-bucket/*"]
  }]
}
Allow all operations on all project resources
{
  "Statement": [{
    "Sid": "FullAccess",
    "Effect": "Allow",
    "Action": ["s3:*"],
    "Resource": ["*"]
  }]
}
Read/write access to all objects in a specific folder (/home/user2) in a specific bucket (companybucket)
{
  "Statement": [{
    "Sid": "RWContainer",
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:ListMultipartUploadParts", "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload", "s3:GetBucketLocation"],
    "Resource": ["arn:aws:s3:::companybucket", "arn:aws:s3:::companybucket/home/user2/*"]
  }]
}
List of supported actions
Action | Scope |
---|---|
s3:AbortMultipartUpload | Object |
s3:CreateBucket | Bucket |
s3:DeleteBucket | Bucket |
s3:DeleteObject | Object |
s3:GetBucketLocation | Bucket |
s3:GetObject | Object |
s3:ListBucket | Bucket |
s3:ListBucketMultipartUploads | Bucket |
s3:ListMultipartUploadParts | Object |
s3:PutObject | Object |
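A pre-import check for a policy file, written as an added example (not OVHcloud code): it flags actions missing from the table above, wildcards, and actions whose scope has no matching resource in the statement. The function names are hypothetical, and the rule that a bucket-scope action needs the bare bucket ARN while an object-scope action needs a `bucket/key` ARN is an assumption based on the resource lists in the guide's examples.

```python
import json
# Action -> scope, copied from the guide's "List of supported actions" table.
SUPPORTED = {
    "s3:AbortMultipartUpload": "Object", "s3:CreateBucket": "Bucket",
    "s3:DeleteBucket": "Bucket", "s3:DeleteObject": "Object",
    "s3:GetBucketLocation": "Bucket", "s3:GetObject": "Object",
    "s3:ListBucket": "Bucket", "s3:ListBucketMultipartUploads": "Bucket",
    "s3:ListMultipartUploadParts": "Object", "s3:PutObject": "Object",
}
ARN_PREFIX = "arn:aws:s3:::"

def as_list(value):
    return value if isinstance(value, list) else [value]

def resource_scope(arn):
    # Assumption: "bucket" targets the bucket, "bucket/key..." targets objects.
    if arn == "*":
        return "Any"
    name = arn[len(ARN_PREFIX):] if arn.startswith(ARN_PREFIX) else ""
    if not name:
        return "Invalid"
    return "Object" if "/" in name else "Bucket"

def lint_policy(text):
    """Return human-readable findings for one policy JSON document."""
    findings = []
    for i, st in enumerate(as_list(json.loads(text).get("Statement", []))):
        sid = st.get("Sid", f"statement {i}")
        scopes = {resource_scope(r) for r in as_list(st.get("Resource", []))}
        if "Invalid" in scopes:
            findings.append(f"{sid}: malformed resource ARN")
        if "Any" in scopes:
            findings.append(f"{sid}: wildcard resource")
        for action in as_list(st.get("Action", [])):
            need = SUPPORTED.get(action)
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif need is None:
                findings.append(f"{sid}: unsupported action {action}")
            elif need not in scopes and "Any" not in scopes:
                findings.append(f"{sid}: {action} needs a {need.lower()} resource")
    return findings

# Constructed draft: misspelled action, and ListBucket without the bucket ARN.
DRAFT = """{"Statement":[{"Sid":"Draft","Effect":"Allow",
 "Action":["s3:GetObjects","s3:ListBucket"],
 "Resource":["arn:aws:s3:::hp-bucket/*"]}]}"""
if __name__ == "__main__":
    print("\n".join(lint_policy(DRAFT)))
```

The guide's read-only and read/write examples produce no findings; the "Allow all operations" example is reported for both its wildcard action and its wildcard resource.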
Go further
Join our community of users on https://community.ovh.com.