Setting Access Control Policies for IBM Cloud Object Storage

As your organization explores more digital initiatives, including cloud and mobile, the importance of identity and access management (IAM) is paramount. Nearly all IT decision makers we talk with agree that IAM is essential to the success of their company’s cloud adoption and it is seen as a key enabler for mobility, analytics and IoT initiatives.

Most digital initiatives have a common linchpin—they are data intensive and need to be managed consistently and seamlessly across the organization, ensuring that the right services and users are given access to critical data and resources, while providing efficiency and compliance. To help meet this objective, we’ve enabled customer-driven permission identity in our most recent service release by integrating IBM Cloud Object Storage with IBM Identity and Access Manager in the IBM Cloud. You can set Cloud Object Storage bucket-level access policies, selectively grant permissions, assign user roles and control the actions that users and applications can perform. IBM Cloud Identity and Access Management (IAM) allows you to control who has access to the resources in your Cloud Object Storage buckets, as well as other IBM Cloud services, such as IBM Compute instances. These controls help deliver:

  • Enhanced Security – IAM enables security best practices by allowing you to grant unique security credentials to users and groups to specify which IBM Cloud Object Storage Buckets they can access. IAM is secure by default; users have no access to Cloud Object Storage resources until permissions are explicitly granted.
  • Granular control – With access control, you can give users access to only the resources they need at service, service instance, or bucket level. Three pre-defined roles are supported for direct data access: Manager, Writer, and Reader. These give you the ability to control the types of actions users can perform against the data they have access to. The Access Control UI provides a simplified way of specifying policies for your buckets from within the IBM Cloud Object Storage console.
  • Consistent IAM model for IBM cloud services – IBM® Cloud Identity & Access Management enables you to securely authenticate users and control access to all cloud resources consistently in the IBM Cloud.

How it works

Users, roles, resources, and policies

IAM Access Control enables the assignment of policies for IBM Cloud Object Storage buckets, granting levels of access for managing resources and users within the assigned context. A policy grants a user one or more roles on a set of resources, using a combination of attributes to define which resources the policy applies to. When you assign a policy to a user, you first specify the bucket, then the role or roles to assign.

Bucket permissions

You can assign access roles for users and service IDs against buckets, using either the UI or the CLI to create policies. Here are the roles and example actions:

Granting access to a user

If the user needs to be able to use the IBM Cloud console, it is necessary to also grant them a minimum role of Viewer on the instance itself. This will allow them to view all buckets and list the objects within them. Then you can select Bucket permissions, select the user, and assign the level of access (Manager or Writer) that they require.

If the user will interact with data using the API and doesn’t require console access, and they are a member of your account, you can grant access to a single bucket without any access to the parent instance.

Granting access to a service ID

If you need to grant access to a bucket for an application or other non-human entity, use a Service ID. A Service ID can be created specifically for this purpose, or an existing Service ID can be used.

Policy enforcement

IAM policies are enforced hierarchically from greatest level of access to most restricted. Conflicts are resolved to the more permissive policy. For example, if a user has both the Writer and Reader role on a bucket, the policy granting the Reader role will be ignored. This is also applicable to service instance and bucket level policies.
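To make the resolution rule concrete, here is a small model of how overlapping policies at instance and bucket level collapse into one effective role. This is an added illustration, not IBM's implementation or API: the three roles, the two scopes and the "more permissive policy wins" rule follow the post, while the action names, the subject names and the sample policies are constructed for the example and the role-to-action mapping is a simplified assumption rather than the official list. The `audit` helper shows the defender's use of the rule: listing every subject's effective role per bucket is how you catch an instance-wide Writer grant that silently overrides a deliberately narrow Reader policy.

```python
"""Toy model of IAM policy resolution for Cloud Object Storage buckets.

Added example, not IBM's code. Roles, scopes and the most-permissive-wins
rule come from the post; action names and sample data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Least to most permissive, matching the post's hierarchy.
ROLE_RANK = {"Reader": 1, "Writer": 2, "Manager": 3}

# ASSUMPTION: simplified example actions per role, not the official list.
ROLE_ACTIONS = {
    "Reader": {"list_objects", "get_object"},
    "Writer": {"list_objects", "get_object", "put_object", "delete_object"},
    "Manager": {"list_objects", "get_object", "put_object", "delete_object",
                "create_bucket", "delete_bucket", "set_bucket_policy"},
}


@dataclass(frozen=True)
class Policy:
    subject: str                  # user name or service ID
    instance: str                 # COS service instance the policy is scoped to
    role: str                     # Reader | Writer | Manager
    bucket: Optional[str] = None  # None means the whole service instance


def applicable(policy: Policy, subject: str, instance: str, bucket: str) -> bool:
    """A policy applies if it names the subject and covers the bucket,
    either directly or because it is scoped to the bucket's instance."""
    if policy.subject != subject or policy.instance != instance:
        return False
    return policy.bucket is None or policy.bucket == bucket


def effective_role(policies: Iterable[Policy], subject: str,
                   instance: str, bucket: str) -> Optional[str]:
    """Conflicts resolve to the more permissive policy: the highest-ranked
    applicable role wins. No applicable policy means no access at all."""
    roles = [p.role for p in policies if applicable(p, subject, instance, bucket)]
    if not roles:
        return None  # secure by default
    return max(roles, key=ROLE_RANK.__getitem__)


def allowed(policies: Iterable[Policy], subject: str, instance: str,
            bucket: str, action: str) -> bool:
    """Authorization check derived from the effective role."""
    role = effective_role(policies, subject, instance, bucket)
    return role is not None and action in ROLE_ACTIONS[role]


def audit(policies: Iterable[Policy], subject: str, instance: str,
          buckets: List[str]) -> Dict[str, Optional[str]]:
    """Defender's view: the effective role a subject holds on each bucket,
    which exposes broad instance-level grants that override narrow ones."""
    pols = list(policies)
    return {b: effective_role(pols, subject, instance, b) for b in buckets}


# Constructed sample policies; all names are made up for the example.
SAMPLE_POLICIES = [
    Policy("alice", "cos-prod", "Reader", bucket="audit-logs"),
    Policy("alice", "cos-prod", "Writer", bucket="audit-logs"),       # Reader policy is ignored
    Policy("app-svc-id", "cos-prod", "Writer"),                       # instance-wide grant
    Policy("app-svc-id", "cos-prod", "Reader", bucket="audit-logs"),  # narrower, so ignored
    Policy("bob", "cos-prod", "Manager", bucket="uploads"),
]


if __name__ == "__main__":
    for subj in ("alice", "app-svc-id", "bob"):
        print(subj, audit(SAMPLE_POLICIES, subj, "cos-prod", ["audit-logs", "uploads"]))
```

Running the script prints the effective role table; `app-svc-id` ends up as Writer on `audit-logs` despite the bucket-level Reader policy, which is exactly the case the post warns about and the reason to review instance-level grants before relying on a bucket-level restriction.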


To learn more

Getting Started with Identity and Access Management

User and Service IDs

Bucket Permissions

Service Credentials

IBM Cloud Object Storage service features
