
Cloud Storage Gateway: Permissions required by a RAM user to activate on-premises gateways

Last Updated: Aug 02, 2022

Before a RAM user activates an on-premises gateway, you must grant the RAM user the required permissions. Then, the RAM user can use its AccessKey ID and AccessKey secret to activate the on-premises gateway and use the activated gateway. This topic describes the permissions required for a RAM user to access different Alibaba Cloud services that work with Cloud Storage Gateway (CSG).

Permissions required to access CSG

On-premises gateways are managed in the CSG console. Therefore, you must grant the RAM user the AliyunHCSSGWFullAccess permission.

Permissions required to access OSS

On-premises gateways need to access Object Storage Service (OSS) buckets for file management such as file upload and download. Therefore, we recommend that you grant the RAM user the AliyunOSSFullAccess permission.

To perform fine-grained permission control, you can refer to the following policy, which lists the permissions that the gateway needs on OSS buckets. If you require stricter permission control, replace the wildcard in the Resource element with the ARN of the OSS bucket that is used by a specific on-premises gateway, so that the RAM user cannot reach other buckets in the account.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:ListBuckets",
        "oss:ListObjects",
        "oss:GetObject",
        "oss:PutObject",
        "oss:DeleteObject",
        "oss:HeadObject",
        "oss:CopyObject",
        "oss:InitiateMultipartUpload",
        "oss:UploadPart",
        "oss:UploadPartCopy",
        "oss:CompleteMultipartUpload",
        "oss:AbortMultipartUpload",
        "oss:ListMultipartUploads",
        "oss:ListParts",
        "oss:GetBucketStat",
        "oss:GetBucketWebsite",
        "oss:GetBucketInfo",
        "oss:GetBucketEncryption",
        "oss:GetBucketVersioning",
        "oss:PutBucketEncryption",
        "oss:DeleteBucketEncryption",
        "oss:RestoreObject",
        "oss:PutObjectTagging",
        "oss:GetObjectTagging",
        "oss:DeleteObjectTagging"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
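The statement above grants the full OSS action set on every bucket in the account. The following Python script is an added example, not part of this topic or of the CSG product, that builds the same action set scoped to a single bucket and flags statements that still allow the bare wildcard resource. It assumes the RAM resource format acs:oss:*:*:<bucket> for the bucket and acs:oss:*:*:<bucket>/* for the objects in it, and the bucket name csg-gateway-01 is constructed for the demonstration.

```python
import json
import re

# OSS actions from the policy statement on this page.
OSS_ACTIONS = [
    "oss:ListBuckets", "oss:ListObjects", "oss:GetObject", "oss:PutObject",
    "oss:DeleteObject", "oss:HeadObject", "oss:CopyObject",
    "oss:InitiateMultipartUpload", "oss:UploadPart", "oss:UploadPartCopy",
    "oss:CompleteMultipartUpload", "oss:AbortMultipartUpload",
    "oss:ListMultipartUploads", "oss:ListParts", "oss:GetBucketStat",
    "oss:GetBucketWebsite", "oss:GetBucketInfo", "oss:GetBucketEncryption",
    "oss:GetBucketVersioning", "oss:PutBucketEncryption",
    "oss:DeleteBucketEncryption", "oss:RestoreObject", "oss:PutObjectTagging",
    "oss:GetObjectTagging", "oss:DeleteObjectTagging",
]

# OSS bucket naming rule: 3-63 characters, lowercase letters, digits and
# hyphens, starting and ending with a letter or digit.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")


def oss_policy_for_bucket(bucket: str) -> dict:
    """Build a RAM policy granting the page's OSS action set on one bucket only.

    oss:ListBuckets is an account-level call, so it keeps the account-wide
    OSS resource in its own statement; every other action is bound to the
    bucket ARN and to the objects inside it (bucket/*).
    """
    if not _BUCKET_RE.match(bucket):
        raise ValueError(f"invalid OSS bucket name: {bucket!r}")
    bucket_arn = f"acs:oss:*:*:{bucket}"  # assumed RAM resource format
    scoped_actions = [a for a in OSS_ACTIONS if a != "oss:ListBuckets"]
    return {
        "Version": "1",
        "Statement": [
            {"Action": ["oss:ListBuckets"],
             "Resource": "acs:oss:*:*:*",
             "Effect": "Allow"},
            {"Action": scoped_actions,
             "Resource": [bucket_arn, f"{bucket_arn}/*"],
             "Effect": "Allow"},
        ],
    }


def wildcard_allow_statements(policy: dict) -> list:
    """Return indices of Allow statements whose Resource is the bare "*"."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if stmt.get("Effect") == "Allow" and "*" in resources:
            hits.append(i)
    return hits


# Constructed policy mirroring the page's statement: every OSS action on
# every resource in the account.
PAGE_STYLE_POLICY = {
    "Version": "1",
    "Statement": [{"Action": OSS_ACTIONS, "Resource": "*", "Effect": "Allow"}],
}

if __name__ == "__main__":
    scoped = oss_policy_for_bucket("csg-gateway-01")  # constructed bucket name
    print(json.dumps(scoped, indent=2))
    print("wildcard statements in page-style policy:",
          wildcard_allow_statements(PAGE_STYLE_POLICY))
    print("wildcard statements in scoped policy:",
          wildcard_allow_statements(scoped))
```

Running the script prints the bucket-scoped policy that can be attached to the RAM user in place of AliyunOSSFullAccess; the wildcard check reports statement 0 for the page-style policy and nothing for the scoped one, which is the review you would want to run on any policy before attaching it to an AccessKey that lives on an on-premises appliance.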

Permissions required to access MNS

CSG detects data changes in OSS buckets within seconds by using the express synchronization feature. This feature is used in combination with Message Service (MNS). To ensure that the RAM user can use this feature, we recommend that you grant the RAM user the AliyunMNSFullAccess permission. To perform fine-grained permission control, you can refer to the following code that describes the permissions on MNS.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "mns:SendMessage",
        "mns:ReceiveMessage",
        "mns:PublishMessage",
        "mns:DeleteMessage",
        "mns:GetQueueAttributes",
        "mns:GetTopicAttributes",
        "mns:PutEventNotifications",
        "mns:DeleteEventNotifications",
        "mns:UpdateEventNotifications",
        "mns:GetEvent",
        "mns:Subscribe",
        "mns:Unsubscribe"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Permissions required to access KMS

CSG supports OSS server-side encryption and gateway-side encryption. To ensure that the RAM user can use both encryption methods, we recommend that you grant the RAM user the AliyunKMSFullAccess permission. To perform fine-grained permission control, you can refer to the following policy, which lists the permissions that the gateway needs on Key Management Service (KMS).

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}