Console Permissions Reference
Permissions required to perform AI Object Storage actions in the Cloud Console
This table lists the permissions required to perform AI Object Storage actions in the Cloud Console. To grant these permissions to users, you need the Object Storage Admin role. With that role, you can create an organization access policy that grants the permissions to users. A user who has been granted a permission can perform the corresponding action in the Cloud Console. For more information about organization access policies, see About organization access policies.
| Feature in Console | AI Object Storage Permission Requirement |
|---|---|
| List (View) Buckets | cwobject:ListBucketInfo |
| Create Buckets | s3:CreateBucket, cwobject:CreateAccessKey |
| Delete Buckets | s3:DeleteBucket (policy can include ability to delete individual buckets or all buckets) |
| Create Access Keys | cwobject:CreateAccessKeySaml, cwobject:CreateAccessKey |
| Revoke Access Keys | cwobject:RevokeAccessKeyByAccessKey |
| List Access Keys | cwobject:ListAccessKeyInfo |
| Create or Edit Organization Policies | cwobject:EnsureAccessPolicy |
| Delete Organization Policies | cwobject:DeleteAccessPolicy |
| View Organization Policies | cwobject:ListAccessPolicy |
Info
- All cwobject: permissions are global operations and must specify "resources": ["*"] in the policy statement.
- Cloud Console groups are not allowed in organization access policies; use UIDs (from Cloud Console) or SAML users and groups instead.
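An added example (not part of the original documentation) that audits policy statements against the table and the first Info rule before a policy is applied: it reports which Console features the statements enable and flags any cwobject: action scoped to something other than "resources": ["*"]. The "actions" key, the statement layout, the sample statements, and reading each table row as "all listed permissions are needed" are assumptions; only the permission names and the "resources": ["*"] requirement come from this page.

```python
# Added example. Assumed: statements are dicts with "actions" and "resources"
# lists, and every permission listed in a table row is needed for that feature.
REQUIRED = {
    "List (View) Buckets": {"cwobject:ListBucketInfo"},
    "Create Buckets": {"s3:CreateBucket", "cwobject:CreateAccessKey"},
    "Delete Buckets": {"s3:DeleteBucket"},
    "Create Access Keys": {"cwobject:CreateAccessKeySaml",
                           "cwobject:CreateAccessKey"},
    "Revoke Access Keys": {"cwobject:RevokeAccessKeyByAccessKey"},
    "List Access Keys": {"cwobject:ListAccessKeyInfo"},
    "Create or Edit Organization Policies": {"cwobject:EnsureAccessPolicy"},
    "Delete Organization Policies": {"cwobject:DeleteAccessPolicy"},
    "View Organization Policies": {"cwobject:ListAccessPolicy"},
}


def audit(statements):
    """Return (enabled_features, problems) for a list of statement dicts.

    Only exact action names are matched; wildcard actions are not expanded.
    """
    granted, problems = set(), []
    for i, st in enumerate(statements):
        actions = list(st.get("actions", []))
        cw = [a for a in actions if a.startswith("cwobject:")]
        # cwobject: permissions are global and must use "resources": ["*"].
        if cw and st.get("resources") != ["*"]:
            problems.append(
                f'statement {i}: {", ".join(cw)} needs "resources": ["*"]')
            # Assumption: a mis-scoped cwobject: action is treated as not granted.
            actions = [a for a in actions if a not in cw]
        granted.update(actions)
    enabled = [f for f, need in REQUIRED.items() if need <= granted]
    return enabled, problems


# Constructed sample statements (bucket pattern "team-a-*" is made up).
SAMPLE = [
    {"actions": ["s3:CreateBucket", "s3:DeleteBucket"],
     "resources": ["team-a-*"]},
    {"actions": ["cwobject:CreateAccessKey", "cwobject:ListBucketInfo"],
     "resources": ["*"]},
    {"actions": ["cwobject:ListAccessKeyInfo"], "resources": ["team-a-*"]},
]

if __name__ == "__main__":
    features, issues = audit(SAMPLE)
    print("Enabled Console features:", features)
    print("Problems:", issues)
```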
Next steps
- Navigate to the Organization Access Policies page in the Cloud Console to create an organization access policy.
- Learn more about creating organization access policies.