Object Storage Admin role. Then, you can create an organization access policy to grant the permissions to the users. When you grant these permissions to a user, they can perform the corresponding actions in the Cloud Console. For more information about organization access policies, see About organization access policies.
| Console feature | AI Object Storage permission |
|---|---|
| List (view) buckets | cwobject:ListBucketInfo |
| Create buckets | s3:CreateBucket, cwobject:CreateAccessKey |
| Delete buckets | s3:DeleteBucket (policy can include the ability to delete individual buckets or all buckets) |
| Create access keys | cwobject:CreateAccessKeySAML, cwobject:CreateAccessKey |
| Revoke access keys | cwobject:RevokeAccessKeyByAccessKey |
| List access keys | cwobject:ListAccessKeyInfo |
| Create or edit organization policies | cwobject:EnsureAccessPolicy |
| Delete organization policies | cwobject:DeleteAccessPolicy |
| View organization policies | cwobject:ListAccessPolicy |
- All cwobject: permissions are global operations and must specify "resources": ["*"] in the policy statement.
- Cloud Console groups aren’t allowed in organization access policies. Use UIDs (from the Cloud Console) or SAML users and groups instead.
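
The first note above can be checked before a policy is submitted. The following lint is an added example, not code from this page or from the product. The field names `statements`, `name` and `actions` and the bucket name are assumptions for illustration; only `"resources": ["*"]` and the permission names come from the page.

```python
import json

# Constructed sample policy. Field names "statements", "name" and "actions"
# and the bucket name "team-a-bucket" are assumptions, not the product schema.
SAMPLE_POLICY = json.loads("""
{
  "statements": [
    {"name": "key-admin",
     "actions": ["cwobject:CreateAccessKey", "cwobject:ListAccessKeyInfo"],
     "resources": ["*"]},
    {"name": "bucket-create-scoped",
     "actions": ["s3:CreateBucket", "cwobject:CreateAccessKey"],
     "resources": ["team-a-bucket"]},
    {"name": "bucket-delete-one",
     "actions": ["s3:DeleteBucket"],
     "resources": ["team-a-bucket"]},
    {"name": "policy-viewer",
     "actions": ["cwobject:ListAccessPolicy"]}
  ]
}
""")


def lint_cwobject_resources(policy):
    """Return (statement name, cwobject actions, resources) for every statement
    that uses a cwobject: action but does not set resources to exactly ["*"]."""
    findings = []
    for i, stmt in enumerate(policy.get("statements", [])):
        actions = stmt.get("actions", [])
        if isinstance(actions, str):  # tolerate a single action given as a string
            actions = [actions]
        global_actions = [a for a in actions if a.startswith("cwobject:")]
        # A missing "resources" key is flagged too: the note says the
        # statement must specify the wildcard explicitly.
        if global_actions and stmt.get("resources") != ["*"]:
            name = stmt.get("name", f"statement[{i}]")
            findings.append((name, global_actions, stmt.get("resources")))
    return findings


if __name__ == "__main__":
    for name, actions, resources in lint_cwobject_resources(SAMPLE_POLICY):
        print(f"{name}: {actions} require resources ['*'], found {resources!r}")
```

The `bucket-create-scoped` statement shows the common mistake: scoping `s3:CreateBucket` to one bucket in the same statement as a `cwobject:` permission. Splitting the two permissions into separate statements keeps the bucket scope while satisfying the wildcard rule.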
Next steps
- Navigate to the Organization Access Policies page in the Cloud Console to create an organization access policy.
- Learn more about creating organization access policies.