Identity and Access Management (IAM)
Tip
IAM is part of our paid plans.
Get in touch with the team or visit the page describing our plans.
Introduction
OpenIO SDS 20.04 implements a subset of AWS Identity and Access Management for its S3 gateway. This allows platform administrators to control which user has access to which resource. Only user policies are supported at the moment.
User management
The openio-admin CLI sets an IAM policy per user. Here is an example giving full S3 access to the “demo” user (the JSON policy is passed inline):
> openio-admin iam set-user-policy AUTH_demo demo:demo '{"Statement":[{"Sid":"FullAccess","Action":["s3:*"],"Effect":"Allow","Resource":["*"]}]}'
+---------+---------------------------------+
| Field   | Value                           |
+---------+---------------------------------+
| account | AUTH_demo                       |
| user    | demo:demo                       |
| policy  | {                               |
|         |     "Statement": [              |
|         |         {                       |
|         |             "Action": [         |
|         |                 "s3:*"          |
|         |             ],                  |
|         |             "Effect": "Allow",  |
|         |             "Resource": [       |
|         |                 "*"             |
|         |             ],                  |
|         |             "Sid": "FullAccess" |
|         |         }                       |
|         |     ]                           |
|         | }                               |
+---------+---------------------------------+
Here is another example, this time reading the policy from a JSON file with --from-file, which gives user1 access only to its own bucket:
> openio-admin iam set-user-policy AUTH_demo demo:user1 --from-file objects_only.json
+---------+----------------------------------------------+
| Field   | Value                                        |
+---------+----------------------------------------------+
| account | AUTH_demo                                    |
| user    | demo:user1                                   |
| policy  | {                                            |
|         |     "Statement": [                           |
|         |         {                                    |
|         |             "Action": [                      |
|         |                 "s3:ListBucket",             |
|         |                 "s3:GetObject",              |
|         |                 "s3:PutObject",              |
|         |                 "s3:DeleteObject"            |
|         |             ],                               |
|         |             "Effect": "Allow",               |
|         |             "Resource": [                    |
|         |                 "arn:aws:s3:::user1bucket",  |
|         |                 "arn:aws:s3:::user1bucket/*" |
|         |             ],                               |
|         |             "Sid": "User1BucketAllObjects"   |
|         |         }                                    |
|         |     ]                                        |
|         | }                                            |
+---------+----------------------------------------------+
Supported actions
The tables below list the S3 actions (with the resource type each applies to), the condition keys and the condition operators; ✅ marks the entries the gateway supports.
| Action | Resource | Supported |
|---|---|---|
| s3:AbortMultipartUpload | Object | ✅ |
| s3:CreateBucket | Bucket | ✅ |
| s3:DeleteBucket | Bucket | ✅ |
| s3:DeleteObject | Object | ✅ |
| s3:GetBucketLocation | Bucket | ✅ |
| s3:GetObject | Object | ✅ |
| s3:ListBucket | Bucket | ✅ |
| s3:ListBucketMultipartUploads | Bucket | ✅ |
| s3:ListMultipartUploadParts | Object | ✅ |
| s3:PutObject | Object | ✅ |

| Condition key | Supported |
|---|---|
| aws:CurrentTime | |
| aws:EpochTime | |
| aws:SourceIp | |
| aws:UserAgent | |
| aws:userid | |
| s3:VersionId | |
| s3:delimiter | ✅ |
| s3:max-keys | ✅ |
| s3:prefix | ✅ |
| s3:x-amz-acl | |
| s3:x-amz-copy-source | |
| s3:x-amz-metadata-directive | |

| Condition operator | Supported |
|---|---|
| IpAddress | |
| NotIpAddress | |
| StringEquals | ✅ |
| StringEqualsIgnoreCase | |
| StringLike | ✅ |
| StringNotEquals | ✅ |
| StringNotEqualsIgnoreCase | |
| StringNotLike | ✅ |
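To see how the two policies from the user-management section and the supported operators above decide a request, here is a small policy evaluator. It is an added example, not OpenIO's code: it assumes the gateway follows the usual AWS semantics (default deny, an explicit Deny overrides any Allow, a missing condition key fails positive operators and satisfies the Not* ones) and restricts itself to the String* operators and wildcard matching documented on this page. The FULL_ACCESS and USER1_BUCKET policies are copied from the page; PUBLIC_NO_DELETE, the bucket names and the request contexts are constructed for the demonstration.

```python
"""Evaluate one S3 request against an IAM user policy of the kind shown above.

Added illustration, not OpenIO's own code.  It applies AWS policy semantics
(default deny, explicit Deny beats Allow) to the subset this page documents:
s3:* actions, ARN resources with '*'/'?' wildcards, and the String* operators
on condition keys such as s3:prefix.
"""
import json
import re


def _match(pattern, value):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


# Condition operators the gateway supports (see the operators table above).
_OPERATORS = {
    "StringEquals": lambda pat, val: pat == val,
    "StringNotEquals": lambda pat, val: pat != val,
    "StringLike": _match,
    "StringNotLike": lambda pat, val: not _match(pat, val),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions_hold(condition, context):
    for operator, keys in condition.items():
        if operator not in _OPERATORS:
            raise ValueError("unsupported condition operator: %s" % operator)
        test = _OPERATORS[operator]
        negated = "Not" in operator
        for key, patterns in keys.items():
            if key not in context:
                # Assumed AWS semantics: a missing key fails positive operators
                # and satisfies negated ones.
                if negated:
                    continue
                return False
            results = [test(p, context[key]) for p in _as_list(patterns)]
            # StringEquals is true if ANY listed value matches;
            # StringNotEquals only if NONE of them match.
            if not (all(results) if negated else any(results)):
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    # Action names are case-insensitive in IAM; resource ARNs are not.
    if not any(_match(p.lower(), action.lower()) for p in _as_list(stmt["Action"])):
        return False
    if not any(_match(p, resource) for p in _as_list(stmt["Resource"])):
        return False
    return _conditions_hold(stmt.get("Condition", {}), context)


def evaluate(policy, action, resource, context=None):
    """Return ("Allow", sid) or ("Deny", sid-or-None) for one request.

    `context` carries the request's condition keys, e.g. {"s3:prefix": "a/"}
    for a ListBucket call.  The Sid of the deciding statement is returned so
    an access log can record which rule fired.
    """
    context = context or {}
    decision, sid = "Deny", None  # default deny
    for stmt in policy["Statement"]:
        if stmt["Effect"] not in ("Allow", "Deny"):
            raise ValueError("bad Effect: %r" % stmt["Effect"])
        if not _statement_applies(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny", stmt.get("Sid")  # an explicit Deny wins immediately
        decision, sid = "Allow", stmt.get("Sid")
    return decision, sid


# The two policies from the examples above, exactly as given to openio-admin.
FULL_ACCESS = json.loads('{"Statement":[{"Sid":"FullAccess","Action":["s3:*"],'
                         '"Effect":"Allow","Resource":["*"]}]}')
USER1_BUCKET = {"Statement": [{
    "Sid": "User1BucketAllObjects", "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "Resource": ["arn:aws:s3:::user1bucket", "arn:aws:s3:::user1bucket/*"],
}]}
# Constructed policy: read/write objects, list only under public/, never delete.
PUBLIC_NO_DELETE = {"Statement": [
    {"Sid": "Objects", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::user1bucket/*"]},
    {"Sid": "ListPublic", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::user1bucket",
     "Condition": {"StringLike": {"s3:prefix": ["public/*"]}}},
    {"Sid": "NoDelete", "Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::user1bucket/*"},
]}

if __name__ == "__main__":
    for policy, action, res, ctx in [
        (FULL_ACCESS, "s3:CreateBucket", "arn:aws:s3:::newbucket", None),
        (USER1_BUCKET, "s3:GetObject", "arn:aws:s3:::otherbucket/x", None),
        (PUBLIC_NO_DELETE, "s3:ListBucket", "arn:aws:s3:::user1bucket",
         {"s3:prefix": "private/"}),
    ]:
        print(action, res, ctx, "->", evaluate(policy, action, res, ctx))
```

Running the module prints one decision per sample request; the evaluator raises on operators outside the supported set (IpAddress, StringEqualsIgnoreCase, and so on) rather than silently ignoring them, which is the safer failure mode when a policy is pasted from AWS documentation.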