Identity and Access Management (IAM)

Tip

IAM is part of our paid plans.

Get in touch with the team or visit the page describing our plans.

Introduction

OpenIO SDS 20.04 implements a subset of AWS Identity and Access Management for its S3 gateway. This allows platform administrators to control which user has access to which resource. Only user policies are supported at the moment.

User management

A CLI command sets the IAM policy attached to each user. Here is an example giving full S3 access to the “demo” user:

> openio-admin iam set-user-policy AUTH_demo demo:demo '{"Statement":[{"Sid":"FullAccess","Action":["s3:*"],"Effect":"Allow","Resource":["*"]}]}'
+---------+---------------------------------+
| Field   | Value                           |
+---------+---------------------------------+
| account | AUTH_demo                       |
| user    | demo:demo                       |
| policy  | {                               |
|         |     "Statement": [              |
|         |         {                       |
|         |             "Action": [         |
|         |                 "s3:*"          |
|         |             ],                  |
|         |             "Effect": "Allow",  |
|         |             "Resource": [       |
|         |                 "*"             |
|         |             ],                  |
|         |             "Sid": "FullAccess" |
|         |         }                       |
|         |     ]                           |
|         | }                               |
+---------+---------------------------------+

Here is another example, giving user1 access only to the objects of its own bucket (the policy is read from a file):

> openio-admin iam set-user-policy AUTH_demo demo:user1 --from-file objects_only.json
+---------+----------------------------------------------+
| Field   | Value                                        |
+---------+----------------------------------------------+
| account | AUTH_demo                                    |
| user    | demo:user1                                   |
| policy  | {                                            |
|         |     "Statement": [                           |
|         |         {                                    |
|         |             "Action": [                      |
|         |                 "s3:ListBucket",             |
|         |                 "s3:GetObject",              |
|         |                 "s3:PutObject",              |
|         |                 "s3:DeleteObject"            |
|         |             ],                               |
|         |             "Effect": "Allow",               |
|         |             "Resource": [                    |
|         |                 "arn:aws:s3:::user1bucket",  |
|         |                 "arn:aws:s3:::user1bucket/*" |
|         |             ],                               |
|         |             "Sid": "User1BucketAllObjects"   |
|         |         }                                    |
|         |     ]                                        |
|         | }                                            |
+---------+----------------------------------------------+

Supported actions

The supported actions (with the resource type each applies to), condition keys and condition operators are listed below.

Actions

+-------------------------------+---------------+
| Action                        | Resource type |
+-------------------------------+---------------+
| s3:AbortMultipartUpload       | Object        |
| s3:CreateBucket               | Bucket        |
| s3:DeleteBucket               | Bucket        |
| s3:DeleteObject               | Object        |
| s3:GetBucketLocation          | Bucket        |
| s3:GetObject                  | Object        |
| s3:ListBucket                 | Bucket        |
| s3:ListBucketMultipartUploads | Bucket        |
| s3:ListMultipartUploadParts   | Object        |
| s3:PutObject                  | Object        |
+-------------------------------+---------------+

Condition keys

aws:CurrentTime
aws:EpochTime
aws:SourceIp
aws:UserAgent
aws:userid
s3:VersionId
s3:delimiter
s3:max-keys
s3:prefix
s3:x-amz-acl
s3:x-amz-copy-source
s3:x-amz-metadata-directive

Condition operators

IpAddress
NotIpAddress
StringEquals
StringEqualsIgnoreCase
StringLike
StringNotEquals
StringNotEqualsIgnoreCase
StringNotLike
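To show how a user policy like the two above is evaluated against a request, here is an added example (not OpenIO's own code): a small evaluator for the statement format, the wildcard matching of actions and resources, and the condition operators listed above. It assumes AWS semantics (default deny, explicit Deny wins, a missing condition key fails the condition) and uses the page's user1 policy with a constructed aws:SourceIp condition added for illustration.

```python
import fnmatch
import ipaddress
import json

def _condition_holds(operator, actual, allowed):
    """Evaluate one condition operator from the supported list; a missing key fails."""
    if actual is None:
        return False
    negate = operator.startswith("StringNot") or operator == "NotIpAddress"
    if operator.endswith("IpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c, strict=False)
                  for c in allowed)
    else:
        fold = operator.endswith("IgnoreCase")
        a = actual.lower() if fold else actual
        vals = [v.lower() if fold else v for v in allowed]
        if "Like" in operator:  # StringLike / StringNotLike: * and ? wildcards
            hit = any(fnmatch.fnmatchcase(a, v) for v in vals)
        else:
            hit = a in vals
    return (not hit) if negate else hit

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy_json, action, resource, context):
    """Default deny; an explicit Deny statement overrides any Allow (assumed AWS semantics)."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {})
        if not all(_condition_holds(op, context.get(key), _as_list(vals))
                   for op, block in conditions.items() for key, vals in block.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed policy: the page's user1 policy plus a SourceIp condition (not from the page).
USER1_POLICY = json.dumps({"Statement": [{
    "Sid": "User1BucketAllObjects", "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "Resource": ["arn:aws:s3:::user1bucket", "arn:aws:s3:::user1bucket/*"],
    "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}}]})

if __name__ == "__main__":
    ctx = {"aws:SourceIp": "10.1.2.3"}
    print(is_allowed(USER1_POLICY, "s3:GetObject", "arn:aws:s3:::user1bucket/report.csv", ctx))
    print(is_allowed(USER1_POLICY, "s3:GetObject", "arn:aws:s3:::otherbucket/report.csv", ctx))
```

The evaluator covers only the statement fields shown on this page; real gateways also map each S3 request to its action and resource ARN before this check runs.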