WEKA v3.14 Documentation

S3 Users and Authentication

This page describes how to obtain access permissions for the S3 protocol.

Last updated 3 years ago

Overview

S3 User Role

To access the Weka cluster through the S3 protocol, a user with an S3 user role must be created (see Managing Users for details on creating users in Weka).

Note: The S3 user name and password will serve as the S3 access key and secret key, respectively.

When accessing data with S3 and other protocols (e.g., POSIX), it is possible to control the POSIX UID/GID of the underlying file representation of objects created with a specific S3 user's access/secret keys. Use the --posix-uid and --posix-gid flags for a local user with an S3 user role.

IAM Policy

A newly created S3 user cannot run any S3 command or API until the Cluster Admin attaches an IAM policy, which allows the user to operate within the policy limits.

A set of pre-defined policies can be attached to an S3 user, or new custom policies can be created and attached to an S3 user. To create a custom policy, you can use AWS Policy Generator, selecting IAM Policy as the policy type and Amazon S3 as the AWS service.

Note: The IAM policy size is limited to 2KB. In case a larger policy is required, please contact the Weka Support Team.

IAM Temporary Credentials (STS) - Assume Role

Once an S3 user is created and an IAM policy is attached, it is possible to gain temporary credentials to access the S3 API. This is done by calling the Assume Role command.

The result of calling the API is an access key, secret key, and session token tuple that can be used to access S3 APIs. The permissions for the temporary credentials will be the permissions induced by the user's IAM policy. Furthermore, it is possible to supply a different (with reduced capabilities only) IAM policy for the temporary credentials request.

Note: Some S3 clients and SDKs (e.g., boto3) support using the AssumeRole API automatically when provided with an access key and secret key pair. They automatically generate and use a new temporary credentials tuple when the previous one expires.

Manage Users and Authentication

Viewing Existing IAM Policies

Command: weka s3 policy list

Use this command to list the existing IAM policies.

The command lists both the pre-defined policies and custom policies that the Cluster Admin has added.

Command: weka s3 policy show <policy-name>

Use this command to see the JSON definition of the selected IAM policy.

The pre-defined policies are defined as follows.

Read access (s3:GetBucketLocation and s3:GetObject):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}

Write access (s3:PutObject):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}

Full access (s3:*):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}

Creating an IAM Policy

Command: weka s3 policy create

Use the following command line to create an S3 IAM policy:

weka s3 policy create <policy-name> <policy-file>

Parameters in Command Line

| Name | Type | Value | Limitations | Mandatory | Default |
|---|---|---|---|---|---|
| policy-name | String | The name of the new IAM policy | | Yes | |
| policy-file | String | A path to a custom policy JSON file for anonymous access. | A JSON file representing an IAM policy. | Yes | |
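
A pre-flight check for a policy file before it is passed to weka s3 policy create, written here as an added example (not WEKA's code): it enforces the 2KB limit noted above and flags Allow statements that use s3:* or arn:aws:s3:::*, as the broadest pre-defined policy does. Assumptions: the limit is taken as 2048 bytes of file content, and the bucket name example-bucket and its bucket-scoped ARNs are constructed for illustration.

```python
import json

MAX_POLICY_BYTES = 2048  # assumption: the page's "2KB" limit taken as 2048 bytes of file content


def _as_list(value):
    """IAM JSON allows either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy_text):
    """Return review findings for a policy file; an empty list means nothing was flagged."""
    findings = []
    size = len(policy_text.encode("utf-8"))
    if size > MAX_POLICY_BYTES:
        findings.append(f"size {size} bytes exceeds {MAX_POLICY_BYTES}")
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return findings + [f"not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return findings + ["top level must be a JSON object"]
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue  # only Allow statements widen access
        for action in _as_list(stmt.get("Action")):
            if action in ("*", "s3:*"):
                findings.append(f"statement {idx}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource in ("*", "arn:aws:s3:::*"):
                findings.append(f"statement {idx}: resource {resource} matches every bucket")
    return findings


# Broadest pre-defined policy shown on this page (s3:* on every resource).
FULL_ACCESS = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}]})

# Constructed sample: read access limited to one hypothetical bucket.
SCOPED_READ = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

if __name__ == "__main__":
    for name, text in (("full access", FULL_ACCESS), ("scoped read", SCOPED_READ)):
        print(name, "->", lint_policy(text) or "no findings")
```

The same check can be run over a custom policy passed to weka s3 sts assume-role with --policy-file.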

Deleting an IAM Policy

Command: weka s3 policy remove

Use the following command line to delete an S3 IAM policy:

weka s3 policy remove <policy-name>

Parameters in Command Line

| Name | Type | Value | Limitations | Mandatory | Default |
|---|---|---|---|---|---|
| policy-name | String | The name of the IAM policy to remove | | Yes | |

Attaching a Policy to an S3 User

Command: weka s3 policy attach

Use the following command line to attach an IAM policy to an S3 user:

weka s3 policy attach <policy> <user>

Parameters in Command Line

| Name | Type | Value | Limitations | Mandatory | Default |
|---|---|---|---|---|---|
| policy | String | The name of an existing IAM policy | | Yes | |
| user | String | The name of an existing S3 user | | Yes | |

Detaching a Policy from an S3 User

Command: weka s3 policy detach

Use the following command line to detach an IAM policy from an S3 user:

weka s3 policy detach <user>

Parameters in Command Line

| Name | Type | Value | Limitations | Mandatory | Default |
|---|---|---|---|---|---|
| user | String | The name of an existing S3 user | | Yes | |

Generating a Temporary Security Token

Command: weka s3 sts assume-role

Use the following command line to generate a temporary security token:

weka s3 sts assume-role <--access-key access-key> [--secret-key secret-key] [--policy-file policy-file] <--duration duration>

Parameters in Command Line

| Name | Type | Value | Limitations | Mandatory | Default |
|---|---|---|---|---|---|
| access-key | String | An S3 user access key | | Yes | |
| secret-key | String | An S3 user secret key | | No | If not supplied, the command will prompt to supply the secret-key |
| policy-file | String | A path to a custom policy JSON file for anonymous access. | A JSON file representing an IAM policy. | No | |
| duration | String | Duration for the token validity | Between 15 minutes and 1 week. Format: 900s, 60m, 2d, 1w | Yes | |

An example response:

Access-Key: JR9O0U6V42KLPFQDO2Z3
Secret-Key: wM0QMWuQ04WHlByj2SlEyuNrWoliMaCoVPmRsKbH
Session-Token: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJKUjlPMFU2VjQyS0xQRlFETzJaMyIsImV4cCI6NjA0ODAwMDAwMDAwMDAwLCJwb2xpY3kiOiJyZWFkd3JpdGUifQ.-rzf78OHdKv-25NFls1SaUvNKST5SoVSG8iR2hQrTQC1K05ZZlHBFfU-6N3_boF9c5P70y5Pa10YBHseh4DkVA
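
The session token in the example response is a JWT, so its header and claims can be read by anyone who holds it. The following added example (not WEKA's code) decodes the page's sample token without verifying its signature and also validates a --duration value against the limits stated above. Assumptions: only the s, m, d and w units shown on this page are accepted, and the observation that exp equals one week in nanoseconds applies to this sample only.

```python
import base64
import json
import re

# --duration limits as stated on this page: between 15 minutes and 1 week.
_UNIT_SECONDS = {"s": 1, "m": 60, "d": 86400, "w": 604800}  # units shown on the page
MIN_SECONDS, MAX_SECONDS = 15 * 60, 7 * 86400


def parse_duration(text):
    """Convert a value such as 900s, 60m, 2d or 1w to seconds, enforcing the limits."""
    match = re.fullmatch(r"(\d+)([smdw])", text)
    if not match:
        raise ValueError(f"unrecognised duration format: {text!r}")
    seconds = int(match.group(1)) * _UNIT_SECONDS[match.group(2)]
    if not MIN_SECONDS <= seconds <= MAX_SECONDS:
        raise ValueError(f"{text} is outside the 15 minute to 1 week range")
    return seconds


def _b64url_json(segment):
    """Decode one base64url JWT segment, restoring the stripped padding first."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def read_session_token(token):
    """Decode (NOT verify) the header and claims of a JWT-formatted session token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return _b64url_json(parts[0]), _b64url_json(parts[1])


# Values copied from the example response on this page.
ACCESS_KEY = "JR9O0U6V42KLPFQDO2Z3"
SESSION_TOKEN = (
    "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9."
    "eyJhY2Nlc3NLZXkiOiJKUjlPMFU2VjQyS0xQRlFETzJaMyIsImV4cCI6NjA0ODAwMDAwMDAwMDAwLCJwb2xpY3kiOiJyZWFkd3JpdGUifQ."
    "-rzf78OHdKv-25NFls1SaUvNKST5SoVSG8iR2hQrTQC1K05ZZlHBFfU-6N3_boF9c5P70y5Pa10YBHseh4DkVA"
)

if __name__ == "__main__":
    header, claims = read_session_token(SESSION_TOKEN)
    print("header:", header)
    print("claims:", claims)
    print("exp equals 1w in nanoseconds:", claims["exp"] == parse_duration("1w") * 10**9)
```

Because the claims are only base64url-encoded, treat the session token as a secret in logs and shell history, the same as the secret key.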

For the actions supported in a policy file, refer to the Supported Policy Actions section. A policy file passed to weka s3 sts assume-role cannot grant capabilities beyond the IAM policy attached to the S3 user.