Manage S3 users and authentication using the CLI

With the CLI, you can:

• View existing IAM policies

• Add an IAM policy

• Delete an IAM policy

• Attach a policy to an S3 user

• Detach a policy from an S3 user

• Manage S3 credentials

• Generate a temporary security token

View existing IAM policies

Command: weka s3 policy list

Use this command to list the existing IAM policies.

The command lists the pre-defined and custom policies the Cluster Admin has added.

Command: weka s3 policy show <policy-name>

Use this command to see the JSON definition of the selected IAM policy.

The pre-defined policy values are:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:GetBucketTagging",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}

Add an IAM policy

Command: weka s3 policy add

Use the following command line to add an S3 IAM policy:

weka s3 policy add <policy-name> <policy-file>

Parameters

Delete an IAM policy

Command: weka s3 policy remove

Use the following command line to delete an S3 IAM policy:‌

weka s3 policy remove <policy-name>‌

Parameters

Attach a policy to an S3 user

Command: weka s3 policy attach

Use the following command line to attach an IAM policy to an S3 user:‌

weka s3 policy attach <policy> <user>‌

Parameters

If the user does not already have S3 credentials, the system creates them automatically when the policy is attached. The secret key is displayed once and must be saved immediately.

Example

Detach a policy from an S3 user

Command: weka s3 policy detach

Use the following command line to detach an IAM policy from an S3 user:‌‌

weka s3 policy detach <policy> <user>‌‌

Parameters

Detaching a policy removes S3 data access, but keeps the existing S3 access key and secret key. If you later attach any S3 policy again, the same key pair is used.

Example

Manage S3 credentials

Manage S3 API credentials separately from the WEKA account password.

Regenerate your own S3 credentials

Command: weka s3 user keys-generate

Use this command to regenerate your own S3 access key and secret key.

Regenerate S3 credentials for another user

Command: weka s3 user keys-generate --user <username>

Use this command as an administrator to regenerate credentials for a specific user.

Behavioral notes:

• Attaching an S3 policy grants S3 access and auto-creates credentials if needed.

• Detaching an S3 policy removes S3 access, but preserves the credentials.

• Each S3 access key includes the tenant identifier for correct multi-tenant routing.

If the user has no attached S3 policy, the command fails:

Generate a temporary security token

Command: weka s3 sts assume-role

Use the following command line to generate a temporary security token:

weka s3 sts assume-role <--access-key access-key> [--secret-key secret-key] [--policy-file policy-file] <--duration duration>

Parameters

An example response: