IAM API

Using CMC IAM Client

Instructions

  1. Log in as engineer1
    Ensure Engineering is selected
    User ID: engineer1
    Password: @Engineer1

Instructions

  1. Select IAM
  2. Select IAM User
  3. Click + ADD NEW USER

Instructions

  1. Type reado in User Name
  2. Click SAVE

Instructions

  1. Click IAM Policy tab
  2. Click + Add new Policy
  3. Type read in Policy Name
  4. Type Grant all read permissions in Description
  5. Click in the Policy Document Area

Instructions

  1. A Visual Editor should appear
  2. Expand the List and Read sections
  3. Click Select all in each section
  4. Click Save

Instructions

The policy document has been populated as JSON from the Visual Editor. On the Manage IAM Policy page, click ADD to add the policy.


Instructions

  1. Click Back on IAM User Tab
  2. Click reado

Instructions

  1. Click + CREATE NEW KEY

Instructions

  1. A New Access Key ID will be created.
  2. Ensure you take a copy of the Secret Key.

Warning

Unlike HyperStore User Keys, Secret Access Keys for IAM users are NOT stored. You cannot go back later to get the Secret Key.


Instructions

  1. Click IAM POLICIES Tab
  2. Select readonly policy
  3. Ensure the Policy Document Area is populated with the policy details
  4. Click Add

Instructions

  1. Log in to the Host Server
  2. Create a new s3cmd profile using the access key and secret key of the IAM user reado
    s3cmd --configure -c reado
    
  3. Use the reado Access Key and Secret Key you copied when creating the reado user.
  4. Enter region1 for the Default Region
  5. Use the S3 Endpoint from the Student Assignment page
  6. Use %(buckets)s.your.S3Endpoint
  7. Select defaults for Encryption Password and Path to GPG
  8. Choose no for HTTPS protocol
  9. Choose default for HTTP Proxy
  10. Test Access (Y)
  11. Save config (Y)

Testing the IAM credentials

Instructions

  1. Test the new profile and IAM policy for reado: check whether reado can list buckets and the objects in a bucket
    s3cmd -c reado ls s3://
    
    s3cmd -c reado ls s3://engineerbucket
    

Instructions

  1. Test read access to objects by downloading the 5mb object as new5mb
    s3cmd -c reado get s3://engineerbucket/5mb new5mb
    

Instructions

Ensure you cannot write any data to the bucket

s3cmd -c reado put new5mb s3://engineerbucket

Using CLI for IAM API

Instructions

  1. First set the IAM endpoint in the .bash_profile on the Host Server. Ensure that you replace studentX, where X is your student number.
    echo "export iam_endpoint=iam.studentX.cloudian.tech" >> ~/.bash_profile && source ~/.bash_profile
    

Instructions

  1. We will use the IAM API to create a second user and policy. This requires the AWS CLI, so let's set up a profile for the root AWS account engineer1.
    aws configure --profile engineer1

Note

Use the Access Key and Secret Key for the engineer1 account.
Use region1 for the Default region name.
Type json as the output format.


Instructions

  1. Create a new IAM user awsuser using the aws command below:
    aws --profile engineer1 iam create-user --user-name awsuser --endpoint-url http://$iam_endpoint:16080
    
  2. Create an S3 access key and secret key for the new awsuser user:
    aws --profile engineer1 iam create-access-key --user-name awsuser --endpoint-url http://$iam_endpoint:16080
    

Warning

Ensure you take a copy of the SecretAccessKey and AccessKeyId!


Instructions

  1. Create a new JSON file, full_policy.json, granting full permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:HeadObject",
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketNotification",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketPolicy",
                "s3:GetBucketRequestPayment",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite",
                "s3:GetEncryptionConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectLegalHold",
                "s3:GetObjectRetention",
                "s3:GetObjectTagging",
                "s3:GetObjectTorrent",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectVersionTagging",
                "s3:GetReplicationConfiguration",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteBucketWebsite",
                "s3:DeleteObject",
                "s3:DeleteObjectTagging",
                "s3:DeleteObjectVersion",
                "s3:DeleteObjectVersionTagging",
                "s3:PutBucketCORS",
                "s3:PutBucketLogging",
                "s3:PutBucketNotification",
                "s3:PutBucketObjectLockConfiguration",
                "s3:PutBucketRequestPayment",
                "s3:PutBucketTagging",
                "s3:PutBucketVersioning",
                "s3:PutBucketWebsite",
                "s3:PutEncryptionConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:PutObject",
                "s3:PutObjectLegalHold",
                "s3:PutObjectRetention",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionTagging",
                "s3:PutReplicationConfiguration",
                "s3:RestoreObject"
            ],
            "Resource": "*"
        }
    ]
}
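Before attaching a policy it is worth checking what it actually grants. The following Python script is an added example, not part of the lab or of HyperStore: it classifies the s3 actions in a policy document as read-like or write-like, so you can confirm that the read policy built from the Visual Editor's List and Read sections is really read-only, and see that the full policy above grants write actions on every resource. The two embedded policies are constructed subsets of the Visual Editor output.

```python
"""Least-privilege check for IAM policy documents like those used above.
Added example, pure stdlib: classifies the s3 actions an Allow statement
grants as read-like or write-like and flags write grants on Resource "*"."""

# Actions with these prefixes cannot modify data or configuration.
READ_PREFIXES = ("s3:get", "s3:list", "s3:head")

# Constructed subsets of the Visual Editor output: the List + Read sections
# only (the lab's "read" policy) and the read/write "full" policy above.
READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
    "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:HeadObject",
               "s3:GetObject", "s3:GetBucketPolicy"]}]}
FULL_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject",
               "s3:DeleteObject", "s3:DeleteBucket"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_read_action(action):
    # "*" and "s3:*" include writes, so they never count as read-only.
    return action.lower().startswith(READ_PREFIXES)

def classify_actions(policy):
    """Return (read_actions, write_actions) granted by Allow statements."""
    read, write = set(), set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            (read if is_read_action(action) else write).add(action)
    return read, write

def is_read_only(policy):
    return not classify_actions(policy)[1]

def wildcard_write_findings(policy):
    """(Sid, sorted write actions) for Allow statements on Resource "*"."""
    findings = []
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") != "Allow"
                or "*" not in _as_list(stmt.get("Resource", []))):
            continue
        writes = sorted(a for a in _as_list(stmt["Action"])
                        if not is_read_action(a))
        if writes:
            findings.append((stmt.get("Sid", "<no Sid>"), writes))
    return findings
```

To check a file such as full_policy.json, load it with json.load and pass the result to wildcard_write_findings.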

Instructions

  1. Let's now create a new IAM policy allowing read and write access to buckets and objects. The JSON policy is provided for you as the file full_policy.json
    aws --profile engineer1 iam create-policy --policy-name full --description "Full Access" --policy-document file://full_policy.json --endpoint-url http://$iam_endpoint:16080
    

Important

Copy the Arn value from the output; you will need it to attach the policy to the awsuser user.

Instructions

  1. Attach the Full Access policy to the awsuser account. Paste the ARN you copied above into the --policy-arn parameter
    aws --profile engineer1 iam attach-user-policy --policy-arn < ARN copied from previous step > --user-name awsuser --endpoint-url http://$iam_endpoint:16080
    

Instructions

  1. Log in to the Host Server via SSH
  2. Create a new s3cmd profile using the access key and secret key of the IAM user awsuser
    s3cmd --configure -c awsuser
    
  3. Use the awsuser Access Key and Secret Key you copied when creating the awsuser user.
  4. Use the region1 endpoint on your Student worksheet when asked for S3 Endpoint.
  5. Use %(buckets)s.your.S3Endpoint
  6. Select defaults for Encryption Password and Path to GPG
  7. Choose no for HTTPS protocol
  8. Choose default for HTTP Proxy
  9. Test Access (Y)
  10. Save config (Y)

Instructions

  1. Test the new profile and IAM policy for awsuser
    s3cmd ls s3:// -c awsuser
    
    s3cmd ls s3://engineerbucket -c awsuser
    

Instructions

  1. Test read access to objects by downloading the 5mb object as new5mb
    s3cmd get s3://engineerbucket/5mb aws5mb -c awsuser
    

Instructions

  1. Ensure you CAN write data to the bucket
    s3cmd put new5mb s3://engineerbucket/aws5mb -c awsuser
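With both profiles configured, the manual checks above (list, get, and the put that must fail for reado but succeed for awsuser) can be run as a single access matrix. This Python script is an added example, not part of the lab: it assumes the s3cmd profile files reado and awsuser from the --configure steps are in the working directory and that engineerbucket holds the object 5mb. The command runner is a parameter, so the matrix logic can be exercised without s3cmd or a cluster.

```python
"""Check the expected access matrix for the lab profiles with s3cmd.

Added example, not part of the lab. Assumes the s3cmd profile files reado
and awsuser from the --configure steps are in the working directory and
that engineerbucket holds the object 5mb. The command runner is injectable
so the matrix logic can be exercised without s3cmd or a HyperStore cluster.
"""
import subprocess

BUCKET = "s3://engineerbucket"

# (profile, s3cmd arguments, should the operation succeed?)
# --force lets the get be re-run when check5mb already exists locally.
EXPECTED = [
    ("reado", ["ls", "s3://"], True),
    ("reado", ["ls", BUCKET], True),
    ("reado", ["get", f"{BUCKET}/5mb", "check5mb", "--force"], True),
    ("reado", ["put", "check5mb", f"{BUCKET}/denied5mb"], False),
    ("awsuser", ["ls", BUCKET], True),
    ("awsuser", ["put", "check5mb", f"{BUCKET}/aws5mb"], True),
]

def run_s3cmd(profile, args):
    """Run s3cmd with the named profile; True when the exit code is 0."""
    cmd = ["s3cmd", "-c", profile] + args
    return subprocess.run(cmd, capture_output=True).returncode == 0

def check_matrix(expected=EXPECTED, runner=run_s3cmd):
    """Return (profile, args, expected, actual) for every deviation."""
    deviations = []
    for profile, args, should_succeed in expected:
        succeeded = runner(profile, args)
        if succeeded != should_succeed:
            deviations.append((profile, args, should_succeed, succeeded))
    return deviations

def describe(deviation):
    profile, args, expected, actual = deviation
    return (f"MISMATCH {profile}: s3cmd {' '.join(args)} was "
            f"{'allowed' if actual else 'denied'}, expected "
            f"{'allow' if expected else 'deny'}")

if __name__ == "__main__":
    problems = check_matrix()
    for dev in problems:
        print(describe(dev))
    print("OK: access matrix matches" if not problems else
          f"{len(problems)} deviation(s)")
```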