IAM and STS Support With the Wasabi S3 API


Wasabi supports the following subset of the AWS S3 IAM:

  • AddUserToGroup
  • AttachGroupPolicy
  • AttachRolePolicy
  • AttachUserPolicy
  • ChangePassword
  • CreateAccessKey
  • CreateAccountAlias
  • CreateGroup
  • CreateLoginProfile
  • CreatePolicy
  • CreatePolicyVersion
  • CreateRole
  • CreateUser
  • CreateVirtualMFADevice
  • DeactivateMFADevice
  • DeleteAccessKey
  • DeleteAccountAlias
  • DeleteAccountPasswordPolicy
  • DeleteGroup
  • DeleteGroupPolicy
  • DeleteLoginProfile
  • DeletePolicy
  • DeletePolicyVersion
  • DeleteRole
  • DeleteRolePolicy
  • DeleteUser
  • DeleteUserPolicy
  • DeleteVirtualMFADevice
  • DetachGroupPolicy
  • DetachRolePolicy
  • DetachUserPolicy
  • EnableMFADevice
  • GetAccessKeyLastUsed
  • GetAccountAuthorizationDetails
  • GetAccountPasswordPolicy
  • GetAccountSummary
  • GetGroup
  • GetGroupPolicy
  • GetLoginProfile
  • GetPolicy
  • GetPolicyVersion
  • GetRole
  • GetRolePolicy
  • GetUser
  • GetUserPolicy
  • ListAccessKeys
  • ListAccountAliases
  • ListAttachedGroupPolicies
  • ListAttachedRolePolicies
  • ListAttachedUserPolicies
  • ListEntitiesForPolicy
  • ListGroups
  • ListGroupPolicies
  • ListGroupsForUser
  • ListMFADevices
  • ListPolicies
  • ListPolicyVersions
  • ListRolePolicies
  • ListRoles
  • ListUsers
  • ListUserPolicies
  • ListVirtualMFADevices
  • PutGroupPolicy
  • PutUserPolicy
  • PutRolePolicy
  • RemoveUserFromGroup
  • ResyncMFADevice
  • SetDefaultPolicyVersion
  • UpdateAccessKey
  • UpdateAccountPasswordPolicy
  • UpdateAssumeRolePolicy
  • UpdateLoginProfile
  • UpdateGroup
  • UpdateUser


Wasabi supports the following subset of the AWS S3 STS.

  • AssumeRole (Note: AssumeRole supports a maximum session duration of 43200 secs (12 hrs).)

  • GetCallerIdentity

  • GetSessionToken

All other actions in AWS S3 not listed are not supported by Wasabi. All actions listed above are fully supported and compatible with AWS S3 unless otherwise noted.

Wasabi supports only IAM actions for version “2010-05-08”. The version value may be omitted from the call as well, but if given, it must be “2010-05-08”. Wasabi supports only STS actions for version “2011-06-15”. The version value may be omitted from the call as well, but if given, it must be “2011-06-15”.

FORM Requests

Wasabi supports the use of the HTTP method POST with the content type “application/x-www-form-urlencoded” for IAM operations. The key/value data in the POST body is equivalent to using the data as query string parameters. For IAM requests with over 8000 characters of data, the request must be provided as a POST using the form-encoded data.

Policy Compatibility

Wasabi supports access policies that are compatible with AWS S3 in definition. However, policies usually cannot be copied directly from AWS S3 to Wasabi because the policies frequently contain identifiers specific to the system (such as the account identifier and canonical IDs). The policy can be copied and all identifiers updated to their specific Wasabi values.

Policy Variables

Wasabi supports the following policy variables and headers under the Principal and Condition elements in access policies:

  • aws:CurrentTime
  • aws:EpochTime
  • aws:MultiFactorAuthPresent
  • aws:MultiFactorAuthAge
  • aws:principaltype
  • aws:Referer
  • aws:SecureTransport
  • aws:SourceIp
  • aws:UserAgent
  • aws:userid
  • aws:username
  • aws:accountid (Wasabi feature only; see details below*)
  • iam:PolicyArn
  • s3:authtype
  • s3:delimiter
  • s3:max-keys
  • s3:prefix
  • s3:signatureAge
  • s3:signatureversion
  • s3:VersionId
  • s3:x-amz-acl
  • s3:x-amz-content-sha256
  • s3:x-amz-copy-source
  • s3:x-amz-grant-read
  • s3:x-amz-grant-write
  • s3:x-amz-grant-read-acp
  • s3:x-amz-grant-write-acp
  • s3:x-amz-grant-full-control
  • s3:x-amz-metadata-directive
  • s3:x-amz-server-side-encryption
  • s3:x-amz-storage-class
  • sts:ExternalId

* AWS S3 does not support a variable to return the account identification for the current user. Wasabi supports the additional policy variable “aws:accountid”, which returns the account identification for the current user.

Multi-Factor Authentication (MFA) Support

Wasabi strongly encourages the use of an MFA device for additional security on your account. Wasabi supports virtual MFA devices, but not hardware MFA devices. Wasabi has been tested with Google Authenticator and Authy 2-Factor Authentication. However, Wasabi should operate with any application that supports the open TOTP standard.

System-Wide Policies

Wasabi provides additional commonly used system-wide policies. The following are the standard system-wide policies and their meaning.

  • WasabiS3FullAccess: Same as that defined by AWS, allowing full access to any AWS S3 resource.

  • WasabiS3ReadOnlyAccess: Same as that defined by AWS, allowing read-only access to any AWS S3 resource.

  • AdministratorAccess: Same as that defined by AWS S3, allowing full administrator access to the account.

  • WasabiReadOnlyAccess: Allows read-only access to any account, user, and AWS S3 data in the account. This policy also allows the user to change the password and use MFA.

  • WasabiWriteOnlyAccess: Allows the user to write objects to an AWS S3 bucket.

  • WasabiFullAccess: Allows the user full access to AWS S3 buckets and to modify their own user IAM parameters.

Policy Wildcard Matching

Wasabi supports these wildcard characters:

  • * matches zero or more characters.

  • ? matches exactly one character.

Wildcards can match in the principal, action, resource, or conditions parts of the policy statement. These characters may be used anywhere in a string, but may not cross the colon (:) separator in an ARN. Prefixing the asterisk (*) and question mark (?) with a backslash (\) overrides the wildcard meaning of the characters and forces a match to the literal character.

When matching an ARN for an IAM resource or principal containing a path, matching is allowed either with or without the path given. However, if the policy ARN name contains a path, it must match the entity path.
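The matching rules above, implemented as an added example (this is not Wasabi's own matcher): `*` and `?` never cross an ARN's `:` separator, a backslash makes them literal, and an IAM ARN pattern without a path matches the entity with or without its path. The `arn` flag and the path handling in `iam_arn_match` are our reading of the text, not documented parameters.

```python
import re

def _component_regex(pattern: str, arn: bool) -> str:
    """Translate one policy wildcard pattern into a regex fragment.
    '*' = zero or more chars, '?' = exactly one char; inside an ARN neither
    may cross ':'; a backslash before '*' or '?' makes it a literal."""
    anychar = "[^:]" if arn else "."
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?":
            out.append(re.escape(pattern[i + 1]))  # escaped wildcard: literal
            i += 2
            continue
        if ch == "*":
            out.append(anychar + "*")
        elif ch == "?":
            out.append(anychar)
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)

def wildcard_match(pattern: str, value: str, arn: bool = True) -> bool:
    """Match a principal, action, resource or condition string.
    Set arn=False for non-ARN strings such as actions ('s3:Get*')."""
    return re.fullmatch(_component_regex(pattern, arn), value) is not None

def iam_arn_match(pattern_arn: str, entity_arn: str) -> bool:
    """Match an IAM user/role/group ARN, honouring the path rule: a pattern
    with no path matches the entity with or without its path; a pattern
    that gives a path must match the entity's path (our reading of the text)."""
    p_prefix, _, p_res = pattern_arn.rpartition(":")  # e.g. 'user/dev/alice'
    e_prefix, _, e_res = entity_arn.rpartition(":")
    if not wildcard_match(p_prefix, e_prefix):
        return False
    p_type, _, p_rest = p_res.partition("/")          # 'user', 'dev/alice'
    e_type, _, e_rest = e_res.partition("/")
    if not wildcard_match(p_type, e_type):
        return False
    if "/" not in p_rest:                             # no path in pattern:
        return wildcard_match(p_rest, e_rest.rsplit("/", 1)[-1])  # name only
    return wildcard_match(p_rest, e_rest)             # path given: full match
```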

Temporary Access Keys

Similar to AWS S3, Wasabi supports both permanent and temporary access credentials. Wasabi provides the action “CreateTemporaryAccessCredentials” for the creation of temporary access credentials. Unlike other IAM actions, this action is not signed by credentials since it is used to obtain temporary credentials based on the user's password. However, it must be protected using a secure HTTPS connection.

The action takes the following input parameters:

  • Account: A string that identifies the account using the account ID (with or without hyphens), account name (usually the email), or account alias. This parameter must be provided.

  • UserName: A string that identifies the user within the account. If no value is given, the user is assumed to be the root user for the account.

  • Password: A string that provides the password for the given user.

  • MFAToken: A string that provides the MFA token from the MFA device to authenticate the request when the user is required to use multi-factor authentication. This value may be omitted if no MFA token is required for the user. The authentication credentials retain the MFA authorization and can be used to avoid MFA authorization in other operations, such as deleting objects.

  • Expires: An integer that provides the number of seconds until the access key expires. The maximum allowed is 129600 (which is 36 hours). If no value is provided, the default expiration time is 12 hours.

  • SecurityToken: A string that provides the security token to be used with the credentials. AWS S3 allows an optional security token that functions like a password to be used with the access key. If not provided, no security token is associated with the access keys.

The action returns in an XML body the access key ID, create time, expiration time, and the secret key for the access credential.

Below is an example call to the action “CreateTemporaryAccessCredentials”:

GET https://iam.wasabisys.com/
    ?Action=CreateTemporaryAccessCredentials&AccountId=100000000100
    &UserName=test-user&Password=my-password HTTP/1.1

Response body:

<CreateTemporaryAccessCredentialsResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <CreateTemporaryAccessCredentialsResult>
    <AccessKey>
      <AccessKeyId>AITXP7RW3QXQPXJ0XC9A</AccessKeyId>
      <CreateDate>2017-06-07T16:39:11.274Z</CreateDate>
      <Expires>2017-06-08T04:39:11.273Z</Expires>
      <SecretAccessKey>pKSYVSDH2aac1LVE8m4a6L070NA0Mz0nTqWHzD2F</SecretAccessKey>
    </AccessKey>
    <User>
      <Path>/</Path>
      <PasswordLastUsed>2017-06-07T16:38:48.000Z</PasswordLastUsed>
      <Arn>arn:aws:iam::100000000103:root</Arn>
      <UserId>ADC37066E05B318487B6AEF5542E9C78FACC77A67CAD6B2FDC3990C430D15591</UserId>
      <CreateDate>2017-06-07T16:38:48.000Z</CreateDate>
    </User>
    <LoginProfile>
      <UserName />
      <CreateDate>2017-06-07T16:38:48.000Z</CreateDate>
      <PasswordResetRequired>false</PasswordResetRequired>
    </LoginProfile>
    <AccountPlan>
      <BillingPlanName>trial-premium</BillingPlanName>
      <Standing>ok</Standing>
    </AccountPlan>
  </CreateTemporaryAccessCredentialsResult>
  <ResponseMetadata>
    <RequestId>08a3add0-7ebc-903c-a9c6-23dccfeef920</RequestId>
  </ResponseMetadata>
</CreateTemporaryAccessCredentialsResponse>
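An added example (not Wasabi's own client code) that builds the CreateTemporaryAccessCredentials call as a form-encoded POST body, so the password sits in the request body rather than in a URL that proxies and access logs may record, and parses the XML response shown above to recover the key and its lifetime. The endpoint, parameter names and the 129600-second ceiling are taken from this page; the embedded response is trimmed from the page's sample with a placeholder secret, and sending the request is left to the caller.

```python
from urllib.parse import urlencode
import xml.etree.ElementTree as ET
from datetime import datetime

IAM_ENDPOINT = "https://iam.wasabisys.com/"        # POST target for the form body
MAX_EXPIRES = 129600                                # 36 hours, the documented maximum
NS = {"iam": "https://iam.amazonaws.com/doc/2010-05-08/"}

# Trimmed from the page's sample response; the secret is a placeholder.
SAMPLE_RESPONSE = """<CreateTemporaryAccessCredentialsResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
 <CreateTemporaryAccessCredentialsResult><AccessKey>
  <AccessKeyId>AITXP7RW3QXQPXJ0XC9A</AccessKeyId>
  <CreateDate>2017-06-07T16:39:11.274Z</CreateDate>
  <Expires>2017-06-08T04:39:11.273Z</Expires>
  <SecretAccessKey>EXAMPLE_SECRET_KEY</SecretAccessKey>
 </AccessKey></CreateTemporaryAccessCredentialsResult>
</CreateTemporaryAccessCredentialsResponse>"""

def build_request_body(account, password, user_name=None, mfa_token=None,
                       expires=None, security_token=None):
    """Return the application/x-www-form-urlencoded body for the action.
    Only the parameters actually supplied are sent; Expires is range-checked
    locally so a bad value fails before any credentials are requested."""
    if expires is not None and not 0 < expires <= MAX_EXPIRES:
        raise ValueError(f"Expires must be between 1 and {MAX_EXPIRES} seconds")
    params = {"Action": "CreateTemporaryAccessCredentials",
              "Version": "2010-05-08", "Account": account, "Password": password}
    optional = {"UserName": user_name, "MFAToken": mfa_token,
                "Expires": expires, "SecurityToken": security_token}
    params.update({k: v for k, v in optional.items() if v is not None})
    return urlencode(params)

def parse_credentials(xml_body: str) -> dict:
    """Extract the access key and its lifetime from the XML response body."""
    root = ET.fromstring(xml_body)
    key = root.find("iam:CreateTemporaryAccessCredentialsResult/iam:AccessKey", NS)
    if key is None:
        raise ValueError("no AccessKey element in response")
    def text(tag):
        return key.findtext(f"iam:{tag}", namespaces=NS)
    created = datetime.fromisoformat(text("CreateDate").replace("Z", "+00:00"))
    expires = datetime.fromisoformat(text("Expires").replace("Z", "+00:00"))
    return {"access_key_id": text("AccessKeyId"),
            "secret_access_key": text("SecretAccessKey"),
            "expires": expires,
            "lifetime_seconds": round((expires - created).total_seconds())}
```

The sample's lifetime comes out at 43200 seconds, the 12-hour default the page describes for a call that omits Expires.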

Change Password for Root User

Wasabi allows the root user to change the password using the action “ChangePassword”. The access credentials identify the user and may include the account root user.

Create User Allows Setting Password

Wasabi allows the user password to be set with the action “CreateUser”. The caller can provide the additional parameters “Password” and “PasswordResetRequired”, which are the same as given for the “SetLoginProfile” action.

Getting User MFA Status

Wasabi returns more data about MFA status for an access key with the new action “GetUserMFA”. The response data includes the MFA device data for the access key, including the MFA device data for the user and the authorization date and age (in seconds) of the credentials. Note that the action may be called for roles, in which case only the authorization date and age are returned. Below is an example call and response for the “GetUserMFA” action:

GET https://iam.wasabisys.com/?Action=GetUserMFA&UserName=user1

Response body:

<GetUserMFAResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <GetUserMFAResult>
    <UserName>user1</UserName>
    <SerialNumber>arn:aws:iam::100000113772:mfa/user1-45104489812</SerialNumber>
    <CreateDate>2020-02-10T11:59:47.000Z</CreateDate>
    <EnableDate>2020-02-10T12:01:02.000Z</EnableDate>
    <AuthenticateDate>2020-02-10T12:23:03.000Z</AuthenticateDate>
    <AuthenticateAge>638</AuthenticateAge>
  </GetUserMFAResult>
  <ResponseMetadata>
    <RequestId>9bbb7eae-4432-9f33-3fd9-fdb0556d3eca</RequestId>
  </ResponseMetadata>
</GetUserMFAResponse>

Feature: Listing All Access Keys for Account

Wasabi allows the action “ListAccessKeys” to list all the access keys for the given account. If the username parameter is an asterisk (*), access keys are given for all the users, including the root user, in the account. The returned value of the username for the root user is blank.

Validating Policies

Wasabi supports the action “ValidatePolicy” to debug and test IAM policies. The action will return error information about any problems in the policy, such as incorrect structure and unrecognized identifiers. If there are no errors in the policy, the system will evaluate the policy for either an ALLOW, DENY, or no return status. The evaluation is done assuming the principal (account, user, or role) that signed the request.

The action takes the following input parameters:

  • PolicyDocument: The text of the policy document to evaluate. The text should be formatted as JSON.

  • IsPrincipal: The Boolean value “true” if this policy is applied to a principal element (a user, role, or group). Otherwise, the policy is assumed to apply to a specific resource (most often a bucket). AWS S3 differentiates between these two types of policies.

  • UseAction: The string giving the action for evaluating the policy. Example actions include s3:PutObject and iam:ChangePassword.

  • UseResource: The string giving the resource for evaluating the policy. Note that the resource should be expressed as an ARN (for example, arn:aws:s3:::my-bucket/my-object).

  • UseService: The service associated with the request: iam, sts, or s3. The default is iam.