3—Creating a User Account and Access Key
    • 10 Apr 2024

    A user is an individual for whom you create Wasabi authentication, giving that person permission to perform actions in Wasabi.

    A group is a set of users that you can manage collectively.

    Each user and group can be associated with one or more policies to define the actions that a user or group member can perform and the conditions under which those actions can take place.

    Because you assign a user to a group when you create a user account, you will begin the instructions below by defining a group. Then, you will work through an instruction for creating a user, during which you will assign the user to the group and attach a policy. Finally, you will assign an access key to a user. An access key is for use with third-party applications.

    Objectives

    Sign up for Wasabi and sign in.
    Work with buckets and objects.
    Create a user account and access key. 

    Creating a Group

    1. Click Groups in the Wasabi menu on the left of the screen.

    2. Click Create Group.

    3. Enter a name for the new group (such as “test-engineers” in the example below).

    4. Click Save. The new group is displayed in the Groups List. For example:

    The group is displayed with this information:

    • Group name
    • Path for the group
    • An Amazon Resource Name (ARN) for the group
    • Date and time when the group was created

    You can click on a group name and then add users or permissions (policies) to the group. But, for this exercise, you will continue by Creating a User (below). Groups are described in detail in the Wasabi Cloud Storage: Advanced Usage Product Guide.

    Creating a User

    When you first created a Wasabi account, you created a “Root User.” However, the Root User should be reserved for specific account and service management tasks. It is not good practice for the Root User to perform routine tasks. Instead, it is best to create a new user for each person, even for those who require administrative access.

    To create a user:

    1. Click Users in the Wasabi menu on the left of the screen.

    2. Click Create User.

    3. Enter a name for the user. It can contain only alphanumeric characters and the following special characters: plus sign (+), equal sign (=), period (.), at sign (@), dash (-), underscore (_). In the example below, Arthur is entered as the user name.

    4. Specify user access as:

      Programmatic (the user can create an API key)
      AND/OR
      Wasabi Management Console access

      By enabling programmatic access, the user gets an access key and secret key at the end of the instruction to create a user. The access key and secret key are used to access the two resources (IAM and Storage, based on the policies assigned to the user) via means other than the Wasabi Console (such as AWS CLI, CloudBerry, Cyberduck, or any other S3 application).

      In this example, Arthur has Console access only.

    5. When you select the Console option, you must enter a password (at least 8 characters) with which the user must sign in to Wasabi. (For an experienced user, note that this password should follow the password policy settings.)

      Optionally, you can select Require Password Reset, which means the user must reset this credential and will be prompted for a new password the first time they sign in to Wasabi.

    6. Click Next.
    7. It is best practice to assign the user to a group. You can do so in two ways:

      Creating a new group by clicking Create Group (as described in Creating a Group above)
      OR
      Assigning the user to a group, as described in this step.

      Click in the Add User To Group area. A list of groups is displayed. For example:

    8. Select test-engineers for this exercise. If the list is long, you can start typing to find the group in which to add the user.

      Notice that the selected group is displayed in gray. You can add multiple groups and each will be displayed in this area.

      You can remove a group by clicking.
    9. Click Next.
    10. Now you are ready to associate a policy with the user. You can do so in two ways:

      Select one of the predefined policies listed. Simply click on + to the right of the policy name. (Refer to Policies for a description of each policy.)
      OR
      (Experienced Users) Click in the "Attach Policy To User" area and attach an existing policy defined for your account. You can enter text to find a specific policy.

      For this example, click + to select the WasabiFullAccess policy.

    11. You can add additional policies (up to 10 per user) but, for this exercise, scroll down to see that WasabiFullAccess appears in gray as a policy that will be attached.

      You can remove a policy by clicking.
    12. Click Next.
    13. Review the settings for the new user. For example:

    14. Click Create User to continue. A checklist indicates that Arthur is successfully added as a new user.

    15. You could add another user at this time. But, for this exercise, click Close.

    When you return to the Users panel, the new user (Arthur) is displayed. For example:

    Users are described in detail in the Wasabi Cloud Storage: Advanced Usage Product Guide.

    After creating a user, you might want to assign an access key to the user, as described below.

    Assigning an Access Key

    An access key is used to make programmatic calls to AWS API actions. When using the S3 API, you must have an API access key set to exchange storage files between your application and the Wasabi service. There are two types of access keys:

    • Access Key ID
    • Secret Access Key

    Each key is a text string that you will cut/paste into your storage application. For your protection, you should never share your secret keys with anyone. In addition, industry best practice recommends frequent key rotation.

    Access keys are used to make secure REST or Query protocol requests to the Wasabi service API. The Wasabi S3 endpoint is s3.wasabisys.com. (See also the Wasabi Knowledge Base for service URLs for different regions.) If using Cyberduck, for example as shown below, you would need to enter the appropriate keys in the “Access Key ID” and “Secret Access Key” fields. This is an example of one of many applications that can connect to the Wasabi endpoint.
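
    How an S3 client uses the two keys on each request, as an added example that is not part of the original Wasabi guide: the Access Key ID travels in the Authorization header, while the Secret Access Key only keys an HMAC chain (AWS Signature Version 4) and never leaves the client. The credentials, bucket and object names are constructed placeholders, and the us-east-1 region for s3.wasabisys.com is an assumption.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed placeholder credentials (AWS documentation style), not real keys.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
HOST = "s3.wasabisys.com"  # endpoint named on this page
REGION = "us-east-1"       # assumption: region behind that endpoint
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # a GET carries no body


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_get(path: str, access_key: str, secret_key: str, when: datetime) -> dict:
    """Build Signature Version 4 headers for a GET of `path` (already URI-encoded)."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    day = amz_date[:8]
    scope = f"{day}/{REGION}/s3/aws4_request"
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    canonical_request = "\n".join([
        "GET", path, "",  # method, URI, empty query string
        f"host:{HOST}", f"x-amz-content-sha256:{EMPTY_SHA256}",
        f"x-amz-date:{amz_date}", "",  # blank entry closes the header block
        signed_headers, EMPTY_SHA256,
    ])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # The secret key only seeds this HMAC chain; it is never placed in a header.
    key = ("AWS4" + secret_key).encode()
    for part in (day, REGION, "s3", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {
        "Host": HOST,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": EMPTY_SHA256,
        "Authorization": f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                         f"SignedHeaders={signed_headers}, Signature={signature}",
    }


if __name__ == "__main__":
    hdrs = sign_get("/example-bucket/report.txt", ACCESS_KEY_ID,
                    SECRET_ACCESS_KEY, datetime.now(timezone.utc))
    print("\n".join(f"{k}: {v}" for k, v in hdrs.items()))
```

    Because the derived signing key is scoped to a single day, region and service, a captured signature cannot be replayed to forge other requests; a leaked Secret Access Key can, which is why it must be stored safely and rotated.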

    To assign an access key and secret key to a user:

    1. On the Users panel, click on the user name (Arthur, in this example). The User panel is displayed. For example:

      Notice that several tools are provided at the bottom of the panel to modify the user account. Select User Access Keys.

    2. Click Create Access Key.

    3. A unique access key for the user is displayed. For example (the access key is blurred for security):

    4. To show the Secret Key, click the Show link. For example (both keys are blurred for security):

      Be sure to copy these keys and store them in a safe place. Notice that two buttons are provided to conveniently download the keys in a CSV file or copy the keys to the clipboard (and then paste them into a file to save).

      If you do not download or copy and save these keys now, you will not be able to retrieve them later. When using the access keys for API access to the Wasabi service, the service endpoint address is s3.wasabisys.com.
    5. After saving the keys, click X. The access key is displayed. For example:

    Objectives Met!

    Sign up for Wasabi and sign in.
    Work with buckets and objects.
    Create a user account and access key.

    You are ready to explore Wasabi Management Console Features.