3—Creating a User Account and Access Key
  • 26 Jun 2023


A user is an individual for whom you create Wasabi authentication, giving that person permission to perform actions in Wasabi.

A group is a set of users that you can manage collectively.

Each user and group can be associated with one or more policies to define the actions that a user or group member can perform and the conditions under which those actions can take place.

Because you assign a user to a group when you create a user account, you will begin the procedures below by defining a group. Then, you will work through a procedure for creating a user, during which you will assign the user to the group and attach a policy. Finally, you will assign an access key to a user. An access key is for use with third-party applications.

Objectives

Sign up for Wasabi and sign in.
Work with buckets and objects.
Create a user account and access key.

Creating a Group

  1. Click Groups in the Wasabi menu on the left of the screen.

  2. Click CREATE GROUP.
  3. Enter a name for the new group (such as “test-engineers” in the example below).

  4. Click SAVE. The new group is displayed on the Groups panel. For example:

The group is displayed with this information:

  • Group name
  • Path for the group
  • An Amazon Resource Name (ARN) for the group
  • Date when the group was created

You can click on a group name and then add users or permissions (policies) to the group. But, for this exercise, you will continue by Creating a User.

Creating a User

When you first created a Wasabi account, you created a “Root User.” But, the Root User should be reserved for specific account and service management tasks. It is not good practice for the Root User to perform routine tasks. Instead, it is best to create a new user for each person, even for those who require administrative access.

To create a user:

  1. Click Users in the Wasabi menu on the left of the screen.

  2. Click CREATE USER.
  3. Enter a name for the user. It can contain only alphanumeric characters and the following special characters: plus sign (+), equal sign (=), period (.), at sign (@), dash (-), underscore (_). In the example below, Arthur is entered as the user name.

  4. Specify user access as:

    Programmatic (the user can create an API key)
    AND/OR
    Wasabi Management Console access

    By enabling programmatic access, the user gets an access key and secret key at the end of the procedure to create a user. The access key and secret key are used to access the two resources (IAM and Storage, based on the policies assigned to the user) via means other than the Wasabi Console (such as AWS CLI, CloudBerry, Cyberduck, or any other S3 application).

    In this example, Arthur has Console access only.

  5. When you select the Console option, you must enter a password with which the user must sign in to Wasabi. (For an experienced user, note that this password should follow the password policy settings.)

    Optionally, you can select Require Password Reset, which indicates the user must reset this credential. In this case, the user will be prompted for a new password the first time he/she signs in to Wasabi.

  6. Click NEXT.
  7. It is best practice to assign the user to a group. You can do so in two ways:

    Creating a new group by clicking CREATE A NEW GROUP (as described in Creating a Group)
    OR
    Assigning the user to a group, as described in this step.

    Click in the Add User To Group area.

  8. Start typing to find the group in which to add the user. For this example, enter “c” and find the “consultants” group. The group is displayed in the Add User To Group area, as shown below.

    You could add the user to additional groups and those groups would appear in this area.
  9. Click NEXT.
  10. Now you are ready to associate a policy with the user. You can do so in two ways:

    (Experienced Users) Select one of the predefined policies listed in the middle of the panel. Simply click on + to the right of the policy name. (Refer to Policies for a description of each policy.)
    OR
    Attach an existing policy, as described in this step.

    For this example, click in the "Attach Policy To User" area (at the top of the panel) and start to enter “con” to find the “ConsultantPolicy” policy.

  11. Click on ConsultantPolicy to add this policy for the user. Notice that the group is displayed in the “Policies that will be attached” area, as shown below. You could add additional policies and they would appear in this area. You can add a maximum of 10 policies per user.

  12. Click NEXT.
  13. Review the settings for the new user. For example:

  14. Click CREATE USER to continue. A checklist indicates that Arthur is successfully added as a new user.

  15. You could add another user at this time. But, for this exercise, close the Add User window by clicking and return to the console.

When you return to the Users panel, the new user is displayed. For example:

After creating a user, you might want to assign an access key to the user, as described below.

Assigning an Access Key

An access key is used to make programmatic calls to AWS API actions. There are two types of access keys:

  • Access Key ID
  • Secret Access Key

For your protection, you should never share your secret keys with anyone. In addition, industry best practice recommends frequent key rotation.

Access keys are used to make secure REST or Query protocol requests to the Wasabi service API. The Wasabi S3 endpoint is s3.wasabisys.com. (See also the Wasabi Knowledge Base for service URLs for different regions.) If using Cyberduck, for example as shown below, you would need to enter the appropriate keys in the “Access Key ID” and “Secret Access Key” fields. This is an example of one of many applications that can connect to the Wasabi endpoint.
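
What an S3 client does with the two values when it talks to this endpoint, as an added example that is not part of the Wasabi documentation: it builds AWS Signature Version 4 headers for a list-buckets request using only the Python standard library. The key values are constructed, and the `us-east-1` signing region is an assumption for `s3.wasabisys.com`.

```python
import datetime
import hashlib
import hmac

HOST = "s3.wasabisys.com"  # endpoint named on this page
REGION = "us-east-1"       # assumption: signing region for this endpoint
SERVICE = "s3"

def sign_list_buckets(access_key_id, secret_access_key, now):
    """Return SigV4 headers for GET / (list buckets); nothing is sent."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(b"").hexdigest()  # empty request body
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    # Canonical request: method, path, query, headers, signed header list, body hash.
    canonical_request = "\n".join([
        "GET", "/", "",
        f"host:{HOST}",
        f"x-amz-content-sha256:{payload_hash}",
        f"x-amz-date:{amz_date}",
        "", signed_headers, payload_hash,
    ])
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # The secret key only seeds an HMAC chain; it never appears in the request.
    key = ("AWS4" + secret_access_key).encode()
    for part in (date_stamp, REGION, SERVICE, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {
        "Host": HOST,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": payload_hash,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    ts = datetime.datetime(2023, 6, 26, 12, 0, 0, tzinfo=datetime.timezone.utc)
    for name, value in sign_list_buckets("CONSTRUCTEDKEYID0001", "constructed-secret", ts).items():
        print(f"{name}: {value}")
```

The Access Key ID travels in the `Authorization` header in clear text, so it identifies the user but proves nothing by itself; only the Secret Access Key can produce a valid signature, which is why it is the value to protect and rotate.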

To assign an access key and secret key to a user:

  1. On the Users panel, click on the user name (Arthur, in this example). The User panel is displayed. For example:

  2. Notice that several tools are provided at the bottom of the panel to modify the user account. Select User Access Keys.

  3. Click CREATE NEW ACCESS KEY. A unique access key for the user is displayed. For example:

    To show the Secret Key, click the Show link. For example:

    Be sure to copy these keys and store them in a safe place. Notice that two buttons are provided to conveniently download the key as a CSV file or copy the key to the clipboard (and then paste it into a file to save).

  4. After saving the keys, click X. The access key is displayed. For example:

Signing in as a New User

Now that you have created a new user, let’s log out of the root account and log in as that user.

  1. In the upper right of the window, open the account sign-in drop-down.
  2. Select the Logout option. The Wasabi login screen is displayed:

  3. Click Sign In As Subuser at the bottom left of the screen. The Sign In screen changes to the following.

  4. Enter the user account (for example, development@wasabi.com).
  5. Enter the user name (Arthur) and password.
    Note that this is the password assigned to the user (Arthur). It is not the Wasabi account password (for development@wasabi.com).
  6. Click SIGN IN. If the subuser (Arthur, in this example) is not required to reset the password, the Object Storage panel is displayed and Arthur is ready to use Wasabi.

    When the account was set up for Arthur in our example, we indicated that he would be required to reset the password when he signed in for the first time. In this case, Wasabi prompts for a new password:

    1. Enter the password assigned when the user was created. Then, enter and confirm a new password. This is the credential that will be required for future sign-ins.
    2. Click SAVE.
    3. Repeat Steps 3 through 6. After you click SIGN IN, the Object Storage panel is displayed and Arthur is ready to use Wasabi.

Objectives Met!

Sign up for Wasabi and sign in.
Work with buckets and objects.
Create a user account and access key.

You are ready to explore Wasabi Management Console Features.