How do I create a sub-user with Console access and Access and Secret Keys?
    • 28 Aug 2024
    • 3 Minutes to read
    • PDF

    How do I create a sub-user with Console access and Access and Secret Keys?

    • PDF

    Article summary

    If you are the root user on an account, it is not a good practice to use your root account for general access to buckets. Creating a sub-user for this activity is recommended. Also, if you have other people that you want to have access the buckets but do not want to share the root access/secret key pair, you want to create a sub-user or sub-users for them. Then you can also create a separate access key/secret key pair for each sub-user for them to access the system and grant them console access too. 

    Here are the steps. 

    1. First, from the Wasabi Management Console at https://console.wasabisys.com/, log in as your ROOT user.

    2. From the Left Frame, choose the Users Icon

    3. From the Users Menu, choose the CREATE USER button

    4. Give your user a name and select the Console box to allow them to log into the console and Programmatic (create API key) for a key to be generated for whatever application they'll use. Put in the password you want them to use (you can check the box to have them change the password to something they choose if you like) 

    5. When prompted you can add this user to a Group (if you intend to set up others with similar privileges, for instance), or you can skip this. You may always go back and create and assign groups later. We will skip this for now, just hit NEXT to continue. 

    6. Next you will select one of the preconfigured Policies for this user. There are a number of preconfigured policies that you can choose from. Choose from one of these:

    • AmazonS3Full Access—Gives full access to all S3 resources, but no IAM access.

    • AmazonS3ReadOnlyAccess—Gives just the Get and List permissions on any S3 resource/bucket, but no IAM access.

    • AdministratorAccess—Gives full access to all resources (IAM and S3) with no limitation whatsoever.

    • WasabiReadOnlyAccess—Gives just the Get and List permissions to all S3 resources and login permis­sions to users.

    • WasabiWriteOnlyAccess—Gives just the Put and MultipartAbort permissions to all S3 resources, but no IAM access. The user cannot sign in with just this policy attached.

    • WasabiFullAccess—Gives full permissions to all S3 resources and sign in permissions to users.

    • WasabiAdministratorAccess—Gives full access to all resources (IAM and S3) with no limitation whatso­ever. This is similar to AdministratorAccess, above.

    • IAMUserChangePassword—Gives the user permission to change his/her password upon initial sign in.

    • WasabiViewBillingAccess—Gives the user permission to view the billing access portal.

    • WasabiModifyBillingAccess—Gives the user permission to modify the billing access portal.

    Give them WasabiAdministratorAccess if you want to give them full access including creating/deleting users and policies and press RETURN: 

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        }
      ]
    }

    • When you are ready, you should see the user along with the Groups and the Policies that are associated with that account: 

      Click the CREATE USER button to continue.

    • When complete, you'll see a box that looks like this showing the Access Key. Make sure you get a copy of both the Access Key AND the Secret Key. If you don't record it here, you cannot obtain it elsewhere. You can always generate a new key pair, but save it here to make sure you have both of these keys.  

    • Now, to get into the console, the user will go to the same https://console.wasabisys.com to log in. But...be sure that they select Sign in as a sub-user:

    That login screen is SLIGHTLY different. They'll enter the root login ID in the first line, but then they'll enter THEIR subuser login id in the second line and THEIR password.

    It will look something like this:

    The rest will look like any other console session. 

    Depending on the Application you are using, you will use the access key/secret key pair to authenticate yourself. As a test, use Wasabi Explorer (How do I use Wasabi Explorer for Windows with Wasabi?) to make sure you can log in with the keys and see any buckets, make new ones, or copy objects up/down.