IAM and STS Support
  • 02 Feb 2023
  • PDF

IAM and STS Support

  • PDF

Wasabi supports the following subset of the AWS S3 IAM:

AddUserToGroupDeleteUserListEntitiesForPolicy
AttachGroupPolicyDeleteUserPolicyListGroups
AttachRolePolicyDeletetVirtualMFADeviceListGroupPolicies
AttachUserPolicyDetachGroupPolicyListGroupsForUser
ChangePasswordDetachRolePolicyListMFADevices
CreateAccessKeyDetachUserPolicyListPolicies
CreateAccountAliasEnableMFADeviceListPolicyVersions
CreateGroupGetAccessKeyLastUsedListRolePolicies
CreateLoginProfileGetAccountAuthorizationDetailsListRoles
CreatePolicyGetAccountPasswordPolicyListUsers
CreatePolicyVersionGetAccountSummaryListUserPolicies
CreateRoleGetGroupListVirtualMFADevices
CreateUserGetGroupPolicyPutGroupPolicy
CreateVirtualMFADeviceGetLoginProfilePutUserPolicy
DeactivateMFADeviceGetPolicyPutRolePolicy
DeleteAccessKeyGetPolicyVersionRemoveUserFromGroup
DeleteAccountAliasGetRoleResyncMFADevice
DeleteAccountPasswordPolicyGetRolePolicySetDefaultPolicyVersion
DeleteGroupGetUserUpdateAccessKey
DeleteGroupPolicyGetUserPolicyUpdateAccountPasswordPolicy
DeleteLoginProfileListAccessKeysUpateAssumeRolePolicy
DeletePolicyListAccountAliasesUpdateLoginProfile
DeletePolicyVersionListAttachedGroupPoliciesUpdateGroup
DeleteRoleListAttachedRolePoliciesUpdateUser
DeleteRolePolicyListAttachedUserPolicies

Wasabi supports the following subset of the AWS S3 STS.

  • AssumeRole (Note: AssumeRole supports maximum session duration as 43200 secs (12 hrs).)
  • GetCallerIdentity
  • GetSessionToken

All other actions in AWS S3 not listed are not support by Wasabi. All actions listed above are supported fully compatible with AWS S3 unless otherwise noted.

Wasabi supports only IAM actions for version “2010-05-08”. The version value may be omitted from the call as well but, if given, it must be “2010-05-08”. Wasabi supports only STS actions for version “2011-06-15”. The version value may be omitted from the call as well but, if given, it must be “2011-06-15”.

FORM Requests

Wasabi supports the use of the HTTP method POST with the content type “application/x-www-form-urlencoded” for IAM operations. The key/value data in the POST body is equivalent to using the data as query string parameters. For IAM requests with over 8000 characters of data, the request must be provided as a POST using the form encoded data.

Policy Compatibility

Wasabi supports access policies that are compatible with AWS S3 in definition. However, policies usually cannot be copied directly from AWS S3 to Wasabi because the policies frequently contain identifiers specific to the system (such as the account identifier and canonical IDs). The policy can be copied and all identifiers updated to their specific Wasabi values.

Policy Variables

Wasabi supports the following policy variables used in access policies:

aws:CurrentTimeaws:accountid (Wasabi feature only; see details below*)s3:x-amz-content-sha256
aws:EpochTimes3:x-amz-copy-source
aws: MultiFactorAuthPresentiam:PolicyArns3:x-amz-grant-read
aws: MultiFactorAuthAges3:authtypes3:x-amz-grant-write
aws:principaltypes3:delimiters3:x-amz-grant-read-acp
aws:Referers3:max-keyss3:x-amz-grant-write-acp
aws:SecureTransports3:prefixs3:x-amz-grant-full-control
aws:SourceIps3:signatureAges3:x-amz-metadata-directive
aws:UserAgents3:signatureversions3:x-amz-server-side-encryption
aws:userids3:VersionIds3:x-amz-storage-class
aws:usernames3:x-amz-aclsts:ExternalId

* AWS S3 does not support a variable to return the account identification for the current users. Wasabi supports the additional policy variable “aws:accountid”, which returns the account identification for the current user.

Multi-Factor Authentication (MFA) Support

Wasabi strongly encourages the use of an MFA device for additional security on your account. Wasabi supports virtual MFA devices, but not hardware MFA devices. Wasabi has been tested with Google Authenticator and Authy 2-Factor Authentication. However, Wasabi should operate with any application that supports the open TOTP standard.

System-Wide Policies

Wasabi provides some additional commonly used system-wide policies. The following are the standard system-wide policies and their meaning.

PolicyDescription
WasabiS3FullAccessSame as that defined by AWS, allowing full access to any AWS S3 resource.
WasabiS3ReadOnlyAccessSame as that defined by AWS, allowing read only access to any AWS S3 resource.
AdministratorAccessSame as that defined by AWS S3, allowing full administrator access to the account.
WasabiReadOnlyAccessAllows read only access to any account, user, and AWS S3 data in the account. This policy also allows the user to change the password and use MFA.
WasabiWriteOnlyAccessAllows the user to write objects to an AWS S3 bucket.
WasabiFullAccessAllows the user full access to AWS S3 buckets and to modify their own user IAM parameters.

Policy Wildcard Matching

Wasabi supports these wildcard characters:

* can match zero or more characters.
? matches any one character.

Wildcards can match in the principal, action, resource, or conditions parts of the policy statement. These characters may be used anywhere in a string, but may not cross the colon (:) separator in an ARN. Prefixing the asterisk (*) and question mark (?) with a backslash (\) overrides the wildcard meaning of the characters and forces a match to the literal character.

When matching an ARN for an IAM resource or principal containing a path, matching is allowed either with or without the path given. However, if the policy ARN name contains a path, it must match the entity path.

Temporary Access Keys

Similar to AWS S3, Wasabi supports both permanent and temporary access credentials. Wasabi provides the action “CreateTemporaryAccessCredentials” for creation of temporary access credentials. Unlike other IAM actions, this action is not signed by credentials since it is used to obtain temporary credentials based on the user password. However, it must be protected using a secure HTTPS connection.

The action takes the following input parameters:

ParameterDescription
AccountA string that identifies the account using the account ID (with or without hyphens), account name (usually the email), or account alias. This parameter must be provided.
UserNameA string that identifies the user within the account. If no value is given, the user is assumed to be the root user for the account.
PasswordA string that provides the password for the given user.
MFATokenA string that provides the MFA token from the MFA device to authenticate the request when the user is required to use multi-factor authentication. This value may be omitted if no MFA token is required for the user. The authentication credentials retain the MFA authorization and can be used to avoid MFA authorization in other operations such as deleting objects.
ExpiresAn integer that provides the number of seconds until the access key expires. The maximum allowed is 129600 (which is 36 hours). If no value is provided, the default expiration time is 12 hours.
SecurityTokenA string that provides the security token to be used with the credentials. AWS S3 allows an optional security token that functions like a password to be used with the access key. If not provided, no security token is associated with the access keys.

The action returns in an XML body the access key ID, create time, expiration time, and the secret key for the access credential.

Below is an example call to the action “CreateTemporaryAccessCredentials”:

GET https://iam.wasabisys.com/

?Action=CreateTemporaryAccessCredentials&AccountId=100000000100
&UserName=test-user&Password=my-passwordHTTP/1.1

Response body:

<CreateTemporaryAccessCredentialsResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">   

     <CreateTemporaryAccessCredentialsResult>
     <AccessKey>
     <AccessKeyId>AITXP7RW3QXQPXJ0XC9A</AccessKeyId>
     <CreateDate>2017-06-07T16:39:11.274Z</CreateDate>
     <Expires>2017-06-08T04:39:11.273Z</Expires>
     <SecretAccessKey>pKSYVSDH2aac1LVE8m4a6L070NA0Mz0nTqWHzD2F</SecretAccessKey>
     </AccessKey>
     <User>
     <Path>/</Path>
     <PasswordLastUsed>2017-06-07T16:38:48.000Z</PasswordLastUsed>
     <Arn>arn:aws:iam::100000000103:root</Arn>
     <UserId>ADC37066E05B318487B6AEF5542E9C78FACC77A67CAD6B2FDC3990C430D15591</UserId>
     <CreateDate>2017-06-07T16:38:48.000Z</CreateDate>
     </User>
     <LoginProfile>
     <UserName />
     <CreateDate>2017-06-07T16:38:48.000Z</CreateDate>
     <PasswordResetRequired>false</PasswordResetRequired>
     </LoginProfile>
     <AccountPlan>
     <BillingPlanName>trial-premium</BillingPlanName>
     <Standing>ok</Standing>
     </AccountPlan>
     </CreateTemporaryAccessCredentialsResult>
     <ResponseMetadata>
     <RequestId>08a3add0-7ebc-903c-a9c6-23dccfeef920</RequestId>
     </ResponseMetadata>
</CreateTemporaryAccessCredentialsResponse>

Change Password for Root User

Wasabi allows the root user to change the password using the action “ChangePassword”. The access credentials identify the user and may include the account root user.

Create User Allows Setting Password

Wasabi allows the user password to be set with the action “CreateUser”. The caller can provide the additional parameters “Password” and “PasswordResetRequired”, which are the same as given for the “SetLoginProfile” action.

Getting User MFA Status

Wasabi returns more data about MFA status for an access key with the new action “GetUserMFA”. The response data includes the MFA device data for the access key including the MFA device data for the user and the authorization date and age (in seconds) of the credentials. Note that the action may be called for roles in which case only the authorization date and age are returned. Below is an example call and response for the “GetUserMFA” action:

GET https://iam.wasabisys.com/?Action=GetUserMFA&UserName=user1

Response body:

<GetUserMFAResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
     <GetUserMFAResult>
     <UserName>user1</UserName>
     <SerialNumber>arn:aws:iam::100000113772:mfa/user1-45104489812</SerialNumber>
     <CreateDate>2020-02-10T11:59:47.000Z</CreateDate>
     <EnableDate>2020-02-10T12:01:02.000Z</EnableDate>
     <AuthenticateDate>2020-02-10T12:23:03.000Z</AuthenticateDate>
     <AuthenticateAge>638</AuthenticateAge>
     </GetUserMFAResult>
     <ResponseMetadata>
     <RequestId>9bbb7eae-4432-9f33-3fd9-fdb0556d3eca</RequestId>
     </ResponseMetadata>
</GetUserMFAResponse>

Feature: Listing All Access Keys for Account

Wasabi allows the action “ListAccessKeys” to list all the access keys for the given account. If the username parameter is an asterisk (*), access keys are given for all the users, including the root user, in the account. The returned value of the username for the root user is blank.

Validating Policies

Wasabi supports the action “ValidatePolicy” to debug and test IAM policies. The action will return error information about any problems in the policy, such as incorrect structure and unrecognized identifiers. If there are no errors in the policy, the system will evaluate the policy for either an ALLOW, DENY, or no return status. The evaluation is done assuming the principal (account, user, or role) that signed the request.

The action takes the following input parameters:

ParameterDescription

PolicyDocument

The text of the policy document to evaluate. The text should be formatted as JSON.

IsPrincipal

The Boolean value “true” if this policy is applied to a principle element (a user, role, or group). Otherwise, the policy is assumed to apply to a specific resource (most often a bucket). AWS S3 differentiates from these two types of policies.

UseAction

The string giving the action for evaluating the policy. Example actions include s3:PutObject and iam:ChangePassword.

UseResource

The string giving the resource for evaluating the policy. Note that the resource should be expressed as an ARN (for example, arn:aws:s3:::my-bucket/my-object).

UseService

The service associated with the request: iam, sts, or s3. The default is iam.



Was this article helpful?