IAM and STS Support With the Wasabi S3 API
- Updated on 06 Jun 2024
Wasabi supports the following subset of the AWS IAM API actions:
Supported IAM actions | | |
---|---|---|
AddUserToGroup | DeleteUser | ListEntitiesForPolicy |
AttachGroupPolicy | DeleteUserPolicy | ListGroups |
AttachRolePolicy | DeleteVirtualMFADevice | ListGroupPolicies |
AttachUserPolicy | DetachGroupPolicy | ListGroupsForUser |
ChangePassword | DetachRolePolicy | ListMFADevices |
CreateAccessKey | DetachUserPolicy | ListPolicies |
CreateAccountAlias | EnableMFADevice | ListPolicyVersions |
CreateGroup | GetAccessKeyLastUsed | ListRolePolicies |
CreateLoginProfile | GetAccountAuthorizationDetails | ListRoles |
CreatePolicy | GetAccountPasswordPolicy | ListUsers |
CreatePolicyVersion | GetAccountSummary | ListUserPolicies |
CreateRole | GetGroup | ListVirtualMFADevices |
CreateUser | GetGroupPolicy | PutGroupPolicy |
CreateVirtualMFADevice | GetLoginProfile | PutUserPolicy |
DeactivateMFADevice | GetPolicy | PutRolePolicy |
DeleteAccessKey | GetPolicyVersion | RemoveUserFromGroup |
DeleteAccountAlias | GetRole | ResyncMFADevice |
DeleteAccountPasswordPolicy | GetRolePolicy | SetDefaultPolicyVersion |
DeleteGroup | GetUser | UpdateAccessKey |
DeleteGroupPolicy | GetUserPolicy | UpdateAccountPasswordPolicy |
DeleteLoginProfile | ListAccessKeys | UpdateAssumeRolePolicy |
DeletePolicy | ListAccountAliases | UpdateLoginProfile |
DeletePolicyVersion | ListAttachedGroupPolicies | UpdateGroup |
DeleteRole | ListAttachedRolePolicies | UpdateUser |
DeleteRolePolicy | ListAttachedUserPolicies | |
Wasabi supports the following subset of the AWS STS API actions:
- AssumeRole (Note: AssumeRole supports a maximum session duration of 43200 seconds (12 hours).)
- GetCallerIdentity
- GetSessionToken
Any IAM or STS action not listed above is not supported by Wasabi. The actions listed above behave as they do in AWS unless otherwise noted.
Wasabi supports only IAM actions for version “2010-05-08” and only STS actions for version “2011-06-15”. The Version value may be omitted from the call, but if it is given, it must be exactly the value for that service.
FORM Requests
Wasabi supports the HTTP method POST with the content type “application/x-www-form-urlencoded” for IAM operations. The key/value pairs in the POST body are equivalent to the same data passed as query string parameters. An IAM request carrying more than 8000 characters of parameter data must be sent as a POST with form-encoded data.
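The following is an added example, not code from Wasabi's documentation, of building a form-encoded IAM request as described above and signing it with AWS Signature Version 4 using only the Python standard library. The endpoint (iam.wasabisys.com) and the 2010-05-08 version come from this page; the signing region ("us-east-1"), the signing service name ("iam"), and the placeholder credentials are assumptions. Carrying the parameters in the body also keeps them out of URL-based request logs, which matters for operations such as CreateLoginProfile that carry a password.

```python
import datetime as dt
import hashlib
import hmac
import urllib.parse
import urllib.request

IAM_ENDPOINT = "https://iam.wasabisys.com/"
IAM_VERSION = "2010-05-08"
# Assumed signing scope: AWS SDKs sign IAM calls as service "iam" in "us-east-1".
# This page does not state Wasabi's scope; adjust if your SDK uses another.
SIGNING_REGION = "us-east-1"
SIGNING_SERVICE = "iam"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_access_key: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: kDate -> kRegion -> kService -> kSigning."""
    key = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date)
    key = _hmac_sha256(key, region)
    key = _hmac_sha256(key, service)
    return _hmac_sha256(key, "aws4_request")


def form_body(action: str, params: dict, version: str = IAM_VERSION) -> str:
    """Form-encode the same Action/Version/parameter pairs a GET would carry in
    its query string. Keys are sorted and spaces become %20, so the body bytes
    that get hashed are stable."""
    items = sorted({"Action": action, "Version": version, **params}.items())
    return urllib.parse.urlencode(items, quote_via=urllib.parse.quote)


def signed_form_post(action: str, params: dict, access_key_id: str, secret_access_key: str,
                     *, session_token: str = None, now: dt.datetime = None) -> dict:
    """Build a SigV4-signed POST for an IAM action. The body hash is part of the
    canonical request, so the signature covers the form data."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    body = form_body(action, params)
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": urllib.parse.urlsplit(IAM_ENDPOINT).netloc,
        "x-amz-date": amz_date,
    }
    if session_token:  # temporary credentials from STS carry a session token
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    # method, URI, (empty) query string, headers, signed header list, payload hash
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date}/{SIGNING_REGION}/{SIGNING_SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    key = signing_key(secret_access_key, date, SIGNING_REGION, SIGNING_SERVICE)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {"method": "POST", "url": IAM_ENDPOINT, "headers": headers, "body": body}


def send(request: dict) -> bytes:
    """Send a prepared request (network call; not exercised offline)."""
    req = urllib.request.Request(request["url"], data=request["body"].encode("utf-8"),
                                 headers=request["headers"], method=request["method"])
    with urllib.request.urlopen(req) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed placeholder credentials; substitute your own Wasabi keys.
    req = signed_form_post("ListUsers", {"MaxItems": "100"}, "AKIAEXAMPLE", "secretEXAMPLE")
    print(req["headers"]["authorization"])
    print(req["body"])
```

Because the whole parameter set lives in the body, the same function serves large requests such as CreatePolicy with a long PolicyDocument, which the page says must be sent as a form POST once the data exceeds 8000 characters.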
Policy Compatibility
Wasabi access policies use the same definition (document format and grammar) as AWS policies. However, a policy usually cannot be copied directly from AWS to Wasabi, because policies frequently contain identifiers specific to the system, such as the account identifier and canonical IDs. Copy the policy and update every identifier to its Wasabi value.
Policy Variables
Wasabi supports the following policy variables (condition keys) in access policies:
Policy variable | Policy variable | Policy variable |
---|---|---|
aws:CurrentTime | aws:accountid (Wasabi only; see note below*) | s3:x-amz-content-sha256 |
aws:EpochTime | s3:x-amz-copy-source | s3:x-amz-grant-read |
aws:MultiFactorAuthPresent | iam:PolicyArn | s3:x-amz-grant-write |
aws:MultiFactorAuthAge | s3:authtype | s3:x-amz-grant-read-acp |
aws:principaltype | s3:delimiter | s3:x-amz-grant-write-acp |
aws:Referer | s3:max-keys | s3:x-amz-grant-full-control |
aws:SecureTransport | s3:prefix | s3:x-amz-metadata-directive |
aws:SourceIp | s3:signatureAge | s3:x-amz-server-side-encryption |
aws:UserAgent | s3:signatureversion | s3:x-amz-storage-class |
aws:userid | s3:VersionId | sts:ExternalId |
aws:username | s3:x-amz-acl | |
* AWS does not provide a variable that returns the account identifier of the current user. Wasabi adds the policy variable “aws:accountid”, which returns the account identifier of the current user.
Multi-Factor Authentication (MFA) Support
Wasabi strongly encourages the use of an MFA device for additional security on your account. Wasabi supports virtual MFA devices but not hardware MFA devices. Wasabi has been tested with Google Authenticator and Authy 2-Factor Authentication, and should work with any application that implements the open TOTP standard (RFC 6238).
System-Wide Policies
Wasabi provides some additional commonly used system-wide policies. The following are the standard system-wide policies and their meaning.
Policy | Description |
---|---|
WasabiS3FullAccess | Same as that defined by AWS, allowing full access to any AWS S3 resource. |
WasabiS3ReadOnlyAccess | Same as that defined by AWS, allowing read only access to any AWS S3 resource. |
AdministratorAccess | Same as that defined by AWS S3, allowing full administrator access to the account. |
WasabiReadOnlyAccess | Allows read only access to any account, user, and AWS S3 data in the account. This policy also allows the user to change the password and use MFA. |
WasabiWriteOnlyAccess | Allows the user to write objects to an AWS S3 bucket. |
WasabiFullAccess | Allows the user full access to AWS S3 buckets and to modify their own user IAM parameters. |
Policy Wildcard Matching
Wasabi supports these wildcard characters:
- The asterisk (*) matches zero or more characters.
- The question mark (?) matches exactly one character.
Wildcards may appear in the principal, action, resource, or condition parts of a policy statement. They may be used anywhere in a string, but a wildcard may not match across the colon (:) separator of an ARN. Prefixing the asterisk (*) or question mark (?) with a backslash (\) removes its wildcard meaning and forces a match against the literal character.
When a policy ARN for an IAM resource or principal is matched against an entity whose ARN contains a path, the policy ARN may be written with or without the path: a policy ARN with no path matches the entity regardless of its path, whereas a policy ARN that does include a path must match the entity's path.
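A reference implementation of the matching rules just stated, as an added example (not Wasabi's matching code): zero-or-more and single-character wildcards, backslash escaping, no matching across the ARN colon separator, and the path-optional rule for IAM entities. The six-field ARN layout (arn:partition:service:region:account:resource) is the standard ARN format and is an assumption about how Wasabi splits ARNs; the sample ARNs are constructed.

```python
def glob_match(pattern: str, text: str) -> bool:
    """Match text against a policy wildcard pattern: '*' matches zero or more
    characters, '?' exactly one, a backslash escapes the next character, and
    neither wildcard may consume ':' (the ARN field separator)."""
    p = t = 0
    star_p = star_t = -1  # last '*' seen, and the text index its match restarts from
    while t < len(text):
        if p < len(pattern) and pattern[p] == "\\" and p + 1 < len(pattern):
            if pattern[p + 1] == text[t]:  # escaped literal
                p += 2
                t += 1
                continue
        elif p < len(pattern) and pattern[p] == "?":
            if text[t] != ":":
                p += 1
                t += 1
                continue
        elif p < len(pattern) and pattern[p] == "*":
            star_p, star_t = p, t
            p += 1
            continue
        elif p < len(pattern) and pattern[p] == text[t]:
            p += 1
            t += 1
            continue
        # Mismatch: let the most recent '*' absorb one more character, unless
        # that character is ':' (wildcards may not cross the separator).
        if star_p == -1 or text[star_t] == ":":
            return False
        star_t += 1
        p, t = star_p + 1, star_t
    while p < len(pattern) and pattern[p] == "*":  # trailing stars match empty
        p += 1
    return p == len(pattern)


def match_arn(pattern: str, arn: str) -> bool:
    """Match an ARN against a policy ARN field by field. Splitting on the first
    five colons keeps any colon inside the resource part, and glob_match
    refuses to match across colons anyway."""
    pp, ap = pattern.split(":", 5), arn.split(":", 5)
    if len(pp) != 6 or len(ap) != 6:
        return False
    if not all(glob_match(p, a) for p, a in zip(pp[:5], ap[:5])):
        return False
    p_res, a_res = pp[5], ap[5]
    if glob_match(p_res, a_res):
        return True
    # IAM entities may carry a path (user/team/alice). A policy ARN without a
    # path matches on type and name only; one with a path must match the path.
    if ap[2] == "iam" and "/" in p_res and "/" in a_res:
        p_type, p_name = p_res.split("/", 1)
        a_type, a_path = a_res.split("/", 1)
        if "/" not in p_name:
            return glob_match(p_type, a_type) and glob_match(p_name, a_path.rsplit("/", 1)[-1])
    return False


if __name__ == "__main__":
    # Constructed ARNs illustrating each rule.
    cases = [
        ("arn:aws:s3:::my-bucket/*", "arn:aws:s3:::my-bucket/logs/2024.txt"),
        ("arn:aws:s3:*", "arn:aws:s3:::my-bucket"),  # '*' cannot cross ':'
        ("arn:aws:iam::100000000100:user/alice", "arn:aws:iam::100000000100:user/team/alice"),
        ("arn:aws:iam::100000000100:user/ops/alice", "arn:aws:iam::100000000100:user/team/alice"),
    ]
    for pat, arn in cases:
        print(f"{pat!r} vs {arn!r}: {match_arn(pat, arn)}")
```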
Temporary Access Keys
As with AWS, Wasabi supports both permanent and temporary access credentials. Wasabi provides the action “CreateTemporaryAccessCredentials” to create temporary access credentials. Unlike other IAM actions, this request is not signed with access credentials, because its purpose is to obtain credentials from the user's password. It must therefore be sent over a secure HTTPS connection.
The action takes the following input parameters:
Parameter | Description |
---|---|
Account | A string that identifies the account using the account ID (with or without hyphens), account name (usually the email), or account alias. This parameter must be provided. |
UserName | A string that identifies the user within the account. If no value is given, the user is assumed to be the root user for the account. |
Password | A string that provides the password for the given user. |
MFAToken | A string that provides the MFA token from the MFA device to authenticate the request when the user is required to use multi-factor authentication. This value may be omitted if no MFA token is required for the user. The authentication credentials retain the MFA authorization and can be used to avoid MFA authorization in other operations such as deleting objects. |
Expires | An integer that provides the number of seconds until the access key expires. The maximum allowed is 129600 (which is 36 hours). If no value is provided, the default expiration time is 12 hours. |
SecurityToken | A string that provides the security token to be used with the credentials. AWS S3 allows an optional security token that functions like a password to be used with the access key. If not provided, no security token is associated with the access keys. |
The action returns in an XML body the access key ID, create time, expiration time, and the secret key for the access credential.
Below is an example call to the action “CreateTemporaryAccessCredentials”:
GET https://iam.wasabisys.com/?Action=CreateTemporaryAccessCredentials&AccountId=100000000100&UserName=test-user&Password=my-password HTTP/1.1
Response body:
<CreateTemporaryAccessCredentialsResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <CreateTemporaryAccessCredentialsResult>
    <AccessKey>
      <AccessKeyId>AITXP7RW3QXQPXJ0XC9A</AccessKeyId>
      <CreateDate>2017-06-07T16:39:11.274Z</CreateDate>
      <Expires>2017-06-08T04:39:11.273Z</Expires>
      <SecretAccessKey>pKSYVSDH2aac1LVE8m4a6L070NA0Mz0nTqWHzD2F</SecretAccessKey>
    </AccessKey>
    <User>
      <Path>/</Path>
      <PasswordLastUsed>2017-06-07T16:38:48.000Z</PasswordLastUsed>
      <Arn>arn:aws:iam::100000000103:root</Arn>
      <UserId>ADC37066E05B318487B6AEF5542E9C78FACC77A67CAD6B2FDC3990C430D15591</UserId>
      <CreateDate>2017-06-07T16:38:48.000Z</CreateDate>
    </User>
    <LoginProfile>
      <UserName />
      <CreateDate>2017-06-07T16:38:48.000Z</CreateDate>
      <PasswordResetRequired>false</PasswordResetRequired>
    </LoginProfile>
    <AccountPlan>
      <BillingPlanName>trial-premium</BillingPlanName>
      <Standing>ok</Standing>
    </AccountPlan>
  </CreateTemporaryAccessCredentialsResult>
  <ResponseMetadata>
    <RequestId>08a3add0-7ebc-903c-a9c6-23dccfeef920</RequestId>
  </ResponseMetadata>
</CreateTemporaryAccessCredentialsResponse>
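The following added example (not from Wasabi) ties the MFA and temporary-credential sections together in Python: it computes a TOTP code the way a virtual MFA app does, builds the CreateTemporaryAccessCredentials request as a form POST instead of the GET shown above (the FORM Requests section says IAM operations accept form POSTs, and a POST keeps the password out of the URL), and parses the response into a credential object that tracks its expiry. The account parameter is sent as “Account”, matching the parameter table, while the sample request above uses “AccountId”; confirm which name your endpoint accepts. The TOTP seed (the RFC 6238 reference secret) and the password are constructed placeholders, and the sample response is the body shown above.

```python
import base64
import datetime as dt
import hashlib
import hmac
import struct
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

IAM_ENDPOINT = "https://iam.wasabisys.com/"
NS = {"iam": "https://iam.amazonaws.com/doc/2010-05-08/"}
MAX_EXPIRES = 129600      # 36 hours, the maximum stated above
DEFAULT_EXPIRES = 43200   # 12 hours, the stated default


def totp(secret_base32: str, for_time: Optional[int] = None, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as virtual MFA apps compute it from the seed
    shown when the device is enabled."""
    padded = secret_base32.upper() + "=" * (-len(secret_base32) % 8)
    key = base64.b32decode(padded)
    counter = int(time.time() if for_time is None else for_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def temp_credentials_request(account: str, password: str, user_name: str = "",
                             mfa_token: str = "", expires: int = DEFAULT_EXPIRES) -> urllib.request.Request:
    """Form-encoded POST for CreateTemporaryAccessCredentials. The request is
    unsigned and carries the password, so it goes in the body over HTTPS."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError(f"Expires must be between 1 and {MAX_EXPIRES} seconds")
    # "Account" follows the parameter table; the page's sample GET uses "AccountId".
    params = {"Action": "CreateTemporaryAccessCredentials", "Account": account,
              "Password": password, "Expires": str(expires)}
    if user_name:          # omitted: the account root user
        params["UserName"] = user_name
    if mfa_token:          # omitted: the user has no MFA requirement
        params["MFAToken"] = mfa_token
    return urllib.request.Request(
        IAM_ENDPOINT, data=urllib.parse.urlencode(params).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


@dataclass
class TempCredentials:
    access_key_id: str
    secret_access_key: str
    expires: dt.datetime

    def seconds_left(self, now: Optional[dt.datetime] = None) -> float:
        now = now or dt.datetime.now(dt.timezone.utc)
        return (self.expires - now).total_seconds()


def parse_temp_credentials(xml_text: str) -> TempCredentials:
    """Pull the AccessKey element out of the response; fail loudly when the body
    is an error document rather than a credential."""
    root = ET.fromstring(xml_text)
    key = root.find("iam:CreateTemporaryAccessCredentialsResult/iam:AccessKey", NS)
    if key is None:
        raise ValueError("response carries no AccessKey element")

    def field(tag: str) -> str:
        el = key.find(f"iam:{tag}", NS)
        if el is None or not el.text:
            raise ValueError(f"missing {tag}")
        return el.text

    expires = dt.datetime.strptime(field("Expires"), "%Y-%m-%dT%H:%M:%S.%fZ")
    return TempCredentials(field("AccessKeyId"), field("SecretAccessKey"),
                           expires.replace(tzinfo=dt.timezone.utc))


# Constructed sample input: the response body shown above, trimmed to the AccessKey.
SAMPLE_RESPONSE = """<CreateTemporaryAccessCredentialsResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <CreateTemporaryAccessCredentialsResult>
    <AccessKey>
      <AccessKeyId>AITXP7RW3QXQPXJ0XC9A</AccessKeyId>
      <CreateDate>2017-06-07T16:39:11.274Z</CreateDate>
      <Expires>2017-06-08T04:39:11.273Z</Expires>
      <SecretAccessKey>pKSYVSDH2aac1LVE8m4a6L070NA0Mz0nTqWHzD2F</SecretAccessKey>
    </AccessKey>
  </CreateTemporaryAccessCredentialsResult>
</CreateTemporaryAccessCredentialsResponse>"""

if __name__ == "__main__":
    code = totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # constructed seed
    req = temp_credentials_request("100000000100", "my-password", "test-user", code, 3600)
    print(req.get_method(), req.full_url, req.data)
    creds = parse_temp_credentials(SAMPLE_RESPONSE)
    print(creds.access_key_id, "expires in", creds.seconds_left(), "seconds")
```

Sending the request (urllib.request.urlopen(req)) returns the XML body; the MFA code must be fresh when the request is sent, so compute it immediately before posting.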
Change Password for Root User
Wasabi allows the root user to change the password using the action “ChangePassword”. The access credentials that sign the request identify the user, which may be the account root user.
Create User Allows Setting Password
Wasabi allows the user password to be set with the action “CreateUser”. The caller can provide the additional parameters “Password” and “PasswordResetRequired”, which are the same as given for the “SetLoginProfile” action.
Getting User MFA Status
Wasabi returns more data about MFA status for an access key with the additional action “GetUserMFA”. The response includes the MFA device data for the user who owns the access key, plus the date at which the credentials were MFA-authenticated and the age (in seconds) of that authentication. The action may also be called for roles, in which case only the authentication date and age are returned. Below is an example call and response for the “GetUserMFA” action:
GET https://iam.wasabisys.com/?Action=GetUserMFA&UserName=user1
Response body:
<GetUserMFAResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <GetUserMFAResult>
    <UserName>user1</UserName>
    <SerialNumber>arn:aws:iam::100000113772:mfa/user1-45104489812</SerialNumber>
    <CreateDate>2020-02-10T11:59:47.000Z</CreateDate>
    <EnableDate>2020-02-10T12:01:02.000Z</EnableDate>
    <AuthenticateDate>2020-02-10T12:23:03.000Z</AuthenticateDate>
    <AuthenticateAge>638</AuthenticateAge>
  </GetUserMFAResult>
  <ResponseMetadata>
    <RequestId>9bbb7eae-4432-9f33-3fd9-fdb0556d3eca</RequestId>
  </ResponseMetadata>
</GetUserMFAResponse>
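As an added example (not Wasabi code), a Python parser for the GetUserMFA response that handles the role case, where only the authentication date and age are present, and exposes an age check that fails closed when the credentials were never MFA-authenticated. The user response is the body shown above; the role response is constructed from the description above.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

NS = {"iam": "https://iam.amazonaws.com/doc/2010-05-08/"}


@dataclass
class MFAStatus:
    user_name: Optional[str]
    serial_number: Optional[str]     # absent when the caller is a role
    enable_date: Optional[str]
    authenticate_date: Optional[str]
    authenticate_age: Optional[int]  # seconds since the credentials passed MFA

    @property
    def device_enabled(self) -> bool:
        return self.serial_number is not None and self.enable_date is not None

    def authenticated_within(self, max_age_seconds: int) -> bool:
        """True only if the credentials were MFA-authenticated at all and recently
        enough; a missing age never passes, so callers fail closed."""
        return self.authenticate_age is not None and self.authenticate_age <= max_age_seconds


def parse_get_user_mfa(xml_text: str) -> MFAStatus:
    root = ET.fromstring(xml_text)  # prefer defusedxml for bodies you do not trust
    result = root.find("iam:GetUserMFAResult", NS)
    if result is None:
        raise ValueError("not a GetUserMFAResponse")

    def optional(tag: str) -> Optional[str]:
        el = result.find(f"iam:{tag}", NS)
        return el.text if el is not None and el.text else None

    age = optional("AuthenticateAge")
    return MFAStatus(optional("UserName"), optional("SerialNumber"), optional("EnableDate"),
                     optional("AuthenticateDate"), int(age) if age is not None else None)


# The response body shown above.
USER_RESPONSE = """<GetUserMFAResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <GetUserMFAResult>
    <UserName>user1</UserName>
    <SerialNumber>arn:aws:iam::100000113772:mfa/user1-45104489812</SerialNumber>
    <CreateDate>2020-02-10T11:59:47.000Z</CreateDate>
    <EnableDate>2020-02-10T12:01:02.000Z</EnableDate>
    <AuthenticateDate>2020-02-10T12:23:03.000Z</AuthenticateDate>
    <AuthenticateAge>638</AuthenticateAge>
  </GetUserMFAResult>
</GetUserMFAResponse>"""

# Constructed: a role's response per the note above (authentication date and age only).
ROLE_RESPONSE = """<GetUserMFAResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <GetUserMFAResult>
    <AuthenticateDate>2020-02-10T12:23:03.000Z</AuthenticateDate>
    <AuthenticateAge>638</AuthenticateAge>
  </GetUserMFAResult>
</GetUserMFAResponse>"""

if __name__ == "__main__":
    for body in (USER_RESPONSE, ROLE_RESPONSE):
        status = parse_get_user_mfa(body)
        print(status.user_name, status.device_enabled, status.authenticated_within(900))
```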
Listing All Access Keys for Account
Wasabi extends the action “ListAccessKeys” to list all the access keys for the account. If the UserName parameter is an asterisk (*), access keys are returned for all users in the account, including the root user. The UserName value returned for the root user is blank.
Validating Policies
Wasabi supports the action “ValidatePolicy” to debug and test IAM policies. The action returns error information about any problems in the policy, such as incorrect structure and unrecognized identifiers. If the policy contains no errors, the system evaluates it and returns ALLOW, DENY, or no status. The evaluation assumes the principal (account, user, or role) that signed the request.
The action takes the following input parameters:
Parameter | Description |
---|---|
PolicyDocument | The text of the policy document to evaluate. The text should be formatted as JSON. |
IsPrincipal | The Boolean value “true” if this policy applies to a principal (a user, role, or group). Otherwise, the policy is assumed to apply to a specific resource (most often a bucket). AWS distinguishes these two types of policies (identity-based and resource-based). |
UseAction | The string giving the action for evaluating the policy. Example actions include s3:PutObject and iam:ChangePassword. |
UseResource | The string giving the resource for evaluating the policy. Note that the resource should be expressed as an ARN (for example, arn:aws:s3:::my-bucket/my-object). |
UseService | The service associated with the request: iam, sts, or s3. The default is iam. |
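The added Python example below (not Wasabi code) serves the Policy Compatibility, Policy Variables, and Validating Policies sections together: it copies an AWS-style bucket policy while rewriting account identifiers to Wasabi values and flagging canonical user IDs for manual lookup, runs a few local structural checks of the kind ValidatePolicy reports, and assembles the ValidatePolicy parameters from the table above. The policy, the AWS account ID, the Wasabi account ID, and the canonical ID are constructed; the structural checks are a local approximation, not Wasabi's policy grammar; the resulting parameters still have to be signed and sent as described in the FORM Requests section.

```python
import json
import re
from typing import Any, Dict, List, Tuple

IAM_VERSION = "2010-05-08"
VALID_SERVICES = {"iam", "sts", "s3"}
# ARNs that embed an account ID: arn:aws:<service>:<region>:<12 digits>:<rest>
ARN_WITH_ACCOUNT = re.compile(r"^(arn:aws:[a-z0-9-]*:[a-z0-9-]*:)(\d{12})(:.*)$")


def port_policy(policy: Dict[str, Any], account_map: Dict[str, str]) -> Tuple[Dict[str, Any], List[str]]:
    """Return a copy of the policy with AWS account IDs (inside ARNs and as bare
    "AWS" principals) rewritten to Wasabi values, plus the identifiers that need
    manual work: canonical user IDs and accounts missing from the map."""
    review: List[str] = []

    def walk(node: Any, key: str = "") -> Any:
        if isinstance(node, dict):
            return {k: walk(v, k) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v, key) for v in node]
        if not isinstance(node, str):
            return node
        m = ARN_WITH_ACCOUNT.match(node)
        if m:
            if m.group(2) in account_map:
                return m.group(1) + account_map[m.group(2)] + m.group(3)
            review.append(node)
        elif key == "AWS" and node in account_map:
            return account_map[node]
        elif key == "CanonicalUser":
            review.append(node)  # canonical IDs are system-specific; look up the Wasabi one
        return node

    return walk(policy), review


def structure_errors(policy: Dict[str, Any], is_principal: bool) -> List[str]:
    """Local checks for a few structural mistakes before spending a ValidatePolicy
    round trip. A small subset only, not Wasabi's policy grammar."""
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return ["Statement must be a non-empty list"]
    errors: List[str] = []
    for i, st in enumerate(statements):
        if st.get("Effect") not in ("Allow", "Deny"):
            errors.append(f"Statement[{i}]: Effect must be Allow or Deny")
        if "Action" not in st and "NotAction" not in st:
            errors.append(f"Statement[{i}]: missing Action")
        has_principal = "Principal" in st or "NotPrincipal" in st
        if is_principal and has_principal:
            errors.append(f"Statement[{i}]: identity policies must not name a Principal")
        if not is_principal and not has_principal:
            errors.append(f"Statement[{i}]: resource policies must name a Principal")
    return errors


def validate_policy_params(policy: Dict[str, Any], is_principal: bool, use_action: str,
                           use_resource: str, use_service: str = "iam") -> Dict[str, str]:
    """Form parameters for ValidatePolicy, following the parameter table above."""
    if use_service not in VALID_SERVICES:
        raise ValueError(f"UseService must be one of {sorted(VALID_SERVICES)}")
    if not use_resource.startswith("arn:"):
        raise ValueError("UseResource must be an ARN such as arn:aws:s3:::my-bucket/my-object")
    if ":" not in use_action:
        raise ValueError("UseAction must look like s3:PutObject or iam:ChangePassword")
    return {
        "Action": "ValidatePolicy", "Version": IAM_VERSION,
        "PolicyDocument": json.dumps(policy, separators=(",", ":")),
        "IsPrincipal": "true" if is_principal else "false",
        "UseAction": use_action, "UseResource": use_resource, "UseService": use_service,
    }


# Constructed AWS-style bucket policy: an account-bearing ARN and a canonical ID to
# translate, plus aws:SecureTransport and aws:MultiFactorAuthPresent conditions.
AWS_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/backup"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::my-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
        {"Effect": "Deny",
         "Principal": {"CanonicalUser": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"},
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::my-bucket/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

if __name__ == "__main__":
    ported, review = port_policy(AWS_BUCKET_POLICY, {"123456789012": "100000000100"})
    print("needs manual review:", review)
    print("structure errors:", structure_errors(ported, is_principal=False))
    print(validate_policy_params(ported, False, "s3:GetObject", "arn:aws:s3:::my-bucket/my-object", "s3"))
```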