IAM and STS Support
    • 02 Feb 2023

    Wasabi supports the following subset of the AWS S3 IAM:

    • AddUserToGroup
    • AttachGroupPolicy
    • AttachRolePolicy
    • AttachUserPolicy
    • ChangePassword
    • CreateAccessKey
    • CreateAccountAlias
    • CreateGroup
    • CreateLoginProfile
    • CreatePolicy
    • CreatePolicyVersion
    • CreateRole
    • CreateUser
    • CreateVirtualMFADevice
    • DeactivateMFADevice
    • DeleteAccessKey
    • DeleteAccountAlias
    • DeleteAccountPasswordPolicy
    • DeleteGroup
    • DeleteGroupPolicy
    • DeleteLoginProfile
    • DeletePolicy
    • DeletePolicyVersion
    • DeleteRole
    • DeleteRolePolicy
    • DeleteUser
    • DeleteUserPolicy
    • DeleteVirtualMFADevice
    • DetachGroupPolicy
    • DetachRolePolicy
    • DetachUserPolicy
    • EnableMFADevice
    • GetAccessKeyLastUsed
    • GetAccountAuthorizationDetails
    • GetAccountPasswordPolicy
    • GetAccountSummary
    • GetGroup
    • GetGroupPolicy
    • GetLoginProfile
    • GetPolicy
    • GetPolicyVersion
    • GetRole
    • GetRolePolicy
    • GetUser
    • GetUserPolicy
    • ListAccessKeys
    • ListAccountAliases
    • ListAttachedGroupPolicies
    • ListAttachedRolePolicies
    • ListAttachedUserPolicies
    • ListEntitiesForPolicy
    • ListGroups
    • ListGroupPolicies
    • ListGroupsForUser
    • ListMFADevices
    • ListPolicies
    • ListPolicyVersions
    • ListRolePolicies
    • ListRoles
    • ListUsers
    • ListUserPolicies
    • ListVirtualMFADevices
    • PutGroupPolicy
    • PutUserPolicy
    • PutRolePolicy
    • RemoveUserFromGroup
    • ResyncMFADevice
    • SetDefaultPolicyVersion
    • UpdateAccessKey
    • UpdateAccountPasswordPolicy
    • UpdateAssumeRolePolicy
    • UpdateLoginProfile
    • UpdateGroup
    • UpdateUser

    Wasabi supports the following subset of the AWS S3 STS:

    • AssumeRole (Note: AssumeRole supports a maximum session duration of 43200 seconds (12 hours).)
    • GetCallerIdentity
    • GetSessionToken

    All other AWS S3 actions not listed are not supported by Wasabi. All actions listed above are fully compatible with AWS S3 unless otherwise noted.

    Wasabi supports only IAM actions for version “2010-05-08”. The version value may be omitted from the call as well but, if given, it must be “2010-05-08”. Wasabi supports only STS actions for version “2011-06-15”. The version value may be omitted from the call as well but, if given, it must be “2011-06-15”.

    FORM Requests

    Wasabi supports the use of the HTTP method POST with the content type “application/x-www-form-urlencoded” for IAM operations. The key/value data in the POST body is equivalent to passing the same data as query string parameters. IAM requests with more than 8000 characters of data must be sent as a POST with form-encoded data.

    Policy Compatibility

    Wasabi supports access policies that are compatible with AWS S3 in definition. However, policies usually cannot be copied directly from AWS S3 to Wasabi because the policies frequently contain identifiers specific to the system (such as the account identifier and canonical IDs). The policy can be copied and all identifiers updated to their specific Wasabi values.
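    As an added example (not a Wasabi tool or code from this article), the following Python walks an AWS policy document, rewrites the account identifier inside ARNs and bare principal strings to its Wasabi value, and reports identifiers it cannot map, such as canonical IDs or ARNs from a different account. The account ids, the sample policy and the function names are constructed for this snippet.

```python
import json
import re
from typing import Any

# Account field of an ARN: arn:partition:service:region:ACCOUNT:resource
ARN_ACCOUNT_RE = re.compile(r"^(arn:[^:]*:[^:]*:[^:]*:)(\d{12})(:.*)$")
# Canonical user IDs (64 hex digits) have no AWS-to-Wasabi mapping; report, don't rewrite.
CANONICAL_ID_RE = re.compile(r"^[0-9a-fA-F]{64}$")

def _rewrite(value: Any, old: str, new: str, report: list) -> Any:
    """Walk the policy document; rewrite ARNs and bare account ids that carry the
    old account id, and report anything that still needs manual attention."""
    if isinstance(value, dict):
        return {k: _rewrite(v, old, new, report) for k, v in value.items()}
    if isinstance(value, list):
        return [_rewrite(v, old, new, report) for v in value]
    if isinstance(value, str):
        m = ARN_ACCOUNT_RE.match(value)
        if m and m.group(2) == old:
            return m.group(1) + new + m.group(3)
        if m:
            report.append(f"ARN with a different account id: {value}")
        elif value == old:  # e.g. "Principal": {"AWS": "123456789012"}
            return new
        elif CANONICAL_ID_RE.match(value):
            report.append(f"canonical ID needs its Wasabi value: {value}")
    return value

def migrate_policy(policy_json: str, aws_account_id: str, wasabi_account_id: str):
    """Return (rewritten policy, list of identifiers still needing manual review)."""
    report: list = []
    policy = _rewrite(json.loads(policy_json), aws_account_id, wasabi_account_id, report)
    return policy, report

# Constructed sample: an AWS bucket policy with identifiers from a fictitious AWS account.
SAMPLE_AWS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::123456789012:user/alice",
                              "arn:aws:iam::210987654321:root"],
                      "CanonicalUser": "f" * 64},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::example-bucket/*"],
    }],
})
```

    S3 bucket ARNs carry an empty account field and pass through untouched; everything in the report list must be resolved by hand before the policy is applied on Wasabi.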

    Policy Variables

    Wasabi supports the following policy variables used in access policies:

    • aws:CurrentTime
    • aws:EpochTime
    • aws:MultiFactorAuthPresent
    • aws:MultiFactorAuthAge
    • aws:principaltype
    • aws:Referer
    • aws:SecureTransport
    • aws:SourceIp
    • aws:UserAgent
    • aws:userid
    • aws:username
    • aws:accountid (Wasabi feature only; see details below*)
    • iam:PolicyArn
    • s3:authtype
    • s3:delimiter
    • s3:max-keys
    • s3:prefix
    • s3:signatureAge
    • s3:signatureversion
    • s3:VersionId
    • s3:x-amz-acl
    • s3:x-amz-content-sha256
    • s3:x-amz-copy-source
    • s3:x-amz-grant-read
    • s3:x-amz-grant-write
    • s3:x-amz-grant-read-acp
    • s3:x-amz-grant-write-acp
    • s3:x-amz-grant-full-control
    • s3:x-amz-metadata-directive
    • s3:x-amz-server-side-encryption
    • s3:x-amz-storage-class
    • sts:ExternalId

    * AWS S3 does not provide a variable that returns the account identifier of the current user. Wasabi supports the additional policy variable “aws:accountid”, which returns the account identifier for the current user.

    Multi-Factor Authentication (MFA) Support

    Wasabi strongly encourages the use of an MFA device for additional security on your account. Wasabi supports virtual MFA devices, but not hardware MFA devices. Wasabi has been tested with Google Authenticator and Authy 2-Factor Authentication. However, Wasabi should operate with any application that supports the open TOTP standard.

    System-Wide Policies

    Wasabi provides some additional commonly used system-wide policies. The following are the standard system-wide policies and their meaning.

    • WasabiS3FullAccess: Same as that defined by AWS, allowing full access to any AWS S3 resource.
    • WasabiS3ReadOnlyAccess: Same as that defined by AWS, allowing read only access to any AWS S3 resource.
    • AdministratorAccess: Same as that defined by AWS S3, allowing full administrator access to the account.
    • WasabiReadOnlyAccess: Allows read only access to any account, user, and AWS S3 data in the account. This policy also allows the user to change the password and use MFA.
    • WasabiWriteOnlyAccess: Allows the user to write objects to an AWS S3 bucket.
    • WasabiFullAccess: Allows the user full access to AWS S3 buckets and to modify their own user IAM parameters.

    Policy Wildcard Matching

    Wasabi supports these wildcard characters:

    * can match zero or more characters.
    ? matches any one character.

    Wildcards can match in the principal, action, resource, or conditions parts of the policy statement. These characters may be used anywhere in a string, but may not cross the colon (:) separator in an ARN. Prefixing the asterisk (*) and question mark (?) with a backslash (\) overrides the wildcard meaning of the characters and forces a match to the literal character.

    When matching an ARN for an IAM resource or principal containing a path, matching is allowed either with or without the path given. However, if the policy ARN name contains a path, it must match the entity path.
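    An added example (not Wasabi's code) implementing the matching rules described above: `*` and `?`, backslash escapes, no matching across the colon separator, and the IAM path rule. The function names and the sample ARNs used in the comments are this snippet's own.

```python
import re

def _segment_regex(segment: str):
    """Translate one colon-delimited segment of a policy pattern into a regex.
    '*' matches zero or more characters and '?' exactly one; a backslash before
    either makes it literal. Neither wildcard may match ':' because every ARN
    segment is matched on its own."""
    parts, i = [], 0
    while i < len(segment):
        ch = segment[i]
        if ch == "\\" and i + 1 < len(segment) and segment[i + 1] in "*?":
            parts.append(re.escape(segment[i + 1]))  # escaped wildcard: literal
            i += 2
            continue
        parts.append("[^:]*" if ch == "*" else "[^:]" if ch == "?" else re.escape(ch))
        i += 1
    return re.compile("".join(parts))

def _drop_entity_path(resource: str) -> str:
    """'user/engineering/alice' -> 'user/alice' (entity type plus final name)."""
    kind, _, rest = resource.partition("/")
    return kind + "/" + rest.rsplit("/", 1)[-1]

def policy_arn_matches(pattern: str, arn: str) -> bool:
    """Match a policy ARN pattern against a concrete ARN, segment by segment.
    Because wildcards cannot cross ':', a pattern with a different number of
    segments never matches (e.g. 'arn:aws:s3:*' does not cover 'arn:aws:s3:::b')."""
    p_segs, a_segs = pattern.split(":"), arn.split(":")
    if len(p_segs) != len(a_segs):
        return False
    candidates = [a_segs]
    # IAM path rule: a pattern that names the entity without a path also matches
    # the entity with its path removed; a pattern that includes a path must match
    # the entity's path exactly, so no alternative is tried for it.
    if (len(p_segs) == 6 and p_segs[2] == "iam"
            and p_segs[5].count("/") == 1 and a_segs[5].count("/") > 1):
        candidates.append(a_segs[:5] + [_drop_entity_path(a_segs[5])])
    return any(all(_segment_regex(p).fullmatch(a) for p, a in zip(p_segs, cand))
               for cand in candidates)
```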

    Temporary Access Keys

    Similar to AWS S3, Wasabi supports both permanent and temporary access credentials. Wasabi provides the action “CreateTemporaryAccessCredentials” for creation of temporary access credentials. Unlike other IAM actions, this action is not signed by credentials since it is used to obtain temporary credentials based on the user password. However, it must be protected using a secure HTTPS connection.

    The action takes the following input parameters:

    • Account: A string that identifies the account using the account ID (with or without hyphens), account name (usually the email), or account alias. This parameter must be provided.
    • UserName: A string that identifies the user within the account. If no value is given, the user is assumed to be the root user for the account.
    • Password: A string that provides the password for the given user.
    • MFAToken: A string that provides the MFA token from the MFA device to authenticate the request when the user is required to use multi-factor authentication. This value may be omitted if no MFA token is required for the user. The authentication credentials retain the MFA authorization and can be used to avoid MFA authorization in other operations such as deleting objects.
    • Expires: An integer that provides the number of seconds until the access key expires. The maximum allowed is 129600 (which is 36 hours). If no value is provided, the default expiration time is 12 hours.
    • SecurityToken: A string that provides the security token to be used with the credentials. AWS S3 allows an optional security token that functions like a password to be used with the access key. If not provided, no security token is associated with the access keys.

    The action returns in an XML body the access key ID, create time, expiration time, and the secret key for the access credential.

    Below is an example call to the action “CreateTemporaryAccessCredentials”:

    GET https://iam.wasabisys.com/?Action=CreateTemporaryAccessCredentials&AccountId=100000000100&UserName=test-user&Password=my-password HTTP/1.1

    Response body:

    <CreateTemporaryAccessCredentialsResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
      <CreateTemporaryAccessCredentialsResult>
        <AccessKey>
          <AccessKeyId>AITXP7RW3QXQPXJ0XC9A</AccessKeyId>
          <CreateDate>2017-06-07T16:39:11.274Z</CreateDate>
          <Expires>2017-06-08T04:39:11.273Z</Expires>
          <SecretAccessKey>pKSYVSDH2aac1LVE8m4a6L070NA0Mz0nTqWHzD2F</SecretAccessKey>
        </AccessKey>
        <User>
          <Path>/</Path>
          <PasswordLastUsed>2017-06-07T16:38:48.000Z</PasswordLastUsed>
          <Arn>arn:aws:iam::100000000103:root</Arn>
          <UserId>ADC37066E05B318487B6AEF5542E9C78FACC77A67CAD6B2FDC3990C430D15591</UserId>
          <CreateDate>2017-06-07T16:38:48.000Z</CreateDate>
        </User>
        <LoginProfile>
          <UserName />
          <CreateDate>2017-06-07T16:38:48.000Z</CreateDate>
          <PasswordResetRequired>false</PasswordResetRequired>
        </LoginProfile>
        <AccountPlan>
          <BillingPlanName>trial-premium</BillingPlanName>
          <Standing>ok</Standing>
        </AccountPlan>
      </CreateTemporaryAccessCredentialsResult>
      <ResponseMetadata>
        <RequestId>08a3add0-7ebc-903c-a9c6-23dccfeef920</RequestId>
      </ResponseMetadata>
    </CreateTemporaryAccessCredentialsResponse>

    Change Password for Root User

    Wasabi allows the root user to change the password using the action “ChangePassword”. The access credentials identify the user and may include the account root user.

    Create User Allows Setting Password

    Wasabi allows the user password to be set with the action “CreateUser”. The caller can provide the additional parameters “Password” and “PasswordResetRequired”, which are the same as given for the “SetLoginProfile” action.

    Getting User MFA Status

    Wasabi returns more data about MFA status for an access key with the new action “GetUserMFA”. The response includes the MFA device data for the user associated with the access key, together with the authorization date and age (in seconds) of the credentials. The action may also be called for roles, in which case only the authorization date and age are returned. Below is an example call and response for the “GetUserMFA” action:

    GET https://iam.wasabisys.com/?Action=GetUserMFA&UserName=user1

    Response body:

    <GetUserMFAResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
      <GetUserMFAResult>
        <UserName>user1</UserName>
        <SerialNumber>arn:aws:iam::100000113772:mfa/user1-45104489812</SerialNumber>
        <CreateDate>2020-02-10T11:59:47.000Z</CreateDate>
        <EnableDate>2020-02-10T12:01:02.000Z</EnableDate>
        <AuthenticateDate>2020-02-10T12:23:03.000Z</AuthenticateDate>
        <AuthenticateAge>638</AuthenticateAge>
      </GetUserMFAResult>
      <ResponseMetadata>
        <RequestId>9bbb7eae-4432-9f33-3fd9-fdb0556d3eca</RequestId>
      </ResponseMetadata>
    </GetUserMFAResponse>
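    An added example, not code from Wasabi or this article, that parses the two response bodies shown above (“CreateTemporaryAccessCredentials” and “GetUserMFA”) with Python's standard library, computes the remaining lifetime of a temporary key, and applies a caller-chosen maximum MFA authorization age. The function names are this snippet's own; the sample bodies are trimmed copies of the article's examples.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
# Both responses use the IAM 2010-05-08 namespace shown in the article's examples.
NS = {"iam": "https://iam.amazonaws.com/doc/2010-05-08/"}

def _field(node, name):
    el = node.find(f"iam:{name}", NS)
    if el is None or el.text is None:
        raise ValueError(f"missing <{name}> in response")
    return el.text

def _ts(value):
    # Timestamps are UTC with a trailing 'Z'; make them timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_temporary_credentials(body):
    """Key material and expiry from a CreateTemporaryAccessCredentials response."""
    key = ET.fromstring(body).find(
        "iam:CreateTemporaryAccessCredentialsResult/iam:AccessKey", NS)
    if key is None:
        raise ValueError("response has no AccessKey element")
    return {"access_key_id": _field(key, "AccessKeyId"),
            "secret_access_key": _field(key, "SecretAccessKey"),
            "expires": _ts(_field(key, "Expires"))}

def seconds_until_expiry(creds, now_iso):
    """Remaining lifetime of the temporary key at the given UTC time (negative once expired)."""
    return int((creds["expires"] - _ts(now_iso)).total_seconds())

def parse_user_mfa(body):
    """MFA device serial (absent when called for a role) and authorization age from GetUserMFA."""
    res = ET.fromstring(body).find("iam:GetUserMFAResult", NS)
    if res is None:
        raise ValueError("response has no GetUserMFAResult element")
    serial = res.find("iam:SerialNumber", NS)
    return {"serial": serial.text if serial is not None else None,
            "authenticate_age": int(_field(res, "AuthenticateAge"))}

def mfa_authorization_is_fresh(mfa, max_age):
    """Gate sensitive operations on an MFA authorization no older than max_age seconds."""
    return mfa["authenticate_age"] <= max_age

# Sample bodies trimmed from the article's examples (constructed for this snippet).
TEMP_CREDS_XML = """<CreateTemporaryAccessCredentialsResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<CreateTemporaryAccessCredentialsResult><AccessKey><AccessKeyId>AITXP7RW3QXQPXJ0XC9A</AccessKeyId>
<Expires>2017-06-08T04:39:11.273Z</Expires><SecretAccessKey>pKSYVSDH2aac1LVE8m4a6L070NA0Mz0nTqWHzD2F</SecretAccessKey>
</AccessKey></CreateTemporaryAccessCredentialsResult></CreateTemporaryAccessCredentialsResponse>"""
MFA_XML = """<GetUserMFAResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<GetUserMFAResult><UserName>user1</UserName>
<SerialNumber>arn:aws:iam::100000113772:mfa/user1-45104489812</SerialNumber>
<AuthenticateAge>638</AuthenticateAge></GetUserMFAResult></GetUserMFAResponse>"""
```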

    Feature: Listing All Access Keys for Account

    Wasabi allows the action “ListAccessKeys” to list all the access keys for the given account. If the username parameter is an asterisk (*), access keys are given for all the users, including the root user, in the account. The returned value of the username for the root user is blank.

    Validating Policies

    Wasabi supports the action “ValidatePolicy” to debug and test IAM policies. The action returns error information about any problems in the policy, such as incorrect structure and unrecognized identifiers. If there are no errors in the policy, the system evaluates the policy and returns ALLOW, DENY, or no status. The evaluation is done assuming the principal (account, user, or role) that signed the request.

    The action takes the following input parameters:

    • PolicyDocument: The text of the policy document to evaluate. The text should be formatted as JSON.
    • IsPrincipal: The Boolean value “true” if this policy is applied to a principal element (a user, role, or group). Otherwise, the policy is assumed to apply to a specific resource (most often a bucket). AWS S3 differentiates between these two types of policies.
    • UseAction: The string giving the action for evaluating the policy. Example actions include s3:PutObject and iam:ChangePassword.
    • UseResource: The string giving the resource for evaluating the policy. Note that the resource should be expressed as an ARN (for example, arn:aws:s3:::my-bucket/my-object).
    • UseService: The service associated with the request: iam, sts, or s3. The default is iam.