IAM and STS Support With the Wasabi S3 API
    • 06 Jun 2024
    • 6 Minutes to read
    • PDF

    IAM and STS Support With the Wasabi S3 API

    • PDF

    Article summary

    Wasabi supports the following subset of the AWS S3 IAM:

    AddUserToGroupDeleteUserListEntitiesForPolicy
    AttachGroupPolicyDeleteUserPolicyListGroups
    AttachRolePolicyDeletetVirtualMFADeviceListGroupPolicies
    AttachUserPolicyDetachGroupPolicyListGroupsForUser
    ChangePasswordDetachRolePolicyListMFADevices
    CreateAccessKeyDetachUserPolicyListPolicies
    CreateAccountAliasEnableMFADeviceListPolicyVersions
    CreateGroupGetAccessKeyLastUsedListRolePolicies
    CreateLoginProfileGetAccountAuthorizationDetailsListRoles
    CreatePolicyGetAccountPasswordPolicyListUsers
    CreatePolicyVersionGetAccountSummaryListUserPolicies
    CreateRoleGetGroupListVirtualMFADevices
    CreateUserGetGroupPolicyPutGroupPolicy
    CreateVirtualMFADeviceGetLoginProfilePutUserPolicy
    DeactivateMFADeviceGetPolicyPutRolePolicy
    DeleteAccessKeyGetPolicyVersionRemoveUserFromGroup
    DeleteAccountAliasGetRoleResyncMFADevice
    DeleteAccountPasswordPolicyGetRolePolicySetDefaultPolicyVersion
    DeleteGroupGetUserUpdateAccessKey
    DeleteGroupPolicyGetUserPolicyUpdateAccountPasswordPolicy
    DeleteLoginProfileListAccessKeysUpateAssumeRolePolicy
    DeletePolicyListAccountAliasesUpdateLoginProfile
    DeletePolicyVersionListAttachedGroupPoliciesUpdateGroup
    DeleteRoleListAttachedRolePoliciesUpdateUser
    DeleteRolePolicyListAttachedUserPolicies

    Wasabi supports the following subset of the AWS S3 STS.

    • AssumeRole (Note: AssumeRole supports maximum session duration as 43200 secs (12 hrs).)
    • GetCallerIdentity
    • GetSessionToken

    All other actions in AWS S3 not listed are not support by Wasabi. All actions listed above are supported fully compatible with AWS S3 unless otherwise noted.

    Wasabi supports only IAM actions for version “2010-05-08”. The version value may be omitted from the call as well but, if given, it must be “2010-05-08”. Wasabi supports only STS actions for version “2011-06-15”. The version value may be omitted from the call as well but, if given, it must be “2011-06-15”.

    FORM Requests

    Wasabi supports the use of the HTTP method POST with the content type “application/x-www-form-urlencoded” for IAM operations. The key/value data in the POST body is equivalent to using the data as query string parameters. For IAM requests with over 8000 characters of data, the request must be provided as a POST using the form encoded data.

    Policy Compatibility

    Wasabi supports access policies that are compatible with AWS S3 in definition. However, policies usually cannot be copied directly from AWS S3 to Wasabi because the policies frequently contain identifiers specific to the system (such as the account identifier and canonical IDs). The policy can be copied and all identifiers updated to their specific Wasabi values.

    Policy Variables

    Wasabi supports the following policy variables used in access policies:

    aws:CurrentTimeaws:accountid (Wasabi feature only; see details below*)s3:x-amz-content-sha256
    aws:EpochTimes3:x-amz-copy-source
    aws: MultiFactorAuthPresentiam:PolicyArns3:x-amz-grant-read
    aws: MultiFactorAuthAges3:authtypes3:x-amz-grant-write
    aws:principaltypes3:delimiters3:x-amz-grant-read-acp
    aws:Referers3:max-keyss3:x-amz-grant-write-acp
    aws:SecureTransports3:prefixs3:x-amz-grant-full-control
    aws:SourceIps3:signatureAges3:x-amz-metadata-directive
    aws:UserAgents3:signatureversions3:x-amz-server-side-encryption
    aws:userids3:VersionIds3:x-amz-storage-class
    aws:usernames3:x-amz-aclsts:ExternalId

    * AWS S3 does not support a variable to return the account identification for the current users. Wasabi supports the additional policy variable “aws:accountid”, which returns the account identification for the current user.

    Multi-Factor Authentication (MFA) Support

    Wasabi strongly encourages the use of an MFA device for additional security on your account. Wasabi supports virtual MFA devices, but not hardware MFA devices. Wasabi has been tested with Google Authenticator and Authy 2-Factor Authentication. However, Wasabi should operate with any application that supports the open TOTP standard.

    System-Wide Policies

    Wasabi provides some additional commonly used system-wide policies. The following are the standard system-wide policies and their meaning.

    PolicyDescription
    WasabiS3FullAccessSame as that defined by AWS, allowing full access to any AWS S3 resource.
    WasabiS3ReadOnlyAccessSame as that defined by AWS, allowing read only access to any AWS S3 resource.
    AdministratorAccessSame as that defined by AWS S3, allowing full administrator access to the account.
    WasabiReadOnlyAccessAllows read only access to any account, user, and AWS S3 data in the account. This policy also allows the user to change the password and use MFA.
    WasabiWriteOnlyAccessAllows the user to write objects to an AWS S3 bucket.
    WasabiFullAccessAllows the user full access to AWS S3 buckets and to modify their own user IAM parameters.

    Policy Wildcard Matching

    Wasabi supports these wildcard characters:

    * can match zero or more characters.
    ? matches any one character.

    Wildcards can match in the principal, action, resource, or conditions parts of the policy statement. These characters may be used anywhere in a string, but may not cross the colon (:) separator in an ARN. Prefixing the asterisk (*) and question mark (?) with a backslash (\) overrides the wildcard meaning of the characters and forces a match to the literal character.

    When matching an ARN for an IAM resource or principal containing a path, matching is allowed either with or without the path given. However, if the policy ARN name contains a path, it must match the entity path.

    Temporary Access Keys

    Similar to AWS S3, Wasabi supports both permanent and temporary access credentials. Wasabi provides the action “CreateTemporaryAccessCredentials” for creation of temporary access credentials. Unlike other IAM actions, this action is not signed by credentials since it is used to obtain temporary credentials based on the user password. However, it must be protected using a secure HTTPS connection.

    The action takes the following input parameters:

    ParameterDescription
    AccountA string that identifies the account using the account ID (with or without hyphens), account name (usually the email), or account alias. This parameter must be provided.
    UserNameA string that identifies the user within the account. If no value is given, the user is assumed to be the root user for the account.
    PasswordA string that provides the password for the given user.
    MFATokenA string that provides the MFA token from the MFA device to authenticate the request when the user is required to use multi-factor authentication. This value may be omitted if no MFA token is required for the user. The authentication credentials retain the MFA authorization and can be used to avoid MFA authorization in other operations such as deleting objects.
    ExpiresAn integer that provides the number of seconds until the access key expires. The maximum allowed is 129600 (which is 36 hours). If no value is provided, the default expiration time is 12 hours.
    SecurityTokenA string that provides the security token to be used with the credentials. AWS S3 allows an optional security token that functions like a password to be used with the access key. If not provided, no security token is associated with the access keys.

    The action returns in an XML body the access key ID, create time, expiration time, and the secret key for the access credential.

    Below is an example call to the action “CreateTemporaryAccessCredentials”:

    GET https://iam.wasabisys.com/
    ?Action=CreateTemporaryAccessCredentials&AccountId=100000000100
    &UserName=test-user&Password=my-passwordHTTP/1.1

    Response body:

    <CreateTemporaryAccessCredentialsResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">   
         <CreateTemporaryAccessCredentialsResult>
         <AccessKey>
         <AccessKeyId>AITXP7RW3QXQPXJ0XC9A</AccessKeyId>
         <CreateDate>2017-06-07T16:39:11.274Z</CreateDate>
         <Expires>2017-06-08T04:39:11.273Z</Expires>
         <SecretAccessKey>pKSYVSDH2aac1LVE8m4a6L070NA0Mz0nTqWHzD2F</SecretAccessKey>
         </AccessKey>
         <User>
         <Path>/</Path>
         <PasswordLastUsed>2017-06-07T16:38:48.000Z</PasswordLastUsed>
         <Arn>arn:aws:iam::100000000103:root</Arn>
         <UserId>ADC37066E05B318487B6AEF5542E9C78FACC77A67CAD6B2FDC3990C430D15591</UserId>
         <CreateDate>2017-06-07T16:38:48.000Z</CreateDate>
         </User>
         <LoginProfile>
         <UserName />
         <CreateDate>2017-06-07T16:38:48.000Z</CreateDate>
         <PasswordResetRequired>false</PasswordResetRequired>
         </LoginProfile>
         <AccountPlan>
         <BillingPlanName>trial-premium</BillingPlanName>
         <Standing>ok</Standing>
         </AccountPlan>
         </CreateTemporaryAccessCredentialsResult>
         <ResponseMetadata>
         <RequestId>08a3add0-7ebc-903c-a9c6-23dccfeef920</RequestId>
         </ResponseMetadata>
    </CreateTemporaryAccessCredentialsResponse>

    Change Password for Root User

    Wasabi allows the root user to change the password using the action “ChangePassword”. The access credentials identify the user and may include the account root user.

    Create User Allows Setting Password

    Wasabi allows the user password to be set with the action “CreateUser”. The caller can provide the additional parameters “Password” and “PasswordResetRequired”, which are the same as given for the “SetLoginProfile” action.

    Getting User MFA Status

    Wasabi returns more data about MFA status for an access key with the new action “GetUserMFA”. The response data includes the MFA device data for the access key including the MFA device data for the user and the authorization date and age (in seconds) of the credentials. Note that the action may be called for roles in which case only the authorization date and age are returned. Below is an example call and response for the “GetUserMFA” action:

    GET https://iam.wasabisys.com/?Action=GetUserMFA&UserName=user1

    Response body:

    <GetUserMFAResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
         <GetUserMFAResult>
         <UserName>user1</UserName>
         <SerialNumber>arn:aws:iam::100000113772:mfa/user1-45104489812</SerialNumber>
         <CreateDate>2020-02-10T11:59:47.000Z</CreateDate>
         <EnableDate>2020-02-10T12:01:02.000Z</EnableDate>
         <AuthenticateDate>2020-02-10T12:23:03.000Z</AuthenticateDate>
         <AuthenticateAge>638</AuthenticateAge>
         </GetUserMFAResult>
         <ResponseMetadata>
         <RequestId>9bbb7eae-4432-9f33-3fd9-fdb0556d3eca</RequestId>
         </ResponseMetadata>
    </GetUserMFAResponse>

    Feature: Listing All Access Keys for Account

    Wasabi allows the action “ListAccessKeys” to list all the access keys for the given account. If the username parameter is an asterisk (*), access keys are given for all the users, including the root user, in the account. The returned value of the username for the root user is blank.

    Validating Policies

    Wasabi supports the action “ValidatePolicy” to debug and test IAM policies. The action will return error information about any problems in the policy, such as incorrect structure and unrecognized identifiers. If there are no errors in the policy, the system will evaluate the policy for either an ALLOW, DENY, or no return status. The evaluation is done assuming the principal (account, user, or role) that signed the request.

    The action takes the following input parameters:

    ParameterDescription

    PolicyDocument

    The text of the policy document to evaluate. The text should be formatted as JSON.

    IsPrincipal

    The Boolean value “true” if this policy is applied to a principle element (a user, role, or group). Otherwise, the policy is assumed to apply to a specific resource (most often a bucket). AWS S3 differentiates from these two types of policies.

    UseAction

    The string giving the action for evaluating the policy. Example actions include s3:PutObject and iam:ChangePassword.

    UseResource

    The string giving the resource for evaluating the policy. Note that the resource should be expressed as an ARN (for example, arn:aws:s3:::my-bucket/my-object).

    UseService

    The service associated with the request: iam, sts, or s3. The default is iam.



    ESC

    Eddy AI, facilitating knowledge discovery through conversational intelligence