Relayer-UI Identity & Access Management (IAM)
Identity & Access Management is an important component in controlling access to Relayer resources. IAM determines who is authenticated (Users) and which resources they are permitted to use (Policies).
IAM Tab Overview
The IAM tab is found along the top section of the Relayer-UI. Within this tab there are pages for Users, Groups, and Policies.
Naming Conventions & Requirements
You will create various names, titles, access keys, and secret keys within the IAM tab. Many of these carry character and length requirements that must be met; the following is a brief primer on the main conventions:
- Group and Policy names must not contain spaces (reference document)
- Access Keys must be at least 3 characters long, and Secret Keys at least 8
- Bucket names must be at least 3 characters long and must not contain spaces, uppercase letters, or special characters other than hyphens and dots (reference document)
Users can be created and given a unique Access Key and Secret Key; these work like a username and password.
The Policy tab can build relatively simple policies with the bucket-permission builder, as well as “Manual” AWS-style policies.
Manual policies can be written with the help of the AWS Policy Generator or by following an example guide. The AWS docs “IAM JSON policy elements reference” and “Bucket policies and user policies”, and the MinIO “IAM-Access Management” page, are useful references.
Policy Example
Below is a sample policy, which does the following:
- Each user gets their own bucket, named after their Access Key (username), with exclusive read/write access to it.
- No other user can access this bucket (except the main admin keys).
- Each user also gets access to a bucket named shared; inside it they have read/write access to a folder matching their Access Key (username).
- No other user can write to this folder (except the main admin keys).
- Every user has read access to all folders/files within the shared bucket.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUsersOwnBucketAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::${aws:username}",
        "arn:aws:s3:::${aws:username}/*"
      ]
    },
    {
      "Sid": "AllowGroupToSeeBucketListInTheConsole",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowRootLevelListingOfTheBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::shared"
      ],
      "Condition": {
        "StringEquals": {
          "s3:delimiter": [
            "/"
          ],
          "s3:prefix": [
            ""
          ]
        }
      }
    },
    {
      "Sid": "AllowListBucketOfASpecificUserPrefix",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::shared"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "${aws:username}/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowReadAccessToOtherSharedFolders",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::shared/*"
      ]
    },
    {
      "Sid": "AllowUserSpecificActionsOnlyInTheSpecificUserPrefix",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::shared/${aws:username}/*"
      ]
    }
  ]
}
Note that the buckets and folders themselves are not auto-generated and must be created manually; once created, they are governed by the policy above.
After creation, apply the Policy to a User or a Group.
Groups can be used to apply Policies to sets of Users, as well as to enable or disable those sets.
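To see what the policy grants a given user before applying it to a User or Group, the following added example (not Relayer's own code) evaluates requests against a condensed copy of the policy the way IAM does: default deny, wildcard matching on Resource, and StringEquals/StringLike conditions on request keys such as s3:prefix. It assumes Relayer substitutes ${aws:username} with the requesting Access Key as MinIO and AWS do; the users alice and bob and the object keys are constructed for illustration.

```python
import fnmatch

# Condensed form of the policy above (Sids dropped). s3:ListBucket is evaluated against
# the bucket ARN itself, so the own-bucket statement names the bucket as well as its objects.
POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:DeleteObject", "s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::${aws:username}", "arn:aws:s3:::${aws:username}/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::shared"],
     "Condition": {"StringEquals": {"s3:delimiter": ["/"], "s3:prefix": [""]}}},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::shared"],
     "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::shared/*"]},
    {"Effect": "Allow", "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::shared/${aws:username}/*"]},
]}

def _condition_holds(condition, context, expand):
    """StringEquals / StringLike over request-context keys; a missing key fails the check."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            if key not in context:
                return False
            expanded = [expand(v) for v in values]
            if operator == "StringEquals" and context[key] not in expanded:
                return False
            if operator == "StringLike" and not any(
                    fnmatch.fnmatchcase(context[key], v) for v in expanded):
                return False
    return True

def is_allowed(user, action, resource, context=None, policy=POLICY):
    """Default deny: True only if an Allow statement matches action, resource and conditions.

    `user` is the Access Key substituted for ${aws:username}; `context` carries request
    condition keys such as s3:prefix and s3:delimiter for a ListBucket call.
    """
    context = context or {}
    expand = lambda s: s.replace("${aws:username}", user)
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow" or action not in statement["Action"]:
            continue
        if not any(fnmatch.fnmatchcase(resource, expand(r)) for r in statement["Resource"]):
            continue
        if _condition_holds(statement.get("Condition", {}), context, expand):
            return True
    return False
```

For example, is_allowed("alice", "s3:PutObject", "arn:aws:s3:::shared/bob/notes.txt") returns False while the same call for shared/alice/notes.txt returns True, and listing shared with a prefix of bob/ is refused because neither ListBucket condition matches.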
Limitations
Some IAM limitations are inherent to the AWS/S3 ecosystem (such as the 20 KB policy size limit), and others stem from varying implementations of S3 protocol support.
S3 has become a “de facto” protocol with many extensions and additions over the years, not all of which are implemented (or make sense to implement) in every S3 ecosystem component. If you use a tool like the AWS Policy Generator, some of the items in its Actions dropdown (namely Version tags) are likely not supported in current Relayer versions.
We put great effort into supporting the commonly used S3 methods, and indeed have the most powerful and broad S3 app support within distributed cloud. If unsupported Policy Actions are blocking any of your workflows or use cases, contact us.