
User Authentication and Authorization

Introduction

Authentication and authorization in Switch Cloud S3 (SCS3) ensure that only authorized users can access and manage data. This section covers configuring user access to the SCS3 service through the AWS CLI and Rclone, along with examples.

Authorization

When the Switch Cloud Portal (SCP) creates an SCS3 instance, it automatically creates a corresponding S3 user in the backend. The user's UID can be found in the Details tab on the S3 service page.

  • All access keys created in an SCS3 instance identify that SCS3 instance and its associated S3 user, and provide the same read/write permissions. It is not possible to create "read-only" access keys.
  • By default, the S3 user that owns the bucket has unrestricted access to it, unless access is limited with a bucket policy.
  • If read-only access is required, you can create another SCS3 instance (and therefore another S3 user) and apply a bucket policy to grant that user read-only permissions.

Info

The Switch Cloud team is working on extending the SCS3 service with more granular IAM-like access control. Until then, fine-grained access can only be managed using bucket policies and separate SCS3 instances.

Prerequisites

  • Obtain S3 access keys through SCP. Remember that each project has its own unique keys.
  • One of the S3-compatible CLI clients (AWS CLI or Rclone).

Tool Configuration

There are two options to configure your AWS CLI client with credentials obtained from SCP to your SCS3 project:

  1. AWS Configuration File

    By default, the AWS CLI uses the $HOME/.aws/credentials configuration file. In this file you can create a profile with credentials. See the content of the example configuration file below.

    [my_s3_project_name]
    endpoint_url = <endpoint_url_obtained_from_the_Switch_Cloud_Portal>
    region = ch
    aws_access_key_id = <your_s3_access_key_id_obtained_from_the_Switch_Cloud_Portal>
    aws_secret_access_key = <your_s3_secret_access_key_obtained_from_the_Switch_Cloud_Portal>
    

    After creating a profile you will be able to perform actions on your SCS3 bucket using the --profile flag in your CLI commands.

    For example you may use the created profile my_s3_project_name in order to create a new bucket:

    aws --profile my_s3_project_name s3 mb s3://<your_bucket_name>
    

    You may also set an environment variable to skip the --profile flag:

    export AWS_PROFILE=my_s3_project_name
    

    Then you may directly do:

    aws s3 mb s3://<your_bucket_name>
    

  2. Environment Variables

    Set the environment variables with credentials to your SCS3 project.

    export AWS_ENDPOINT_URL=<endpoint url obtained from the Switch Cloud Portal>
    export AWS_REGION=ch
    export AWS_ACCESS_KEY_ID=<your s3 access key id obtained from the Switch Cloud Portal>
    export AWS_SECRET_ACCESS_KEY=<your s3 secret access key obtained from the Switch Cloud Portal>
    

    When the configuration is set via environment variables, you can drop the --profile flag in your CLI commands.

    Example:

    aws s3 mb s3://<your_bucket_name>
    

By default, Rclone uses the $HOME/.config/rclone/rclone.conf configuration file. In this file you can create a profile with credentials, similar to the AWS CLI configuration. See the content of the example configuration file below.

[<s3_profile>]
type = s3
provider = Ceph
endpoint = <endpoint_url_obtained_from_the_Switch_Cloud_Portal>
access_key_id = <your_s3_access_key_id_obtained_from_the_Switch_Cloud_Portal>
secret_access_key = <your_s3_secret_access_key_obtained_from_the_Switch_Cloud_Portal>

Example CLI command:

rclone mkdir <s3_profile>:<your_bucket_name>
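The read-only setup described under Authorization (a second SCS3 instance whose S3 user is granted read-only rights through a bucket policy), applied with the AWS CLI profile configured above, as an added example that is not part of the Switch Cloud documentation. The Ceph RGW principal form `arn:aws:iam:::user/<uid>` (no tenant) and all UID, bucket and profile values are assumptions; take the real UID from the Details tab of the reader instance.

```shell
#!/usr/bin/env bash
# Added example: grant a second SCS3 instance's S3 user read-only access to a bucket.
# The bucket owner keeps full access; the policy only adds rights for the reader UID.
set -e

# Render a bucket policy that lets <reader_uid> list the bucket and read objects,
# nothing else (no PutObject/DeleteObject, no policy changes).
# Assumes the Ceph RGW principal format arn:aws:iam:::user/<uid> (no tenant).
make_readonly_policy() {
  local bucket="$1" reader_uid="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyBucketForSecondInstance",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam:::user/${reader_uid}"]},
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": ["arn:aws:s3:::${bucket}"]
    },
    {
      "Sid": "ReadOnlyObjectsForSecondInstance",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam:::user/${reader_uid}"]},
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::${bucket}/*"]
    }
  ]
}
EOF
}

# Apply the policy with the owner's profile (the instance that created the bucket),
# then read it back so the effective statements can be reviewed.
apply_readonly_policy() {
  local profile="$1" bucket="$2" reader_uid="$3"
  local policy_file
  policy_file="$(mktemp)"
  make_readonly_policy "$bucket" "$reader_uid" > "$policy_file"
  aws --profile "$profile" s3api put-bucket-policy \
      --bucket "$bucket" --policy "file://${policy_file}"
  aws --profile "$profile" s3api get-bucket-policy --bucket "$bucket" --output text
  rm -f "$policy_file"
}

# Usage (placeholder values, replace with your own):
#   apply_readonly_policy my_s3_project_name <your_bucket_name> <reader_s3_uid>
```

Verify from the reader instance's own profile that `aws s3 ls` and `aws s3 cp` downloads succeed while an upload is denied; the owner's access is unchanged because the policy adds statements rather than restricting the owner.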