[https://issues.apache.org/jira/browse/HDDS-13323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Fabian Morgan updated HDDS-13323:
---------------------------------
Description:
With Amazon AWS, there is a central service called Security Token Service (STS)
which can issue short-lived tokens for accessing resources
([https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html]).
The STS service can be used through REST APIs.
{code:bash}
ozonesecure % docker compose exec scm bash
bash-4.4$ aws sts assume-role --role-arn arn:aws:iam::123456789012:role/MyTempAccessRole \
    --role-session-name MyTempSession --duration-seconds 3600 --endpoint-url http://s3g:9878
{
    "Credentials": {
        "AccessKeyId": "ASIAXRQR8WNR5SO4HQTD",
        "SecretAccessKey": "DB0uN5ZM4STSmLbhq34soncmmvauLyexEjsM7psP",
        "SessionToken": "H5L1Wd8+tOlttTOVBZ8PAW/kgltpFjHyhn9DKSMB1fhCs//A+bqhWiHfNSWgWbZYaXtvCeZfPxX3EV+nLH9TJRw75isDGKiA8swvQNke+QK3eVZQ/3oWuhe9PpB3IP2ydsmP61tpf+2mtfJoxHA/x5tKGZJ8dxv+9RceA/icTfw=",
        "Expiration": "2025-06-20T11:34:29.841476383Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAVXJFKO2HQBF1E4Z0:MyTempSession",
        "Arn": "arn:aws:iam::123456789012:role/MyTempAccessRole"
    }
}
{code}
{code:bash}
ozonesecure % docker compose exec scm bash
bash-5.1$ aws sts assume-role --role-arn arn:aws:iam::123456789012:role/iceberg-data-all-access \
    --role-session-name "iceberg-session-with-policy" \
    --policy "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::iceberg\/*\"}]}" \
    --duration-seconds 1800 --endpoint-url http://s3g:9880/sts
{
    "Credentials": {
        "AccessKeyId": "ASIAJQAUS29ZJBFI7FMHJ0ZA",
        "SecretAccessKey": "AGiBdW9ezwAzI6cY3WimEIgAe+uavFpdhyEWMRwy",
        "SessionToken": "jgI8CAMaGEFTSUFKUUFVUzI5WkpCRkk3Rk1ISjBaQTjm1-7NxDNiGEFTSUFKUUFVUzI5WkpCRkk3Rk1ISjBaQYIBJDgyY2MwMjA1LTg3NWQtNDI2Ny05ZjNmLTIzNzhhMDY5MDIwNooBNmFybjphd3M6aWFtOjoxMjM0NTY3ODkwMTI6cm9sZS9pY2ViZXJnLWRhdGEtYWxsLWFjY2Vzc5IBMnN2Yy1pY2ViZXJnLXJlc3QtY2F0YWxvZy9pY2ViZXJnY2xpZW50QEVYQU1QTEUuQ09NmgFwcDFjNXVFMEVqY3lkbm95UUJsbG1KbXdvWFk2UFBEQ3ZUcytBK1MzallYVTVBWEtFSG9ETXhtYWEyS0xzYWdVNFd6eUNqUktIVXZkeVdLSFRtbk9EM2ZTNWd3dVRuOWkySXBHNFVjNGhBSTJZclFYbKIB8wF7ImdyYW50b3IiOiJyOmljZWJlcmctZGF0YS1hbGwtYWNjZXNzIiwibW9kZSI6IklOTElORSIsImdyYW50cyI6W3sicHJpbmNpcGFscyI6bnVsbCwicmVzb3VyY2VzIjpbImtleTpzM3YvaWNlYmVyZy8qIiwiYnVja2V0OnMzdi9pY2ViZXJnIiwidm9sdW1lOnMzdiJdLCJwZXJtaXNzaW9ucyI6WyJyZWFkIl19XSwiY3JlYXRlZEJ5Ijoic3ZjLWljZWJlcmctcmVzdC1jYXRhbG9nIiwiY3JlYXRlVGltZSI6MTc3MDc2MTc2MTk0OH0gZvh7ERi72EAGDpzFYK4hNN6kdP4REbsuHh7pqYtM0qgIU1RTVG9rZW4DU1RT",
        "Expiration": "2026-02-10T22:46:01Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAG7DON49097XT1AOY:iceberg-session-with-policy",
        "Arn": "arn:aws:sts::123456789012:assumed-role/iceberg-data-all-access/iceberg-session-with-policy"
    }
}
{code}
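As an added illustration (not code from this issue or from Ozone), here is a small Python check of what the session policy passed with --policy in the second transcript actually permits, and how long the returned credentials remain valid. The policy evaluator is a deliberate simplification of IAM semantics (no Condition, NotAction or NotResource), and the AssumeRole response values are constructed placeholders.

```python
"""Added example: check what STS session-policy credentials permit and when they expire."""
import fnmatch
import json
from datetime import datetime, timezone

# Session policy passed with --policy in the issue's second transcript.
SESSION_POLICY = json.loads(
    r'{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
    r'"Action":"s3:GetObject","Resource":"arn:aws:s3:::iceberg\/*"}]}'
)

# Constructed AssumeRole response: same shape as the CLI output, placeholder values.
ASSUME_ROLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
        "SecretAccessKey": "EXAMPLE-SECRET-PLACEHOLDER",
        "SessionToken": "EXAMPLE-SESSION-TOKEN-PLACEHOLDER",
        "Expiration": "2026-02-10T22:46:01Z",
    }
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, then Allow, default deny.

    Actions compare case-insensitively, resources case-sensitively; '*' and '?'
    wildcards use fnmatch. Conditions and NotAction/NotResource are not modelled.
    """
    allowed = False
    for stmt in policy["Statement"]:
        act_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                      for a in _as_list(stmt["Action"]))
        res_hit = any(fnmatch.fnmatchcase(resource, r)
                      for r in _as_list(stmt["Resource"]))
        if not (act_hit and res_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def parse_expiration(ts):
    """Parse Expiration as UTC; tolerates the fractional seconds seen in the first transcript."""
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def seconds_remaining(response, now_ts):
    """Seconds until the temporary credentials expire (negative once expired)."""
    return (parse_expiration(response["Credentials"]["Expiration"]) - parse_expiration(now_ts)).total_seconds()
```

Even though the assumed role is named iceberg-data-all-access, the session can only GetObject under the iceberg bucket; everything else is denied, which is the least-privilege effect a session policy is meant to provide.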
was:
With Amazon AWS, there is a central service called Security Token Service (STS)
which can issue short-lived tokens for accessing resources
([https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html]).
The STS service can be used through REST APIs.
{code:bash}
ozonesecure % docker compose exec scm bash
bash-4.4$ aws sts assume-role --role-arn arn:aws:iam::123456789012:role/MyTempAccessRole \
    --role-session-name MyTempSession --duration-seconds 3600 --endpoint-url http://s3g:9878
{
    "Credentials": {
        "AccessKeyId": "ASIAXRQR8WNR5SO4HQTD",
        "SecretAccessKey": "DB0uN5ZM4STSmLbhq34soncmmvauLyexEjsM7psP",
        "SessionToken": "H5L1Wd8+tOlttTOVBZ8PAW/kgltpFjHyhn9DKSMB1fhCs//A+bqhWiHfNSWgWbZYaXtvCeZfPxX3EV+nLH9TJRw75isDGKiA8swvQNke+QK3eVZQ/3oWuhe9PpB3IP2ydsmP61tpf+2mtfJoxHA/x5tKGZJ8dxv+9RceA/icTfw=",
        "Expiration": "2025-06-20T11:34:29.841476383Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAVXJFKO2HQBF1E4Z0:MyTempSession",
        "Arn": "arn:aws:iam::123456789012:role/MyTempAccessRole"
    }
}
{code}
> STS - temporary, limited-privilege credentials service
> ------------------------------------------------------
>
> Key: HDDS-13323
> URL: https://issues.apache.org/jira/browse/HDDS-13323
> Project: Apache Ozone
> Issue Type: Epic
> Reporter: Ren Koike
> Assignee: Fabian Morgan
> Priority: Major
> Labels: pull-request-available
> Attachments: sts.md
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)