diff --git a/content/docs/object-storage-s3/s3-features.mdx b/content/docs/object-storage-s3/s3-features.mdx
index 960b66f0..68184357 100644
--- a/content/docs/object-storage-s3/s3-features.mdx
+++ b/content/docs/object-storage-s3/s3-features.mdx
@@ -456,4 +456,199 @@ aws s3api list-object-versions --bucket "bucket name" --profile "profil name" -- ``` ## Set Up Bucket Policies for Sharing (AWS-CLI S3 plugin) -Coming soon... + +The **[aws-plugin-bucket-policy](https://github.com/CESNET/aws-plugin-bucket-policy)** plugin is a cli tool for generating and setting bucket policies. + + +Before installing the plugin, install and configure the **[AWS tool](https://docs.du.cesnet.cz/en/docs/object-storage-s3/aws-cli)**. + + +### Plugin installation aws-plugin-bucket-policy + +```bash +pip install --upgrade pip setuptools awscli aws-plugin-bucket-policy awscli_plugin_endpoint +``` + +### Plugin and endpoint configuration + +In the configuration file `/home/your-username/.aws/config`, add the missing settings to the profile + +```bash +[profile test_user] +output = text +s3 = +endpoint_url = https://s3.cl4.du.cesnet.cz +s3api = +endpoint_url = https://s3.cl4.du.cesnet.cz +s3bucket-policy = +endpoint_url = https://s3.cl4.du.cesnet.cz + +[plugins] +s3bucket-policy = aws_plugin_bucket_policy +endpoint = awscli_plugin_endpoint +``` + +### Creating a bucket policy for sharing a bucket + +Only the bucket owner can modify policies! + + + +The group identifier can be obtained from the Gatekeeper service: **https://access.du.cesnet.cz/**. +In the following image: +A – Group/Tenant ID +B – User ID + +If access credentials were provided to you, the Tenant ID is included in the user field before the dollar sign ($). + + +![GK-group_info](/img/data-care/s3-features/GK-group_info.jpg) + +Before modifying the bucket policy settings, check whether a policy is already configured + +```bash +aws s3bucket-policy --profile test_user get-policy --bucket your-bucket +``` + + +If a bucket policy already exists, it will be overwritten. 
+
+
+Creating a shared folder for a tenant
+
+```bash
+aws s3bucket-policy --profile test_user new-policy --bucket your-bucket --newpol-type share-w-tenant --newpol-spec tenant=c6efffff_1581_hhhh_879d_1616agtgtgtg,action=rw
+```
+
+Command output:
+
+```bash
+Bucket "your-bucket" old policy: No policy defined
+---
+Bucket "your-bucket" new policy:
+{
+ "Id": "policy-260115-150636-1111",
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "statement-260114-150636-6251",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": [
+ "c6efffff_1581_hhhh_879d_1616agtgtgtg"
+ ]
+ },
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::your-bucket",
+ "arn:aws:s3:::your-bucket/*"
+ ]
+ }
+ ]
+}
+....
+```
+
+Creating a shared folder with a user
+
+```bash
+aws s3bucket-policy --profile test_user new-policy --bucket your-bucket --newpol-type share-w-user --newpol-spec tenant=c6efffff_1581_hhhh_879d_1616agtgtgtg,user=62cbgbgbgbgbg03aa144c327279eenhnhnhnhnhe,action=rw
+```
+
+Command output:
+
+```bash
+Bucket "your-bucket" old policy: No policy defined
+---
+Bucket "your-bucket" new policy:
+{
+ "Id": "policy-260114-151333-4614",
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "statement-260114-151333-1193",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": [
+ "arn:aws:iam::c6efffff_1581_hhhh_879d_1616agtgtgtg:user/ahhhhhhhhhha554c0206319caa7mnmnmnmnmn0ea",
+ "arn:aws:iam::c6efffff_1581_hhhh_879d_1616agtgtgtg:user/62cbgbgbgbgbg03aa144c327279eenhnhnhnhnhe"
+ ]
+ },
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::your-bucket",
+ "arn:aws:s3:::your-bucket/*"
+ ]
+ }
+ ]
+}
+```
+
+Creating a shared folder with a user who has write permissions, while also configuring sharing for a second user with read-only access.
+
+```bash
+aws s3bucket-policy --profile test_user new-policy --bucket your-bucket --newpol-type share-w-user --newpol-spec tenant=5fd7687c_9874_497d_bb99_6ebb56987e23,user=62bgtsrdjhrd203aa144c32725dr9v3fldtds79e,action=rw user=62c159778887203rt144c327279ee0854f96d79f,action=ro
+```
+
+```bash
+Bucket "your-bucket" new policy:
+{
+ "Id": "policy-260128-134711-5519",
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "statement-260128-134711-7294",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": [
+ "arn:aws:iam::5fd7687c_9874_497d_bb99_6ebb56987e23:user/62bgtsrdjhrd203aa144c32725dr9v3fldtds79e",
+ "arn:aws:iam::5fd7687c_9874_497d_bb99_6ebb56987e23:user/62c159778887203rt144c327279ee0854f96d79e"
+ ]
+ },
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::your-bucket",
+ "arn:aws:s3:::your-bucket/*"
+ ]
+ },
+ {
+ "Sid": "statement-260128-134711-6339",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": [
+ "arn:aws:iam::5fd7687c_9874_497d_bb99_6ebb56987e23:user/62c159778887203aa144c327279ee0854f96d79f"
+ ]
+ },
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::your-bucket",
+ "arn:aws:s3:::your-bucket/*"
+ ]
+ }
+ ]
+}
+```
+
+For creating more complex bucket policies, the `--dryrun` switch can be used. It outputs the configuration without applying it. The resulting summarized bucket policy configuration can then be created and applied using JSON.
+
+Additional **[examples](https://github.com/CESNET/aws-plugin-bucket-policy/blob/main/README.md##examples)** and **[command reference](https://github.com/CESNET/aws-plugin-bucket-policy/blob/main/docs/commands.md)**
+
+If more advanced bucket policy configuration is required, please contact `du-support@cesnet.cz`.
diff --git a/public/img/data-care/s3-features/GK-group_info.jpg b/public/img/data-care/s3-features/GK-group_info.jpg
new file mode 100644
index 00000000..5d8d3c86
Binary files /dev/null and b/public/img/data-care/s3-features/GK-group_info.jpg differ