Friday, October 1, 2010

How to create subaccounts and share buckets using IAM and CloudBerry S3 Explorer

Note: this post applies to CloudBerry Explorer 2.4.2 and later.

As always we are trying to stay on top of the new functionality offered by Amazon S3 to offer the most compelling Amazon S3 and CloudFront client on the Windows platform.
A few weeks ago Amazon introduced the Identity and Access Management (IAM) service. It is an exciting new service that allows you to create user accounts inside the master account and grant those accounts a set of permissions. CloudBerry Explorer PRO 2.4 already comes with full support for IAM, and you can learn more about that in our previous blog post.
In this blog post we will look into the very common scenario of creating a subaccount within the master account and granting it permissions to a specific bucket. This might be useful if, for instance, you work with freelancers and want them to be able to work with the content in their own bucket.

Creating a policy

Click Access Manager in the main menu to run the IAM management tool from within CloudBerry Explorer.
In the Access Manager click New User to open a dialog. Name the user and click OK.
The new user should show up in the list. Right-click it and click Add Policy…
Click New Statement and then <select actions> to choose the list of actions your new user will be allowed to perform. The most common ones are shown in the policy text below.
Click in: to specify the bucket name and the path. Make sure to add “/*” to the path so that the statement applies to the bucket's contents, i.e. to every object key under the bucket.
Click New Statement once again, this time for the bucket itself. Choose s3:ListBucket for the action and make sure that you don't add “/*” at the end, because this statement applies to the bucket, not to its contents.
You can optionally set a condition. In our example the policy is valid only until Nov 1, 2010. After that time the user will no longer have access to the resource.
Click OK to create the policy.

Here is the policy text in case you want to copy it:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::cloudberry.public/*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::cloudberry.public",
      "Condition": {}
    }
  ]
}





Last but not least, you have to generate an access key / secret key pair for your new user. Click Generate Access Keys… in the user context menu. Copy the keys so that you can hand them over to the user later.

Working as a User

Register an account for the newly created user in the CloudBerry Explorer console. Use the access/secret key pair created earlier.
Note: you can use the CloudBerry Explorer freeware to register one bucket for an IAM user. If you need to register more than one bucket you will have to turn to our PRO version.
Now select the newly created account in the drop-down list. If you look at the list of buckets, it will be empty. This is because we have not granted the user the right to list all buckets. You have to add the bucket as an external bucket manually: click the green button on the toolbar and type the bucket name.
Now you can see the bucket in the console. You can copy, move and delete files, create folders, etc.
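The following is an added example, not CloudBerry's code and not AWS's evaluation engine: a small Python model of how IAM evaluates the two statements shown above, which also explains why the bucket list in "Working as a User" comes up empty (s3:ListAllMyBuckets is never granted). It writes the Nov 1, 2010 expiry the post mentions as a DateLessThan condition on aws:CurrentTime (the post's own JSON leaves Condition empty), uses constructed object keys and request times, and models only Allow/Deny, wildcards and the two date operators; bucket policies, ACLs and other condition keys are out of scope. The lint function flags the mistake discussed in the comments: object actions attached to a bare bucket ARN, or bucket actions attached to a "/*" resource.

```python
"""Added example, not CloudBerry's code: a small evaluator for S3 IAM user
policies like the one in this post. Policy text and timestamps are constructed."""
import json
import re
from datetime import datetime, timezone

# The post's policy, with the Nov 1, 2010 expiry the text describes written as a
# real IAM condition (DateLessThan on aws:CurrentTime); the post's JSON leaves it empty.
POLICY = json.loads("""
{ "Statement": [
    { "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:GetObjectAcl",
                 "s3:PutObjectAcl", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::cloudberry.public/*",
      "Condition": {"DateLessThan": {"aws:CurrentTime": "2010-11-01T00:00:00Z"}} },
    { "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketAcl"],
      "Resource": "arn:aws:s3:::cloudberry.public",
      "Condition": {"DateLessThan": {"aws:CurrentTime": "2010-11-01T00:00:00Z"}} } ] }
""")

# Constructed request times: one inside the validity window, one after it.
BEFORE_EXPIRY = datetime(2010, 10, 15, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2010, 11, 2, tzinfo=timezone.utc)

# Actions that work on keys (need bucket/*) versus on the bucket itself (need the bare ARN).
OBJECT_ACTIONS = {"s3:getobject", "s3:putobject", "s3:deleteobject",
                  "s3:getobjectacl", "s3:putobjectacl"}
BUCKET_ACTIONS = {"s3:listbucket", "s3:getbucketacl"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    """IAM wildcard match: '*' is any run of characters, '?' any single character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _condition_holds(condition, now):
    """Only the date operators on aws:CurrentTime are modelled; anything else fails closed."""
    for operator, pairs in condition.items():
        for key, limit_text in pairs.items():
            if key != "aws:CurrentTime" or operator not in ("DateLessThan", "DateGreaterThan"):
                return False
            limit = datetime.fromisoformat(limit_text.replace("Z", "+00:00"))
            if operator == "DateLessThan" and not now < limit:
                return False
            if operator == "DateGreaterThan" and not now > limit:
                return False
    return True

def is_allowed(policy, action, resource, now):
    """IAM in miniature: default deny, a matching Deny always wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), now):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def lint_s3_resources(policy):
    """Flag the mistake from the comments: object actions on a bare bucket ARN, or the reverse."""
    problems = []
    for i, stmt in enumerate(policy["Statement"]):
        for action in _as_list(stmt["Action"]):
            for res in _as_list(stmt["Resource"]):
                is_key_arn = "/" in res.split(":::", 1)[-1]   # bucket names never contain '/'
                if action.lower() in OBJECT_ACTIONS and not is_key_arn:
                    problems.append(f"statement {i}: {action} needs {res}/*")
                if action.lower() in BUCKET_ACTIONS and is_key_arn:
                    problems.append(f"statement {i}: {action} needs the bare bucket ARN, not {res}")
    return problems

def demo(policy=POLICY):
    """The checks worth running before the access keys are handed to the user."""
    bucket = "arn:aws:s3:::cloudberry.public"
    key = bucket + "/invoices/q3.pdf"   # constructed object key
    return {
        "get_object": is_allowed(policy, "s3:GetObject", key, BEFORE_EXPIRY),
        "list_bucket": is_allowed(policy, "s3:ListBucket", bucket, BEFORE_EXPIRY),
        # Never granted, which is why the user's bucket list in the console comes up empty.
        "list_all_buckets": is_allowed(policy, "s3:ListAllMyBuckets", "arn:aws:s3:::*", BEFORE_EXPIRY),
        # The "/*" statement does not cover the bucket ARN itself: without the second statement, no listing.
        "list_bucket_without_bucket_stmt": is_allowed({"Statement": policy["Statement"][:1]},
                                                      "s3:ListBucket", bucket, BEFORE_EXPIRY),
        "get_object_after_expiry": is_allowed(policy, "s3:GetObject", key, AFTER_EXPIRY),
        "get_object_other_bucket": is_allowed(policy, "s3:GetObject", "arn:aws:s3:::other/x", BEFORE_EXPIRY),
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints one decision per check; only the two requests the post's statements actually cover come back true. The same matcher accepts a folder-scoped resource such as arn:aws:s3:::mybucket/myfolder/*, which is the "path" comment 9 below refers to, and a Deny statement appended to the policy overrides any Allow, as it does in IAM.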
As always we would be happy to hear your feedback and you are welcome to post a comment.

CloudBerry S3 Explorer is a Windows freeware product that helps manage Amazon S3 storage and CloudFront. You can download it at http://cloudberrylab.com/

CloudBerry S3 Explorer PRO is a Windows program that helps manage Amazon S3 storage and CloudFront. You can download it at http://pro.cloudberrylab.com/ It is priced at $39.99.

Like our products? Please help us spread the word about them. Learn here how to do it.
Want to get CloudBerry Explorer PRO for FREE? Make a blog post about us!

16 comments:

  1. This is exactly the functionality I need. However, when I follow the directions and set this up, I am able to open the bucket, but not open, create, or delete any objects inside the bucket. Does this integrate with ACLs at all?

    ReplyDelete
  2. I'd suggest making sure you added the star (*) after the bucket name in the policy

    arn:aws:s3:::bucketName/*

    ReplyDelete
  3. Andy, I had this same problem. I added /* at the end and now I get the alert, "Access denied. You can try a Requester Pays call to this bucket. Note: YOU WILL PAY for your data transfers and request costs. Do you want to proceed?". Pressing 'Yes' kicks me out. Pressing 'No' just repeats the alert.

    ReplyDelete
  4. Hey guys,

    the blog post is updated. You have to create an extra statement for a bucket itself. Thank you Skyler for the heads up!

    Andy

    ReplyDelete
  5. I know this works, but it's tedious. Can't you reduce this to a one button click action or wizard?

    If I have hundreds of subaccounts to create ...

    ReplyDelete
  6. I'm creating an extra policy for the bucket but it's asking for the user's canonical ID - where do I get that for the 'user' account I just set up?

    ReplyDelete
  7. The only way to know the canonical ID is to go to the AWS webpage at http://aws-portal.amazon.com/gp/aws/developer/account/index.html?action=access-key, enter email & password for that Amazon account.

    If you are using an IAM user, the IAM user does not have canonical ID. See details in AWS forum:
    https://forums.aws.amazon.com/thread.jspa?threadID=58155

    If it is an Amazon S3 account, you have to ask that user to tell you their canonical ID. Or you can get it from "Owner ID" if he has access to that Amazon S3 account and see properties of any of their files using CloudBerry Explorer properties tab. Look for the Owner ID property.

    ReplyDelete
  8. I was wondering what purpose the path has in this context. I've been setting up an IAM user for SQS and S3 with group policies. What does the path refer to? Not a bucket, I assume?

    ReplyDelete
  9. Well, path is exactly the path inside an S3 bucket. You may want to grant a certain user access to mybucket/myfolder/mysubfolder

    ReplyDelete
  10. I feel like I'm SO CLOSE! Everything is working properly for my newly created user in Cloudberry; all buckets visible and accessible, so I went to sign in as my user in Amazon to make sure they will be able to see content. I was able to sign in, however when I went to the S3 tab in the AWS management console, I got the message: "You don't have permissions to use the Amazon s3 console. If you need assistance, contact your system administrator." What am I missing here? If I sign in as myself (primary account), I have no problems.
    Thanks for all the help :)

    ReplyDelete
  11. Please check out our other blog on the subject
    How to log in to AWS Console with IAM accounts. Does it help?

    ReplyDelete
  12. No, I can get all the way to the bottom where I've signed in (as the user) but then I get the permissions message in the middle of the management console window. My user policy looks like this:
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:PutObject"
          ],
          "Resource": "arn:aws:s3:::bucket-name/*",
          "Condition": {}
        },
        {
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::bucket-name",
          "Condition": {}
        }
      ]
    }

    I don't have a policy on my bucket - should I? I only have the ACL settings as Read & Write for authenticated users (which seems like it wouldn't be very secure if someone knew my bucket name...)
    Thanks!

    ReplyDelete
  13. Upon further testing, not only can my 'user' not access my bucket through Amazon, but in Cloudberry, I can't 'open', 'get', or 'put' anything into the bucket that I gave permissions for. The only thing I can do as the user (not primary account), is delete files...

    ReplyDelete
  14. If you want us to investigate the issue further, go to Tools | Diagnostics in the program menu. In the window that opens, click the Send button. The logs will be sent to our support team automatically. This will help us diagnose and troubleshoot the issue.


    Please DON'T send us the log file as an attachment. The log file will be sent automatically.

    Here is some info on how to send the log file

    ReplyDelete
  15. I have a system with a folder within a bucket for each client. I want to give them an "external bucket" in cloudberry that goes directly to that bucket/folder. I can limit the permissions, but I simply can't have them seeing 500 other folders of other clients. Isn't there a way to make an external bucket/folder rather than just an external bucket?

    ReplyDelete
  16. I'm also getting the "Access Denied. You can register pay calls" error message on this. Can anyone please help?

    ReplyDelete