OSN Bucket Read-only Keys

• Required tools

  • aws-cli - install v 2.13+

  • jq

Note

• Note that with the 2.13+ version of aws-cli, you can spec endpoint in config. If not using that, specify endpoint on command line i.e., –endpoint-url //endpoint//<code>

• Create aws profile with osnadmin site user (or equivalent priviged user) for <<site>>

  • if you’re wondering what the keys are just cephadm/radosgw-admin to the site and look at the user…

• Create new radosgw user == <<bucketname>>_readonly

ssh <<site>> 'sudo cephadm shell radosgw-admin user create --uid=<<bucketname>>_readonly --display-name="<<bucketname>> readonly user"'

• Record the keys for the new user

• Get current bucket policy (save the original in case you mess up)

aws s3api get-bucket-policy --profile <<site>> --bucket <<bucketname>> | jq '.Policy | fromjson' > <<bucketname>>-orig.json
cp <<bucketname>>-orig.json <<bucketname>>-readonly.json

• Remove the anon read policy stanza if one exists (will have a principal “AWS”: [“*”])

• Add the following stanza to the <<bucketname>>-readonly.json policy file

{
  "Sid":"bucket read-only policy",
  "Effect":"Allow",
  "Principal": {"AWS": ["arn:aws:iam:::user/<<bucketname>>_readonly"]},
  "Action":["s3:GetObject","s3:ListBucket"],
  "Resource":[
    "arn:aws:s3:::<<bucketname>>/*",
    "arn:aws:s3:::<<bucketname>>"
   ]
}

• Apply the updated policy

aws s3api put-bucket-policy --profile <<site>> --bucket <<bucketname>> --policy file://<<bucketname>>-readonly.json

• Test the new <<bucketname>>_readonly user keys however you like to test

• Goto OSN portal and find project

• “Magic Click” on project name

  • windows-key + alt (window/linux kbd)

  • option + command (mac)

• Click <<projectname>>_datamanagers link

• Click “Add new Read Only key” and add key information

Note

Note that we got rid of RO key support a while back so this just adds to the RW list. As a result, when specifying the bucket, use the bucket name suffixed with “(RO)” e.g.

• RW Bucket: “https://usgs.osn.mghpcc.org/mdmf-workspace”

• RO Bucket: “https://usgs.osn.mghpcc.org/mdmf-workspace (RO)”

The RO suffix approach may break some other functionality that expects the bucket to be a valid URI but it’s all we have for now.

• Visit project and verify that the keys are showing (may need to make yourself a datamanager…)