OSN Bucket Read-only Keys

  • Required tools

    • aws-cli - install v 2.13+

    • jq

Note

  • Note that with the 2.13+ version of aws-cli, you can specify the endpoint in the config file. If not using that, specify the endpoint on the command line, i.e., --endpoint-url <<endpoint>>

  • Create an aws profile with the osnadmin site user (or an equivalent privileged user) for <<site>>

    • if you’re wondering what the keys are, just run radosgw-admin (via cephadm shell) on the site and look at the user…

  • Create new radosgw user == <<bucketname>>_readonly

ssh <<site>> 'sudo cephadm shell radosgw-admin user create --uid=<<bucketname>>_readonly --display-name="<<bucketname>> readonly user"'
  • Record the keys for the new user

  • Get current bucket policy (save the original in case you mess up)

aws s3api get-bucket-policy --profile <<site>> --bucket <<bucketname>> | jq '.Policy | fromjson' > <<bucketname>>-orig.json
cp <<bucketname>>-orig.json <<bucketname>>-readonly.json
  • Remove the anonymous read policy stanza if one exists (it will have a principal of "AWS": ["*"])

  • Add the following stanza to the <<bucketname>>-readonly.json policy file

{
  "Sid":"bucket read-only policy",
  "Effect":"Allow",
  "Principal": {"AWS": ["arn:aws:iam:::user/<<bucketname>>_readonly"]},
  "Action":["s3:GetObject","s3:ListBucket"],
  "Resource":[
    "arn:aws:s3:::<<bucketname>>/*",
    "arn:aws:s3:::<<bucketname>>"
  ]
}
  • Apply the updated policy

aws s3api put-bucket-policy --profile <<site>> --bucket <<bucketname>> --policy file://<<bucketname>>-readonly.json
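The policy edit from the steps above (drop the anonymous stanza, append the read-only stanza, then check what the new user can do before running put-bucket-policy), as an added Python example that is not part of the original page. The sample original policy and the bucket name mybucket are constructed placeholders for <<bucketname>>-orig.json and <<bucketname>>.

```python
import json

BUCKET = "mybucket"  # stands in for <<bucketname>>
OBJECTS, ROOT = f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"

# Constructed sample of <<bucketname>>-orig.json: an anonymous-read stanza
# (the one the procedure says to remove) plus an owner stanza that must survive.
ORIG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "anon read", "Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [OBJECTS, ROOT]},
        {"Sid": "owner", "Effect": "Allow", "Action": ["s3:*"],
         "Principal": {"AWS": ["arn:aws:iam:::user/owner"]}, "Resource": [OBJECTS, ROOT]},
    ],
}

def principals(stmt):
    """AWS principals of a statement as a list; '*' means anonymous access."""
    p = stmt.get("Principal", {})
    aws = ["*"] if p == "*" else p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)

def readonly_statement(bucket):
    """The read-only stanza from the procedure, for <<bucketname>>_readonly."""
    return {
        "Sid": "bucket read-only policy",
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam:::user/{bucket}_readonly"]},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        # ListBucket is evaluated against the bucket ARN, GetObject against object ARNs
        "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"],
    }

def make_readonly_policy(policy, bucket):
    """Drop anonymous stanzas and append the read-only stanza (original untouched)."""
    new = json.loads(json.dumps(policy))
    new["Statement"] = [s for s in new["Statement"] if "*" not in principals(s)]
    new["Statement"].append(readonly_statement(bucket))
    return new

def allowed_actions(policy, user_arn):
    """Check before put-bucket-policy: actions Allow'ed to user_arn (or to anyone)."""
    acts = set()
    for s in policy["Statement"]:
        if s.get("Effect") == "Allow" and {user_arn, "*"} & set(principals(s)):
            a = s["Action"]
            acts.update([a] if isinstance(a, str) else a)
    return sorted(acts)
```

Writing json.dumps(make_readonly_policy(ORIG_POLICY, BUCKET), indent=2) to <<bucketname>>-readonly.json gives the file put-bucket-policy expects; allowed_actions on the result should list only s3:GetObject and s3:ListBucket for the read-only user.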
  • Test the new <<bucketname>>_readonly user keys however you like to test

  • Goto OSN portal and find project

  • “Magic Click” on project name

    • windows-key + alt (window/linux kbd)

    • option + command (mac)

  • Click <<projectname>>_datamanagers link

  • Click “Add new Read Only key” and add key information

Note

Note that we got rid of RO key support a while back, so this just adds to the RW list. As a result, when specifying the bucket, use the bucket name suffixed with “(RO)” e.g.

The RO suffix approach may break some other functionality that expects the bucket name to be a valid URI, but it’s all we have for now.

  • Visit project and verify that the keys are showing (may need to make yourself a datamanager…)