Sharing Objects data with anonymous/IAM users.

Anirudha | Sun, 11/24/2019 - 03:58

A few days back I came across a use case where a user wanted to share some specific data with his team, but did not want to give them any direct access to the Objects cluster. In this series we will explore how you can share your data with anonymous and authenticated users.

Use Case :

A user created a bucket and uploaded a few documents to it. He wants to share those documents with his team but does not want to give them access to Objects, i.e. he does not want to create IAM users for them, yet still wants to share a few specific documents (uploaded to Objects).

Interesting isn’t it, let's explore all the options.

Sharing Objects data:

By default only the owner has full access to a bucket or object. From the Objects UI, an admin can share any bucket with any valid IAM user, and based on the permissions granted, that user can perform certain operations on the bucket. But here the user needs IAM credentials to access the Objects endpoint.

Sharing with anonymous user :

Objects also provides an API to generate a pre-signed URL for a given object, which you can then share with anyone. Anyone who has the URL can use curl, a browser or any other client to access the data; the end user does not need any direct access to Objects (i.e. no IAM credentials). The URL carries the signer's access key ID, an expiry time and a signature computed with the signer's secret key, so the request is authorized as the signer, for that one object and that one action, until the URL expires.

What you need :


Using aws cli :
Configure your IAM credentials for aws cli :
  • Create a ~/.aws/credentials file and enter your IAM user's access key and secret key in the format below. This secret key signs every pre-signed URL you generate, so keep the file readable only by you (chmod 600) and never paste it into a ticket or chat.

$ cat ~/.aws/credentials
[default]
aws_access_key_id=dOdyYRzsV4Yc_xiXc9SDOIFIrqfzLBXJ
aws_secret_access_key=P6lBNCLrm0VR3yRw7HRMjlOvINpKotVO

Create Bucket : 

$ aws s3 --endpoint-url http://objects007.scalcia.com mb s3://testbucket

Uploading local file (creating object) : 

$ aws s3 --endpoint-url http://objects007.scalcia.com cp linux_commands.txt s3://testbucket/linux_commands.txt

Creating Pre-signed URL

$ aws s3 --endpoint-url http://objects007.scalcia.com presign s3://testbucket/linux_commands.txt --expires-in 60

--expires-in : This parameter stamps an expiry on the URL, in seconds from the time the URL is generated. You can set it from 0 to 604800 seconds (7 days); if omitted, aws cli defaults to 3600 seconds.

Above command will return URL similar to : http://objects007.scalcia.com/testbucket/linux_commands.txt?AWSAccessKe…


You can open this URL in a browser (or any other client) and it will display the contents of linux_commands.txt:

You can share the above URL with anyone, and that person can access the data without any credentials. Treat the URL itself as the credential: anyone who obtains it (from a forwarded mail, a proxy log, browser history) gets the same access. Note also that the endpoint here is plain http, so the URL and the data travel in the clear; use an https endpoint for anything sensitive.

If the signing user's IAM keys are revoked or changed, this pre-signed URL will return an access denied error, because the signature is checked against the signer's current secret key. Rotating that key is how you cut off a shared URL before it expires, so prefer short expiries and sign with a key you are prepared to rotate.


The above URL is valid for only 60 seconds. If you access it after 60 seconds, it will return:

Simple, isn't it?
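To see what the URL from `aws s3 presign` actually carries, and why both rotating the signer's keys and waiting past the expiry turn it into a denial, here is an added example (my own code, not part of the original post and not how Objects implements it internally). It builds the same AWSAccessKeyId/Expires/Signature query-string form shown in the truncated URL above (the legacy SigV2 scheme: Base64 of HMAC-SHA1 over the verb, expiry and resource path; SigV4 uses X-Amz-* parameters and HMAC-SHA256, but the idea is the same) and then models the check an endpoint performs on the way in. The endpoint, bucket and object name are taken from the article; the credentials, the key store and the return codes of `verify` are constructed for this example.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# Constructed sample credentials for this example only (not real keys and
# not the keys from the article's credentials file).
ENDPOINT = "http://objects007.scalcia.com"
ACCESS_KEY = "EXAMPLEACCESSKEY0001"
SECRET_KEY = "example-secret-key-do-not-use-0123456789"

MAX_EXPIRES_IN = 7 * 24 * 3600  # 604800 s, the upper bound aws s3 presign accepts


def string_to_sign(method, bucket, key, expires):
    """SigV2 query-string string-to-sign for a request with no Content-MD5,
    no Content-Type and no x-amz-* headers: the verb, two empty lines, the
    absolute expiry (Unix seconds) and the canonicalized resource."""
    return f"{method}\n\n\n{expires}\n/{bucket}/{key}"


def signature(secret_key, sts):
    """Base64(HMAC-SHA1(secret, string-to-sign)), the value behind &Signature=."""
    mac = hmac.new(secret_key.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def presign(bucket, key, access_key, secret_key, expires_in, now=None, endpoint=ENDPOINT):
    """Return a GET URL for bucket/key that is valid for expires_in seconds from now."""
    if not 0 <= expires_in <= MAX_EXPIRES_IN:
        raise ValueError("expires_in must be between 0 and 604800 seconds (7 days)")
    now = int(time.time()) if now is None else int(now)
    expires = now + expires_in
    sig = signature(secret_key, string_to_sign("GET", bucket, key, expires))
    query = urlencode({"AWSAccessKeyId": access_key, "Expires": expires, "Signature": sig})
    return f"{endpoint}/{bucket}/{quote(key)}?{query}"


def verify(url, key_store, now=None):
    """Model of the server-side check (illustrative, not the Objects implementation):
    look up the access key, recompute the signature over the requested resource and
    the claimed expiry, compare in constant time, then enforce the expiry.
    key_store maps access key id -> current secret; a revoked key is simply absent."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    access_key = params.get("AWSAccessKeyId", [""])[0]
    sig = params.get("Signature", [""])[0]
    try:
        expires = int(params.get("Expires", [""])[0])
    except ValueError:
        return "AccessDenied"
    secret = key_store.get(access_key)
    if secret is None:
        return "AccessDenied"  # key unknown or revoked: nothing to check the signature against
    bucket, _, key = parsed.path.lstrip("/").partition("/")
    expected = signature(secret, string_to_sign("GET", bucket, unquote(key), expires))
    if not hmac.compare_digest(expected.encode("ascii"), sig.encode("utf-8")):
        return "SignatureDoesNotMatch"  # URL re-pointed, expiry edited, or secret rotated
    now = int(time.time()) if now is None else int(now)
    if now > expires:
        return "Expired"
    return "OK"


if __name__ == "__main__":
    url = presign("testbucket", "linux_commands.txt", ACCESS_KEY, SECRET_KEY, 60)
    print(url)
    print(verify(url, {ACCESS_KEY: SECRET_KEY}))
```

Because the signature covers the verb, the resource path and the expiry, the URL cannot be re-pointed at another object or given a longer life without the secret key, and removing or rotating that key invalidates every URL it ever signed at once, which is exactly the revocation behaviour described above.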

Let's take a quick look at this programmatically.