One of the cool new features in Eucalyptus 4.0 is support for IAM Roles. IAM roles let users define a way for applications to request temporary security credentials on the user's behalf. A role has a set of access control policies associated with it, so that an application only has access to the services and resources that are defined by the policy. Policies are defined as JSON documents.
For instance, the following IAM policy allows access to list an S3 bucket with the name "mybucket":
More information on IAM Roles can be found in Amazon's IAM documentation.
The service that is the equivalent of IAM in Eucalyptus is called Euare (I-am, Eu-are, get it?). The API calls we are interested in for IAM roles are:
```java
// Create the role through the Euare (IAM) component; the role name and the
// assume-role policy document are set on the request (not shown in the post)
CreateRoleType createRoleType = new CreateRoleType();
CreateRoleResponseType createRoleResponseType = AsyncRequests.sendSync(euare, createRoleType);
```
To use roles, the user that is trying to "assume" a role needs to be granted access to the AssumeRole API operation. Our assume role policy looks like:
STS stands for Security Token Service. AsyncRequests.sendSync is the way to dispatch messages among components within Eucalyptus. It knows whether a service is local (i.e. on the same host as the client) or remote, but that is a topic for another day.
We then add an access policy for the role that was created earlier. For example,
```json
{"Statement": [{"Effect": "Allow", "Action": ["s3:CreateBucket", "s3:ListBucket", "s3:DeleteBucket"],
                "Resource": "arn:aws:s3:::snapshots"}]}
```
This policy allows access to the s3:CreateBucket, s3:ListBucket and s3:DeleteBucket operations against the resource arn:aws:s3:::snapshots, which, simply put, means that you can create, list or delete the bucket with the name "snapshots".
We can add other policies to this role to allow specific objects to be accessed. That's it.
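The access policy above grants exactly three operations on one bucket. As an added example (not code from the post or from Eucalyptus), here is a small Python evaluator for that policy, with the policy document constructed from the post's description; it implements a subset of IAM semantics (wildcards, default deny, explicit Deny beating Allow) and shows that listing "mybucket" or reading an object inside "snapshots" is denied until another policy grants it.

```python
import fnmatch
import json

# Access policy for the role, constructed here from the post's description:
# create, list or delete the bucket named "snapshots", and nothing else.
SNAPSHOTS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:CreateBucket", "s3:ListBucket", "s3:DeleteBucket"],
        "Resource": "arn:aws:s3:::snapshots",
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, candidate, fold_case):
    # IAM-style "*" / "?" wildcards; action names compare case-insensitively,
    # resource ARNs case-sensitively.
    if fold_case:
        candidate = candidate.lower()
    return any(
        fnmatch.fnmatchcase(candidate, p.lower() if fold_case else p)
        for p in _as_list(patterns)
    )

def is_allowed(policy_json, action, resource):
    """Simplified IAM evaluation: default deny, an explicit Deny beats any Allow."""
    allowed = False
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return False
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed

if __name__ == "__main__":
    for a, r in [
        ("s3:ListBucket", "arn:aws:s3:::snapshots"),
        ("s3:ListBucket", "arn:aws:s3:::mybucket"),
        ("s3:GetObject", "arn:aws:s3:::snapshots/vol-1")]:
        print(f"{a:14} {r:32} {'ALLOW' if is_allowed(SNAPSHOTS_POLICY, a, r) else 'DENY'}")
```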
To use this role, we use the AssumeRole operation. For example,
```java
AssumeRoleType assumeRoleType = new AssumeRoleType();
// the role ARN and session name are set on the request here (not shown in the post)
assumeRoleType.setDurationSeconds(3600); // temporary credentials expire after one hour
// "tokens" is the STS component; sendSync dispatches the request to it
AssumeRoleResponseType assumeRoleResponseType = AsyncRequests.sendSync(tokens, assumeRoleType);
CredentialsType credentials = assumeRoleResponseType.getAssumeRoleResult().getCredentials();
```
This gives us temporary credentials that the SC (Storage Controller) can now use to interact with the OSG (Object Storage Gateway) to upload and download snapshots. Notice the call to setDurationSeconds: the credentials expire after an hour and then have to be renewed.
If you are an end user, as opposed to a Eucalyptus component, you can use the Amazon AWS SDK to perform the same operations. You can call CreateRole, PutRolePolicy and AssumeRole through the SDK, which works exactly the same against Eucalyptus as it does against Amazon IAM.
Enjoy and let us know what you think!