Ceph Object Gateway IAM API

doc/radosgw/iam.rst


.. _radosgw-iam:

===========================
Ceph Object Gateway IAM API
===========================

.. versionadded:: Squid

The Ceph Object Gateway supports a subset of the `Amazon IAM API`_ for the RESTful management of account users, roles, and associated policies.

This REST API is served by the same HTTP endpoint as the :ref:`radosgw s3`.

Authorization
-------------

By default, only :ref:`Account Root Users <radosgw-account-root-user>` are authorized to use the IAM API, and they can only see the resources under their own account. The account root user can use policies to delegate these permissions to other users or roles in the account.

Feature Support
---------------

The following tables describe the currently supported IAM actions.

Users
~~~~~

+------------------------------+-----------+
| Action                       | Remarks   |
+==============================+===========+
| CreateUser                   |           |
+------------------------------+-----------+
| GetUser                      |           |
+------------------------------+-----------+
| UpdateUser                   |           |
+------------------------------+-----------+
| DeleteUser                   |           |
+------------------------------+-----------+
| ListUsers                    |           |
+------------------------------+-----------+
| CreateAccessKey              |           |
+------------------------------+-----------+
| UpdateAccessKey              |           |
+------------------------------+-----------+
| DeleteAccessKey              |           |
+------------------------------+-----------+
| ListAccessKeys               |           |
+------------------------------+-----------+
| PutUserPolicy                |           |
+------------------------------+-----------+
| GetUserPolicy                |           |
+------------------------------+-----------+
| DeleteUserPolicy             |           |
+------------------------------+-----------+
| ListUserPolicies             |           |
+------------------------------+-----------+
| AttachUserPolicy             |           |
+------------------------------+-----------+
| DetachUserPolicy             |           |
+------------------------------+-----------+
| ListAttachedUserPolicies     |           |
+------------------------------+-----------+

Groups
~~~~~~

+------------------------------+-----------+
| Action                       | Remarks   |
+==============================+===========+
| CreateGroup                  |           |
+------------------------------+-----------+
| GetGroup                     |           |
+------------------------------+-----------+
| UpdateGroup                  |           |
+------------------------------+-----------+
| DeleteGroup                  |           |
+------------------------------+-----------+
| ListGroups                   |           |
+------------------------------+-----------+
| AddUserToGroup               |           |
+------------------------------+-----------+
| RemoveUserFromGroup          |           |
+------------------------------+-----------+
| ListGroupsForUser            |           |
+------------------------------+-----------+
| PutGroupPolicy               |           |
+------------------------------+-----------+
| GetGroupPolicy               |           |
+------------------------------+-----------+
| DeleteGroupPolicy            |           |
+------------------------------+-----------+
| ListGroupPolicies            |           |
+------------------------------+-----------+
| AttachGroupPolicy            |           |
+------------------------------+-----------+
| DetachGroupPolicy            |           |
+------------------------------+-----------+
| ListAttachedGroupPolicies    |           |
+------------------------------+-----------+

Roles
~~~~~

+------------------------------+-----------+
| Action                       | Remarks   |
+==============================+===========+
| CreateRole                   |           |
+------------------------------+-----------+
| GetRole                      |           |
+------------------------------+-----------+
| UpdateRole                   |           |
+------------------------------+-----------+
| UpdateAssumeRolePolicy       |           |
+------------------------------+-----------+
| DeleteRole                   |           |
+------------------------------+-----------+
| ListRoles                    |           |
+------------------------------+-----------+
| TagRole                      |           |
+------------------------------+-----------+
| UntagRole                    |           |
+------------------------------+-----------+
| ListRoleTags                 |           |
+------------------------------+-----------+
| PutRolePolicy                |           |
+------------------------------+-----------+
| GetRolePolicy                |           |
+------------------------------+-----------+
| DeleteRolePolicy             |           |
+------------------------------+-----------+
| ListRolePolicies             |           |
+------------------------------+-----------+
| AttachRolePolicy             |           |
+------------------------------+-----------+
| DetachRolePolicy             |           |
+------------------------------+-----------+
| ListAttachedRolePolicies     |           |
+------------------------------+-----------+

OpenIDConnectProvider
~~~~~~~~~~~~~~~~~~~~~

+------------------------------+-----------+
| Action                       | Remarks   |
+==============================+===========+
| CreateOpenIDConnectProvider  |           |
+------------------------------+-----------+
| GetOpenIDConnectProvider     |           |
+------------------------------+-----------+
| DeleteOpenIDConnectProvider  |           |
+------------------------------+-----------+
| ListOpenIDConnectProviders   |           |
+------------------------------+-----------+

Accounts
~~~~~~~~

+------------------------------+-----------+
| Action                       | Remarks   |
+==============================+===========+
| GetAccountSummary            |           |
+------------------------------+-----------+

Managed Policies
----------------

The following managed policies are available for use with AttachGroupPolicy, AttachRolePolicy and AttachUserPolicy:

IAMFullAccess
  :Arn: arn:aws:iam::aws:policy/IAMFullAccess
  :Version: v2 (default)

IAMReadOnlyAccess
  :Arn: arn:aws:iam::aws:policy/IAMReadOnlyAccess
  :Version: v4 (default)

AmazonSNSFullAccess
  :Arn: arn:aws:iam::aws:policy/AmazonSNSFullAccess
  :Version: v1 (default)

AmazonSNSReadOnlyAccess
  :Arn: arn:aws:iam::aws:policy/AmazonSNSReadOnlyAccess
  :Version: v1 (default)

AmazonS3FullAccess
  :Arn: arn:aws:iam::aws:policy/AmazonS3FullAccess
  :Version: v2 (default)

AmazonS3ReadOnlyAccess
  :Arn: arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
  :Version: v3 (default)
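Before an account root user delegates IAM permissions to other users or roles (see Authorization above) or attaches one of the managed policies listed here, it helps to check the policy document against the supported subset, since the gateway accepts only the actions in the tables above and only these six managed-policy ARNs. The following added example is not part of Ceph's own code or documentation: it lints the ``iam:`` actions of a policy document against this page's action tables, flags wildcard grants that would hand out the whole IAM API, and checks managed-policy ARNs against the list above. The sample policy is constructed, and ``iam:CreateLoginProfile`` stands in for an AWS IAM action that the gateway does not list.

```python
"""Lint a delegation policy before sending it to the Ceph Object Gateway IAM API.
Added example, not Ceph's own code: checks that the IAM actions and managed-policy
ARNs an account root user delegates are in the gateway's supported subset."""
import fnmatch

# Actions common to the Users, Groups and Roles tables, generated per resource.
_PER_RESOURCE = ("Create{r}", "Get{r}", "Update{r}", "Delete{r}", "List{r}s",
                 "Put{r}Policy", "Get{r}Policy", "Delete{r}Policy", "List{r}Policies",
                 "Attach{r}Policy", "Detach{r}Policy", "ListAttached{r}Policies")
SUPPORTED_IAM_ACTIONS = frozenset(
    [t.format(r=r) for r in ("User", "Group", "Role") for t in _PER_RESOURCE]
    + ["CreateAccessKey", "UpdateAccessKey", "DeleteAccessKey", "ListAccessKeys",
       "AddUserToGroup", "RemoveUserFromGroup", "ListGroupsForUser",
       "UpdateAssumeRolePolicy", "TagRole", "UntagRole", "ListRoleTags",
       "CreateOpenIDConnectProvider", "GetOpenIDConnectProvider",
       "DeleteOpenIDConnectProvider", "ListOpenIDConnectProviders",
       "GetAccountSummary"])
SUPPORTED_MANAGED_POLICY_ARNS = frozenset(
    "arn:aws:iam::aws:policy/" + n for n in (
        "IAMFullAccess", "IAMReadOnlyAccess", "AmazonSNSFullAccess",
        "AmazonSNSReadOnlyAccess", "AmazonS3FullAccess", "AmazonS3ReadOnlyAccess"))

def managed_policy_supported(arn: str) -> bool:
    """True if Attach{User,Group,Role}Policy accepts this managed-policy ARN."""
    return arn in SUPPORTED_MANAGED_POLICY_ARNS

def lint_policy(doc: dict) -> list:
    """One finding per IAM action the gateway would reject or that over-delegates."""
    stmts = doc.get("Statement", [])
    findings = []
    for i, stmt in enumerate([stmts] if isinstance(stmts, dict) else stmts):
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            # A bare "*" has no service prefix but still covers the IAM API.
            service, _, name = action.partition(":") if ":" in action else ("*", "", action)
            if service.lower() not in ("iam", "*"):
                continue  # s3:/sns: actions are outside the IAM API and not checked
            matched = [a for a in SUPPORTED_IAM_ACTIONS if fnmatch.fnmatchcase(a, name)]
            if not matched:
                findings.append(f"stmt[{i}]: {action!r} is not supported by the gateway")
            elif any(c in name for c in "*?") and stmt.get("Effect") == "Allow":
                findings.append(f"stmt[{i}]: {action!r} grants {len(matched)} IAM "
                                "actions; list only the ones needed")
    return findings

# Constructed sample: delegate access-key rotation, plus a wildcard grant and an
# action outside the supported subset, to show both kinds of finding.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys"]},
    {"Effect": "Allow", "Resource": "*", "Action": "iam:*"},
    {"Effect": "Allow", "Resource": "*", "Action": "iam:CreateLoginProfile"}]}
```

Run ``lint_policy`` on a document before calling PutUserPolicy or PutRolePolicy with it; a clean result means every ``iam:`` action named is one the gateway serves, and no Allow statement relies on a wildcard.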

.. _Amazon IAM API: https://docs.aws.amazon.com/IAM/latest/APIReference/welcome.html