How do I use the AWS STS with Wasabi?

AWS STS (AWS Security Token Service) is a service that issues temporary credentials for accessing your AWS resources. You can make the same STS calls against Wasabi by changing only the endpoint.

Note that this example uses Wasabi's us-east-1 storage region. To use another Wasabi storage region, use the appropriate Wasabi service URL as described in this article.

AWS STS can be used with the various AWS SDKs, such as those for Java, .NET and Ruby, and it offers several API methods for generating temporary credentials. Wasabi supports the following API methods:

1.  GetSessionToken

Sample code to create a bucket using the AWS Java SDK and GetSessionToken:

import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetSessionTokenRequest;
import com.amazonaws.services.securitytoken.model.GetSessionTokenResult;

public class SessionTokenExample {

    public static void main(String[] args) {
        // STS client authenticated with the long-lived keys of the "default" profile
        AWSSecurityTokenServiceClient sts_client = new AWSSecurityTokenServiceClient(
                new ProfileCredentialsProvider("default").getCredentials());
        sts_client.setEndpoint("sts.wasabisys.com"); // Wasabi STS endpoint to generate temporary credentials

        GetSessionTokenRequest session_token_request = new GetSessionTokenRequest();
        session_token_request.setDurationSeconds(900); // Time in seconds for which the credentials are valid

        GetSessionTokenResult session_token_result = sts_client.getSessionToken(session_token_request);
        Credentials session_creds = session_token_result.getCredentials();

        // Temporary access key, secret key and session token returned by STS
        BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(
                session_creds.getAccessKeyId(),
                session_creds.getSecretAccessKey(),
                session_creds.getSessionToken());

        // S3 client that signs its requests with the temporary credentials
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(sessionCredentials))
                .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration("s3.wasabisys.com", "us-east-1"))
                .build();

        String bucketName = "<bucket-name>";
        System.out.println("Creating bucket " + bucketName + "\n");
        s3.createBucket(bucketName);
    }
}

2.  AssumeRole

AssumeRole lets the STS client create temporary credentials by assuming an existing Wasabi role, so you can restrict what the temporary credentials may do before they are created. The STS client that calls AssumeRole must be created with the credentials of a sub-user; AssumeRole cannot be called with the root credentials.

Steps to create STS credentials using AssumeRole:

1) Create a role and put the ARN of the sub-user in the Principal element of the role's trust policy document

Sample trust policy for the role that will be assumed:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "<ARN-OF-THE-USER>"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

2) Attach a policy to the newly created role

Sample policy for the role, which allows List, Get and Put on the specified bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<BUCKETNAME>"
        },
        {
            "Effect": "Allow",
            "Action": [ "s3:GetObject", "s3:PutObject" ],
            "Resource": "arn:aws:s3:::<BUCKETNAME>/*"
        }
    ]
}

3) Assume the role to create STS credentials

Sample code to list the number of objects in a bucket using the AWS Java SDK and AssumeRole:

import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.ObjectListing;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Credentials;

public class sts_creds {

    public static void main(String[] args) {

        // Assume a role to create the STS temporary credentials
        AssumeRoleRequest assume_role = new AssumeRoleRequest()
                .withRoleArn("<ARN-OF-THE-ROLE-TO-BE-ASSUMED>")
                .withRoleSessionName("test-session")
                .withDurationSeconds(900); // Lifetime of the temporary credentials in seconds

        // STS client authenticated with the sub-user's credentials (not the root credentials)
        AWSSecurityTokenServiceClient sts_client = new AWSSecurityTokenServiceClient(
                new ProfileCredentialsProvider("<YOURPROFILECREDENTIALS>").getCredentials());

        // Point it to the Wasabi STS endpoint
        sts_client.setEndpoint("sts.wasabisys.com");

        // Get the credentials and session token
        Credentials session_creds = sts_client.assumeRole(assume_role).getCredentials();

        BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(
                session_creds.getAccessKeyId(),
                session_creds.getSecretAccessKey(),
                session_creds.getSessionToken());

        // Create the S3 client with the temporary credentials
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(sessionCredentials))
                .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration("s3.wasabisys.com", "us-east-1"))
                .build();

        // Perform the bucket list operation
        String bucketName = "<BUCKETNAME>";
        System.out.println("Listing bucket contents " + bucketName + "\n");
        ObjectListing objects = s3.listObjects(bucketName);
        System.out.println("list begin");
        // Counts the keys in the first page of results only; listObjects does not paginate
        System.out.println("No. of Objects = " + objects.getObjectSummaries().size());
    }
}

Note: You can narrow the permissions further by passing a policy (a session policy) with the AssumeRole request. This step is optional; use it only when you want the temporary credentials to carry a subset of the permissions granted by the role's policy. The effective permissions are the intersection of the two policies, so a session policy cannot grant anything the role's policy does not already allow. In this example the policy attached to the role allows List, Get and Put operations on the specified bucket; in the example below the session policy restricts the temporary credentials to List and Get, so a Put operation is not permitted.

import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.ObjectListing;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Credentials;

public class sts_creds {

    public static void main(String[] args) {
        // Create a session policy to restrict the temporary credentials (List and Get only)
        final String policy =
                "{" +
                "  \"Version\": \"2012-10-17\"," +
                "  \"Statement\": [" +
                "    {" +
                "      \"Effect\": \"Allow\"," +
                "      \"Action\": \"s3:ListBucket\"," +
                "      \"Resource\": \"arn:aws:s3:::<BUCKETNAME>\"" +
                "    }," +
                "    {" +
                "      \"Effect\": \"Allow\"," +
                "      \"Action\": [" +
                "        \"s3:GetObject\"" +
                "      ]," +
                "      \"Resource\": \"arn:aws:s3:::<BUCKETNAME>/*\"" +
                "    }" +
                "  ]" +
                "}";

        // Assume a role to create the STS temporary credentials
        AssumeRoleRequest assume_role = new AssumeRoleRequest()
                .withRoleArn("<ARN-OF-THE-ROLE-TO-BE-ASSUMED>")
                .withRoleSessionName("test-session")
                .withDurationSeconds(900); // Lifetime of the temporary credentials in seconds
        assume_role.setPolicy(policy); // Optional: attach a policy to enforce additional restrictions on the temporary credentials

        // STS client authenticated with the sub-user's credentials (not the root credentials)
        AWSSecurityTokenServiceClient sts_client = new AWSSecurityTokenServiceClient(
                new ProfileCredentialsProvider("<YOURPROFILECREDENTIALS>").getCredentials());

        // Point it to the Wasabi STS endpoint
        sts_client.setEndpoint("sts.wasabisys.com");

        // Get the credentials and session token
        Credentials session_creds = sts_client.assumeRole(assume_role).getCredentials();

        BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(
                session_creds.getAccessKeyId(),
                session_creds.getSecretAccessKey(),
                session_creds.getSessionToken());

        // Create the S3 client with the temporary credentials
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(sessionCredentials))
                .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration("s3.wasabisys.com", "us-east-1"))
                .build();

        // Perform the bucket list operation (a PutObject call with these credentials would be denied)
        String bucketName = "<BUCKETNAME>";
        System.out.println("Listing bucket contents " + bucketName + "\n");
        ObjectListing objects = s3.listObjects(bucketName);
        System.out.println("list begin");
        // Counts the keys in the first page of results only; listObjects does not paginate
        System.out.println("No. of Objects = " + objects.getObjectSummaries().size());
    }
}
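To make the session-policy note concrete, here is a small Python model added for this article (not code from the article, and not Wasabi's or AWS's policy evaluator) of how a session policy narrows an assumed role's permissions: a request succeeds only when both the role policy and the session policy allow it, so the session policy can remove permissions but never add any. It embeds the article's two policies with a constructed bucket name, also handles an explicit Deny, and ignores conditions, resource policies and permission boundaries.

```python
import fnmatch
import json

# Role policy from the article, with the <BUCKETNAME> placeholder replaced
# by a constructed bucket name for this illustration.
ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

# Session policy passed via AssumeRoleRequest.setPolicy(): List and Get only.
SESSION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

def _matches(value, patterns):
    # IAM-style '*' and '?' wildcards; Action/Resource may be a string or a list.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy, action, resource):
    """Verdict of one policy document: 'Deny', 'Allow' or 'ImplicitDeny'."""
    verdict = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(action, stmt["Action"]) and _matches(resource, stmt["Resource"]):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            verdict = "Allow"
    return verdict

def session_allows(action, resource, role_policy, session_policy=None):
    """A role session may use a permission only if the role policy allows it
    AND, when a session policy was supplied, that policy allows it as well."""
    verdicts = [evaluate(role_policy, action, resource)]
    if session_policy is not None:
        verdicts.append(evaluate(session_policy, action, resource))
    return all(v == "Allow" for v in verdicts)
```

With the role policy alone, s3:PutObject on an object in the bucket is allowed; with the session policy attached it is not, and a session policy that tries to grant s3:* still cannot add anything the role does not grant.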