Dell ObjectScale 1.3 Administration Guide

Create and configure an account and an IAM role

About this task

NOTE: The $OSR_ROLE_ARN value in the replication configuration can be any valid service role ARN. Create an IAM role and give it permission to enable replication.

Steps

  1. Create a global account.
    1. Set the environment variables and display the Account ID:
      IAMSVC_ENDPOINT=$(kubectl get svc | awk '/-iam\s/{print $3}' )
      FEDSVC_ENDPOINT=$(kubectl get svc | awk '/fedsvc\s/{print $3}' )
      TOKEN=$(curl -ik -u root:ChangeMe http://$FEDSVC_ENDPOINT:9500/mgmt/login  | awk '/X-SDS-AUTH-TOKEN/{print $2; exit}')
      TOKEN=${TOKEN//[$'\r\n']}
    2. Create the account and display the Account ID.
      ACCOUNT_ID=$(curl -X POST http://${IAMSVC_ENDPOINT}:9400/iam?'Action=CreateAccount' -H "X-SDS-AUTH-TOKEN:$TOKEN" -v | xmllint --format -  | grep 'AccountId' | sed 's/<AccountId>\(.*\)<\/AccountId>/\1/g' |sed -e 's/^[ \t]*//')
      # output: ACCOUNT_ID="a7bf6bfe35ac4277a1a8857da98b3226"
    3. Add the new account to the object store.
       
      ENDPOINT=$(kubectl get svc | awk '/-management-gateway/{print $3}' )
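      # ENCRYPTION and COMPLIANCE must already be set in this shell; the heredoc expands them.
      # Overwrite (>) rather than append (>>) so a re-run does not leave two XML documents in the file.
      cat > $HOME/tenant_creation.xml << EOF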
      <?xml version="1.0" encoding="UTF-8"?>
      <tenant_create>
         <account_id>$ACCOUNT_ID</account_id>
         <is_encryption_enabled>$ENCRYPTION</is_encryption_enabled>
         <is_compliance_enabled>$COMPLIANCE</is_compliance_enabled>
         <alias>test</alias>
      </tenant_create>
      
      EOF
      curl -vks \
           -X POST \
           -H "X-SDS-AUTH-TOKEN:$TOKEN" \
           -H "Content-Type: application/xml" \
           -H "X-EMC-Override: true" \
           -T $HOME/tenant_creation.xml \
      https://${ENDPOINT}:4443/object/tenants/tenant |xmllint --format -; echo
  2. Create an IAM role under the global account.
    1. Set the environment variables for the new role name:
      OSR_ROLE_NAME="osrRole2"
    2. Create an IAM role under the global account.
      OSR_ROLE_ARN=$(curl http://${IAMSVC_ENDPOINT}:9400/iam?'Action=CreateRole&RoleName='$OSR_ROLE_NAME'&MaxSessionDuration=43200&AssumeRolePolicyDocument=%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service%22%3A%22crr.objscale.dell.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D' -H "x-emc-namespace:$ACCOUNT_ID" -H "X-SDS-AUTH-TOKEN:$TOKEN" -v | xmllint --format - | grep 'Arn' | sed 's/<Arn>\(.*\)<\/Arn>/\1/g' |sed -e 's/^[ \t]*//')
      # output: OSR_ROLE_ARN="urn:osc:iam::a7bf6bfe35ac4277a1a8857da98b3226:role/osrRole2"
      The AssumeRolePolicyDocument is URL-encoded JSON. Decoded, it reads:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "crr.objscale.dell.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
      This policy allows the ObjectScale Replication services to assume this role.
  3. Create a policy to attach to a role.
    1. Set the environment variables for the new policy name:
      OSR_POLICY_NAME="osrPolicy"
    2. Create a policy to attach to a role.
      OSR_POLICY_ARN=$(curl http://${IAMSVC_ENDPOINT}:9400/iam?'Action=CreatePolicy&PolicyName='$OSR_POLICY_NAME'&PolicyDocument=%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%22s3%3A*%22%2C%22Resource%22%3A%5B%22*%22%5D%7D%5D%7D' -H "x-emc-namespace:$ACCOUNT_ID" -H "X-SDS-AUTH-TOKEN:$TOKEN" -v | xmllint --format - | grep 'Arn' | sed 's/<Arn>\(.*\)<\/Arn>/\1/g' |sed -e 's/^[ \t]*//')
      The policy allows permissions on all S3 actions:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
              "*"
            ]
          }
        ]
      }
  4. Attach the policy to a role.
    NOTE: The role has the permission only after you have attached the policy to it.
    curl http://${IAMSVC_ENDPOINT}:9400/iam?'Action=AttachRolePolicy&RoleName='$OSR_ROLE_NAME'&PolicyArn='$OSR_POLICY_ARN -H "x-emc-namespace:$ACCOUNT_ID" -H "X-SDS-AUTH-TOKEN:$TOKEN" -v | xmllint --format -
    The role can now be used as a replication role in replication configuration.
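
The policy documents in steps 2 and 3 are submitted as hand-encoded query parameters, so the string actually sent can drift from the JSON that was reviewed. The following added example (not part of the Dell guide) generates the encoded parameter from readable JSON in POSIX shell. The helper names compact_json, urlencode and encode_policy are hypothetical, and the policy text is assumed to be ASCII.

```shell
# Strip whitespace that sits outside JSON string literals.
compact_json() {
  awk '{
    n = length($0)
    for (i = 1; i <= n; i++) {
      c = substr($0, i, 1)
      if (q) {                       # inside a string: copy verbatim
        out = out c
        if (esc) esc = 0
        else if (c == "\\") esc = 1
        else if (c == "\"") q = 0
      } else if (c == "\"") { q = 1; out = out c }
      else if (c != " " && c != "\t" && c != "\r") out = out c
    }
  } END { printf "%s", out }'
}

# Percent-encode ASCII text. A-Z a-z 0-9 - . _ ~ * are left as-is, which
# reproduces the encoded strings shown in the guide. The body runs in a
# subshell so its variables stay local.
urlencode() (
  LC_ALL=C; export LC_ALL
  s=$1 out=
  while [ -n "$s" ]; do
    rest=${s#?}          # everything after the first character
    c=${s%"$rest"}       # the first character itself
    case $c in
      [A-Za-z0-9._~*-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
)

# Readable JSON in, query-parameter value out.
encode_policy() { urlencode "$(printf '%s\n' "$1" | compact_json)"; }

# The trust policy from step 2, kept readable for review.
TRUST_POLICY='{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Principal": { "Service": "crr.objscale.dell.com" },
      "Action": "sts:AssumeRole" }
  ]
}'
printf '%s\n' "$(encode_policy "$TRUST_POLICY")"
```

The output can be used as the value of AssumeRolePolicyDocument= or PolicyDocument= in the curl commands above, and it can be diffed against the literal in a copied command before that command is run.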
