Yarkon Cloud

Quick start guide

In the following, we show the quickest way to get started with Yarkon Cloud. Once you get Yarkon to work, you can revisit the steps in this quick-start guide, and make the proper adjustments to get the best fit for your particular situation.

1. FREE Sign up

You should always start with the FREE Tier, so you can experience the product and ensure it is a good fit for your use case.

Use the Sign Up page to get started. When the one-step sign-up process is done, you should see the overview page of the Yarkon Admin Console application.

2. Create test S3 buckets

For the purpose of this quick start guide, let's create a couple of test buckets. We want to create two of them, so we can later show you how to control bucket visibility for different users. So head over to your AWS Console and create the two test buckets.

We named our buckets:

  • yarkon-quick-start-bucket-a
  • yarkon-quick-start-bucket-b

Note that bucket names in S3 are globally unique, so you need to come up with your own bucket names. We suggest you simply use your company name as a prefix. Later, we will show you how you can use Yarkon to change the display name of your buckets.

3. Add an IAM policy

Yarkon gets its permissions through IAM policies. It will never allow any end user more than the policy allows; as Yarkon only uses the AWS API to communicate with the AWS backend, it can never perform an action not explicitly allowed by the administrator. The administrator has full control over the permissions granted, and the flexibility is similar to what AWS IAM supports.

From the AWS Admin Console, go to the IAM service and create a policy, using the JSON code below for the permissions. Just make sure to replace our sample bucket names with yours. We named the policy yarkon-admin-policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowServerToIterateBuckets",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        }, {
            "Sid": "AllowServerToAccessSpecificBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetBucketCORS",
                "s3:PutBucketCORS"
            ],
            "Resource": [
                "arn:aws:s3:::yarkon-quick-start-bucket-a",
                "arn:aws:s3:::yarkon-quick-start-bucket-b"
            ]
        }, {
            "Sid": "AllowUserActionsLimitedToSpecificBuckets",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::yarkon-quick-start-bucket-a/*",
                "arn:aws:s3:::yarkon-quick-start-bucket-b/*"
            ]
        }
    ]
}

The policy explained:

  • AllowServerToIterateBuckets - allow the Yarkon server to see the buckets in the account. If you prefer, you can also specify the buckets.
  • AllowServerToAccessSpecificBuckets - allow Yarkon to list the contents of the specifically listed buckets. The CORS related permissions are optional, but they make the next steps simpler.
  • AllowUserActionsLimitedToSpecificBuckets - allow the user to interact with the bucket. In this Getting Started Guide we give the user full permissions, but we will show you later how to limit that if you want.

4. Add a user

From the AWS Admin Console, using the IAM service, create a user. We named ours yarkon-admin-user. Do not provide this user access to the AWS Management Console. For the user's permissions, directly attach the policy we created in the previous step, named yarkon-admin-policy.

Once the user is created, create an access key. The use case is "Application running on an AWS compute service". Keep the Access key and Secret access key generated, or download the csv file to a safe location.

5. Set up the keys

We are done with the AWS prep work. Go back to the Yarkon Admin Console, and in the Administration page, Access tab, enter the keys you just got. For now, keep the security model as Shared; we will get to other security models later. When done, click the Validate button. If all is well, you will be able to save the keys and continue to the next step.

6. Update CORS

Before we can use Yarkon to access S3, we need to update CORS for the buckets. For more on CORS and why it is needed, read this guide.

From the Buckets page, select the test buckets you created before, then click the Update CORS button in the toolbar. Review and confirm the change.

7. Log in as a User

Browse to https://app.yarkons3.com/ to log in, using the username and password you created during set up. If all goes well, you should now see the client application, with the two buckets you created, ready for action.

8. Upload a file

To check out Yarkon, upload a test file. Simply click the Upload button, choose any file, and see that it is uploaded. Once the file is successfully uploaded, you can see it in the main view, as well as its content in the preview pane.

You can use Yarkon like any familiar file explorer interface.

9. Add test users

Go back to Yarkon Admin Console, using the URL https://app.yarkons3.com/console/, and add a couple of test users.

From the Users page, click Add and fill in the details. You don't need to use real emails for these test users, but make sure to specify the password so that you can log in as these users in the next steps. We named our test users:

  • Yarkon Test A, with the email: yarkon.test.a@yarkons3.com
  • Yarkon Test B, with the email: yarkon.test.b@yarkons3.com

Of course, use your domain name instead of yarkons3.com.

Verify that the test users can log in, by browsing to https://app.yarkons3.com/ and using the credentials of one of them. When you log in as a test user, you should be able to see both buckets.

10. Limit access

In most cases, you would want to limit the buckets a user can access. In this tutorial, we will allow the user named Yarkon Test A to access only the bucket yarkon-quick-start-bucket-a, and similarly, the user named Yarkon Test B to access only the bucket yarkon-quick-start-bucket-b.

To make that happen, we need to create a couple of IAM groups, an IAM role, and update the IAM policy.

Head back to the AWS Console, and from the IAM service, create a group named yarkon-group-bucket-a, and use the following policy for it (you can either create the policy and attach it, or inline it in the group):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowServerToAccessSpecificBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::yarkon-quick-start-bucket-a"
        }, {
            "Sid": "AllowUserActionsLimitedToSpecificBuckets",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::yarkon-quick-start-bucket-a/*"
        }
    ]
}

Repeat the same steps for the other test bucket.
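One way to check, before attaching it, that the group policy above gives the isolation this step is after (an added example, not part of the Yarkon guide or product). It is a simplified model of IAM identity-policy evaluation that handles only Effect, Action and Resource with `*` and `?` wildcards; the probe list, the object key test.txt and the bucket name ending in -archive are constructed for illustration.

```python
import json
import re

# yarkon-group-bucket-a policy from step 10 (condensed formatting, same content).
GROUP_A = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowServerToAccessSpecificBuckets", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": "arn:aws:s3:::yarkon-quick-start-bucket-a"},
    {"Sid": "AllowUserActionsLimitedToSpecificBuckets", "Effect": "Allow",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::yarkon-quick-start-bucket-a/*"}
  ]}""")

# Constructed probes: (action, ARN template); "{b}" is replaced by a bucket name.
PROBES = [("s3:ListBucket", "arn:aws:s3:::{b}"),
          ("s3:GetObject", "arn:aws:s3:::{b}/test.txt"),
          ("s3:DeleteObject", "arn:aws:s3:::{b}/test.txt"),
          ("s3:PutBucketCORS", "arn:aws:s3:::{b}"),
          ("s3:DeleteBucket", "arn:aws:s3:::{b}")]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, flags=0):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags) is not None

def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow; default is deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if stmt.keys() & {"Condition", "NotAction", "NotResource"}:
            raise ValueError("statement element not handled by this sketch")
        hit = (any(_wild(a, action, re.IGNORECASE) for a in _as_list(stmt["Action"]))
               and any(_wild(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def granted(policy, bucket):
    """Return the probe actions the policy allows on the given bucket."""
    return [a for a, arn in PROBES if is_allowed(policy, a, arn.format(b=bucket))]

if __name__ == "__main__":
    for name in ("yarkon-quick-start-bucket-a", "yarkon-quick-start-bucket-b",
                 "yarkon-quick-start-bucket-a-archive"):  # last name is constructed
        print(name, granted(GROUP_A, name))
```

Because the `s3:*` statement is scoped to the object ARN (`.../*`), it grants object actions only; bucket-level actions such as `s3:DeleteBucket` or `s3:PutBucketCORS` are not granted by this group policy.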

Edit the policy yarkon-admin-policy, adding the required IAM permissions. Use the following JSON; the difference is the two top statements. Make sure to replace the placeholders with your AWS account ID (you can get it from the top level menu).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowServerToIterateIAMEntities",
            "Effect": "Allow",
            "Action": [
                "iam:Get*",
                "iam:List*"
            ],
            "Resource": "arn:aws:iam::<aws-account-id>:*"
        }, {
            "Sid": "AllowServerToAssumeRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<aws-account-id>:role/yarkon-admin-role"
        }, {
            "Sid": "AllowServerToIterateBuckets",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        }, {
            "Sid": "AllowServerToAccessSpecificBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetBucketCORS",
                "s3:PutBucketCORS"
            ],
            "Resource": [
                "arn:aws:s3:::yarkon-quick-start-bucket-a",
                "arn:aws:s3:::yarkon-quick-start-bucket-b"
            ]
        }, {
            "Sid": "AllowUserActionsLimitedToSpecificBuckets",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::yarkon-quick-start-bucket-a/*",
                "arn:aws:s3:::yarkon-quick-start-bucket-b/*"
            ]
        }
    ]
}

Proceed to create the IAM role. The "Trusted entity type" is "AWS account". For the permissions, use the policy we just created, yarkon-admin-policy. Name your role yarkon-admin-role.

The Trust Relationship should be properly generated for you, but make sure that it looks like so:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<aws-account-number>:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Next, we need to update the security model in Yarkon, and tell Yarkon which user should belong to which IAM group.

Go back to Yarkon Admin Console, and open the Administration page, Access tab. You might need to re-enter your Secret Access Key. Change the Security Model to Integrated and select the role you created before, yarkon-admin-role. Then click the Validate button to make sure all is in order.

Go to the Users page. For the user named Yarkon Test A, click the Edit menu option (you can see it if you click the down arrow Actions button next to the user's name), and in the Details form, choose the IAM type "Group" and pick the group yarkon-group-bucket-a from the drop down list. Save your changes and dismiss the form. You can use the Action menu View Buckets to verify which buckets this user can access. Repeat for the user Yarkon Test B, using the respective IAM group.

Finally, log in to Yarkon as this user: browse to https://app.yarkons3.com/ and use the credentials of Yarkon Test A to log in. You should only see the bucket yarkon-quick-start-bucket-a.

Mission accomplished.

Next Steps

Now that you have your Yarkon running, you can proceed to check out the following topics:

  • Learn more about the basic and advanced features of Yarkon.

  • Customize the look and feel of Yarkon to match your brand, and control which Features are available to the end users.

Once you are ready to take it to the next level, read all about Yarkon's Security models and then apply that to address different permission scenarios.

Start with the guide detailing how to update the IAM policies to support more advanced use cases. Then, check out any of the following that might apply to your use case: