Yarkon Docker with Wasabi

A common use case for running Yarkon Server in Docker is a non-EC2 environment with S3 compatible storage. The following example shows the docker-compose file used to run Yarkon Server as a front end to Wasabi; the setup should be similar for other S3 compatible storage providers.

Permissions

Follow the instructions provided by your provider to set up the access policies. At the very least, the access policy must be similar to this generic one used with AWS S3:

{
    "Version": "2012-10-17",
    "Statement": [
    {
        "Sid": "AllowAllS3Actions",
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::*"
    },
    {
        "Sid": "AllowUIToDisplayIAMOptions",
        "Effect": "Allow",
        "Action": [
            "iam:List*",
            "iam:Get*"
        ],
        "Resource": "arn:aws:iam::<account-number>:*"
    },
    {
        "Sid": "AllowTheRoleToGetPermissions",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<account-number>:role/yarkon-console-role"
    },
    {
        "Sid": "AllowTheRoleToFederate",
        "Effect": "Allow",
        "Action": [
            "sts:GetFederationToken"
        ],
        "Resource": "arn:aws:sts::<account-number>:*"
    }]
}

Make sure to replace the <account-number> with your account number.

Details (see the Sid attributes for reference):

AllowAllS3Actions - allows Yarkon full access to S3. If you want to limit the use of Yarkon in your organization to a predefined set of buckets, replace the statement with the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowServerToIterateBuckets",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "AllowServerToAccessSpecificBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::yarkons3-finance",
                "arn:aws:s3:::yarkons3-sales"
            ]
        },
        {
            "Sid": "AllowUserActionsLimitedToSpecificBuckets",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::yarkons3-finance/*",
                "arn:aws:s3:::yarkons3-sales/*"
            ]
        }
    ]
}

AllowUIToDisplayIAMOptions - only required when using Federated or Integrated security models. Yarkon does not need IAM access when set to use the Shared security model. This setting has no impact on the permissions granted to end users. If you only intend to use the Shared model, you should remove it.

AllowTheRoleToGetPermissions - only required when using the Integrated security model. You can remove it if using any of the other models. Also, the role name specified, yarkon-console-role, assumes that this is the name you use for the required IAM role (see below). If you choose a different name, make sure to update it here.

AllowTheRoleToFederate - only required when using the Federated security model. You can remove it if using any of the other models.

For more information about the access policies used by Yarkon, please review the document Set up the IAM role and policies.

The most generic policy - that is, one that would work for all security models - is:

{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "AllowAllS3Actions",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::*"
        }, {
            "Sid": "AllowUIToDisplayIAMOptions",
            "Effect": "Allow",
            "Action": [
                "iam:List*",
                "iam:Get*"
            ],
            "Resource": "*"
        }, {
            "Sid": "AllowTheRoleToGetPermissions",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<account-number>:role/yarkon-console-role"
        }
    ]
}
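The per-Sid notes above say which statements each security model needs, and the bucket-scoped variant shows how to avoid granting s3:* on every bucket. The following is an added example, not part of Yarkon's documentation: a small policy linter that reports statements not needed for the chosen security model, an unreplaced <account-number> placeholder, and overly broad S3 or IAM grants. The function and constant names are my own; the Sid names and the sample policy are taken from this page.

```python
import json

# Sid -> security models that actually need that statement (from the notes on this page)
SID_REQUIRED_FOR = {
    "AllowAllS3Actions": {"Shared", "Federated", "Integrated"},
    "AllowUIToDisplayIAMOptions": {"Federated", "Integrated"},
    "AllowTheRoleToGetPermissions": {"Integrated"},
    "AllowTheRoleToFederate": {"Federated"},
}

def lint_policy(policy_json: str, model: str) -> list:
    """Return a list of findings (strings) for the given policy and security model."""
    findings = []
    if "<account-number>" in policy_json:
        findings.append("placeholder <account-number> has not been replaced")
    policy = json.loads(policy_json)
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        needed_by = SID_REQUIRED_FOR.get(sid)
        if needed_by is not None and model not in needed_by:
            findings.append(f"{sid}: not needed for the {model} model; remove it")
        # Full S3 access on every bucket works for a quick start, but the page
        # shows how to scope access to a predefined set of buckets instead.
        if "s3:*" in actions and "arn:aws:s3:::*" in resources:
            findings.append(f"{sid}: grants s3:* on all buckets; consider scoping to specific buckets")
        if any(a.startswith("iam:") for a in actions) and "*" in resources:
            findings.append(f"{sid}: IAM read access on Resource '*'; scope it to your account ARN")
    return findings

# Constructed sample: the page's "most generic" policy, with the account number left as a placeholder
GENERIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAllS3Actions", "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"},
        {"Sid": "AllowUIToDisplayIAMOptions", "Effect": "Allow", "Action": ["iam:List*", "iam:Get*"], "Resource": "*"},
        {"Sid": "AllowTheRoleToGetPermissions", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::<account-number>:role/yarkon-console-role"},
    ],
})

if __name__ == "__main__":
    for finding in lint_policy(GENERIC_POLICY, "Shared"):
        print("-", finding)
```

Run it with the model you plan to deploy; for the Shared model it reports the two IAM/STS statements as unnecessary along with the placeholder and the broad grants.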

Trust Policy

When using the Integrated Security model, a Trust Policy is required. For more details, review the policies document. The Trust Policy for Wasabi should be set like this:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAssumeRole",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::<account-number>:root"
        },
        "Action": "sts:AssumeRole"
    }]
}

Access Key

Follow the instructions provided by Wasabi to get the API Access Key. Keep it for the next step in the setup.

Docker Setup

Use the following docker compose configuration to run Yarkon Docker with Wasabi:

version: "3.2"

# We use "xyz" to denote the version number used. For instance, if you are using
# Yarkon version 4.5.1, "xyz" would be "451". You can use another naming convention
# if you prefer. Explicitly defining the version number in the image tag and
# volumes ensures that upgrades can be done sequentially and you can always restore
# a previous version.

services:
  server:
    image: "yarkon/server:x.y.z"  # Use the correct tag here (or latest)
    ports:
      # Map the port of the host to the one used by Yarkon
      - "80:8000"
    environment:
      # If using an S3 compatible provider, these variables should be provided.
      # In this example, showing Wasabi
      PROVIDER_END_POINT: "https://s3.wasabisys.com"
      PROVIDER_STS_END_POINT: "https://iam.wasabisys.com"   # Will default to PROVIDER_END_POINT if not specified
      PROVIDER_IAM_END_POINT: "https://iam.wasabisys.com"   # Will default to PROVIDER_END_POINT if not specified
      PROVIDER_NAME: "Wasabi"
      PROVIDER_IMAGE: ""

      # Sample Wasabi credentials (placeholders; replace with the Access Key obtained in the previous step)
      AWS_ACCESS_KEY_ID: "EXAMPLE30JHVFEXAMPLE"
      AWS_SECRET_ACCESS_KEY: "exampleMfEP1yElpH9kWEUmSVdbDcyl5Wexample"
      AWS_REGION: "us-east-1"

    volumes:
      - dbdata_xyz:/var/app/current/database
      - yarkon_xyz:/var/app/current/public/yarkon
      - license:/var/app/current/.lic
      # Map the /var/log folder on the host to the log folder. Note that this gives the
      # container write access to the whole of the host's /var/log; a dedicated host
      # directory can be mapped instead if you prefer to keep the container's logs separate.
      - /var/log:/var/app/current/log
volumes:
  dbdata_xyz:
  yarkon_xyz:
  license:

Features

As mentioned before, some of the features available to users of AWS S3 might not be available when using other storage providers. Use the Features page of the Yarkon Admin Console to turn off features that are not supported.