Yarkon Cloud with a Compatible S3 Provider

This document walks you through the steps required to set up Yarkon Cloud with an S3 compatible storage provider, such as Ceph or Wasabi. It highlights the differences in the setup compared to the generic AWS S3 setup. Make sure to review the Getting Started manual before proceeding with this document.

Depending on the capabilities of your storage provider, some of the features available to AWS S3 users may not be available when using a compatible provider.

Provider Details

The first step is to set up the proper connection information for your provider. Use the Yarkon Admin Console, Administration page, Provider tab to specify the below details:

  • Check the S3 Compatible radio option.
  • Enter a Name for your provider. It can be any name, and will be displayed to your end users in the client interface.
  • Select the Region from the drop down. If your provider does not require a region, use the default one, which is us-east-1.
  • Optionally add an Image for your provider. It will be shown to the end users in the client interface. Acceptable image format is any public URL, or a CSS/data:image compatible format such as svg+xml etc.
  • Specify the End Point for your provider. This would be the URL the client application would use for storage API access.
  • Optionally specify the IAM End Point and the STS End Point of your provider. This is required if either of them is different from the End Point you entered above. If they are the same, you can skip these.

The below image shows how the Yarkon Admin Console page would look when set up with Wasabi, a popular compatible S3 provider.

Permissions

Follow the instructions provided by your provider to set up the access policies. At the very least, the access policy must be similar to this generic one used with AWS S3:

{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "AllowAllS3Actions",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::*"
        }, {
            "Sid": "AllowUIToDisplayIAMOptions",
            "Effect": "Allow",
            "Action": [
                "iam:List*",
                "iam:Get*"
            ],
            "Resource": "arn:aws:iam::<account-number>:*"
        }, {
            "Sid": "AllowTheRoleToGetPermissions",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<account-number>:role/yarkons3-console-role"
        }, {
            "Sid": "AllowTheRoleToFederate",
            "Effect": "Allow",
            "Action": [
                "sts:GetFederationToken"
            ],
            "Resource": "arn:aws:sts::<account-number>:*"
        }
    ]
}

Make sure to replace the <account-number> with your account number.

Details (see the Sid attributes for reference):

AllowAllS3Actions – allows the Yarkon Cloud full access to S3. If you want to limit the usage of Yarkon in your organization to a predefined set of buckets, replace the statement with the below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowServerToIterateBuckets",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "AllowServerToAccessSpecificBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::yarkons3-finance",
                "arn:aws:s3:::yarkons3-sales"
            ]
        },
        {
            "Sid": "AllowUserActionsLimitedToSpecificBuckets",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::yarkons3-finance/*",
                "arn:aws:s3:::yarkons3-sales/*"
            ]
        }
    ]
}

AllowUIToDisplayIAMOptions – only required when using Federated or Integrated security models. The Yarkon Cloud does not need IAM access when set to use the Shared security model. This setting has no impact on the permissions granted to end users. If you only intend to use the Shared model, you can remove it.

AllowTheRoleToGetPermissions – only required when using the Integrated security model. You can remove it if using any of the other models. Also, the role name specified, yarkons3-console-role, assumes this is the name you’d be using for the IAM role required (see below). If you choose a different name, make sure to update it here.

AllowTheRoleToFederate – only required when using the Federated security model. You can remove it if using any of the other models.
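The Sid notes above amount to a per-model trimming rule, shown here as an added example (not Yarkon's own code) that builds the smallest policy for a chosen security model and flags statements an existing policy no longer needs. The function names, the lowercase model strings and the account number 123456789012 are assumptions made for illustration.

```python
import json

# Optional statements and the security models that need them (per the Sid notes above).
NEEDED_BY = {
    "AllowUIToDisplayIAMOptions": {"federated", "integrated"},
    "AllowTheRoleToGetPermissions": {"integrated"},
    "AllowTheRoleToFederate": {"federated"},
}

def s3_statements(buckets):
    """Full S3 access, or the three bucket-scoped statements when buckets are listed."""
    if not buckets:
        return [{"Sid": "AllowAllS3Actions", "Effect": "Allow",
                 "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]
    arns = [f"arn:aws:s3:::{b}" for b in buckets]
    return [
        {"Sid": "AllowServerToIterateBuckets", "Effect": "Allow",
         "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
        {"Sid": "AllowServerToAccessSpecificBuckets", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": arns},
        {"Sid": "AllowUserActionsLimitedToSpecificBuckets", "Effect": "Allow",
         "Action": "s3:*", "Resource": [a + "/*" for a in arns]},
    ]

def build_policy(model, account, buckets=None, role="yarkons3-console-role"):
    """Policy for one security model: 'shared', 'federated' or 'integrated'."""
    model = model.lower()
    if model not in ("shared", "federated", "integrated") or not account or "<" in account:
        raise ValueError("need a known security model and a real account number")
    optional = [
        {"Sid": "AllowUIToDisplayIAMOptions", "Effect": "Allow",
         "Action": ["iam:List*", "iam:Get*"], "Resource": f"arn:aws:iam::{account}:*"},
        {"Sid": "AllowTheRoleToGetPermissions", "Effect": "Allow",
         "Action": "sts:AssumeRole", "Resource": f"arn:aws:iam::{account}:role/{role}"},
        {"Sid": "AllowTheRoleToFederate", "Effect": "Allow",
         "Action": ["sts:GetFederationToken"], "Resource": f"arn:aws:sts::{account}:*"},
    ]
    kept = [s for s in optional if model in NEEDED_BY[s["Sid"]]]
    return {"Version": "2012-10-17", "Statement": s3_statements(buckets) + kept}

def unneeded_sids(policy, model):
    """Sids in an existing policy that the chosen model does not require."""
    return [s["Sid"] for s in policy["Statement"]
            if s.get("Sid") in NEEDED_BY and model.lower() not in NEEDED_BY[s["Sid"]]]

if __name__ == "__main__":
    # Constructed sample: placeholder account number, bucket name taken from the page.
    print(json.dumps(build_policy("shared", "123456789012", ["yarkons3-finance"]), indent=4))
```

Running `unneeded_sids` against the policy currently attached on the provider side shows which statements can be dropped after switching security models.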

For more information about the access policies used by Yarkon, please review this document Set up the IAM role and policies.

As an example, at the bottom of the page we provide a walk through of steps required on the provider side when using Wasabi.

Access Key

Follow the instructions provided by your provider to get the API Access Key.

Once you have the Access Key, enter it into the Access page in the Yarkon Admin Console.

As an example, at the bottom of the page we provide a walk through of steps required on the provider side when using Wasabi.

Features

As mentioned above, some of the features available to users of AWS S3 might not be available when using other storage providers. Use the Features page of the Yarkon Admin Console to turn off features that are not supported.

Example Set Up

As an example for how to set up Yarkon with an S3 compatible provider, review the following walk-through: Getting Started with Yarkon Cloud for Wasabi. Setting up any other S3 compatible provider would require following the same steps, with the appropriate changes due to the differences between the providers.