Getting Started with Yarkon Cloud for Wasabi

Yarkon Cloud is not hard to set up, but it does require some effort. We estimate that a novice admin should take about 15-20 minutes to get it up and running. If your organization is already set up, the process takes less time.

The setup requires these steps:

  1. Set up the security credentials.
  2. Subscribe to Yarkon.
  3. Add user accounts.

For step-by-step instructions, keep following this illustrated guide.

Set up the security credentials

Yarkon is fully integrated with the Identity and Access Management (IAM) service, offering two options for this integration – the Shared Security Model and the Integrated Security Model. As the name suggests, the Shared option is ideal when all end users are granted the same permissions to S3 buckets. If you need to grant different levels of permissions to different users or groups of users, you will need to opt for the Integrated option. For more about the security models, see Yarkon – Security Models.

In this Getting Started guide, we are going to set up the Shared Security Model, as it is considerably easier to implement. Once you get it to work, you can easily go back to the admin portal and implement the more involved Integrated Security Model and update the settings in the Yarkon Admin Console.

For the Yarkon Admin Console server to be able to access your Wasabi storage and other services, it has to be authenticated and authorized. The proper way to handle this is to assign a dedicated Wasabi user to the task and attach to that user a policy defining the permissions granted to it. These permissions should allow the server to perform the set of actions needed.

The Wasabi access keys you are about to provision in the next step are used by the Yarkon Admin Console only. They are never shared with the end users. End users only get short-lived temporary access credentials that are based on the permissions granted to these access keys.
You will only need to use these access credentials once, during the setup of Yarkon, as described later on in this guide.

We start with creating the policy:

  1. Sign in to the Wasabi Management Console and open the IAM tab.
  2. In the navigation pane, choose Policies.
  3. Click the button Create Policy.
  4. For the policy name use yarkons3-user-policy, or any other name you prefer. Add an informative description like “Policy for Yarkon Admin Console”.
  5. Copy and paste the policy document below.
  6. When done and after verifying that the policy is valid, click the Save button.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}

Important: The above policy allows full access to all buckets. If you want to limit access to specific buckets, change the Resource lines.
For instance, if you want to allow access to the buckets yarkons3-finance and yarkons3-sales, change the policy to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::yarkons3-finance",
                "arn:aws:s3:::yarkons3-sales"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:DeleteObject",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload"
            ],
            "Resource": [
                "arn:aws:s3:::yarkons3-finance/*",
                "arn:aws:s3:::yarkons3-sales/*"
            ]
        }
    ]
}
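Added example (not part of the original guide or Yarkon's own code): a Python helper that builds the bucket-scoped policy shown above for any list of bucket names, and flags statements as broad as the first, full-access policy. The function names are assumptions made for this example.

```python
import json

# Actions copied from the guide's bucket-scoped policy.
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl",
                  "s3:DeleteObject", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"]
ALL_BUCKETS = "arn:aws:s3:::*"


def scoped_policy(buckets):
    """Build the guide's three-statement policy for the given bucket names."""
    # Reject empty input and names containing ARN wildcards or a path separator.
    bad = [b for b in buckets if not b or any(c in b for c in "*?/")]
    if not buckets or bad:
        raise ValueError(f"need literal bucket names, got {buckets!r}")
    arns = [f"arn:aws:s3:::{b}" for b in buckets]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": ALL_BUCKETS},
            {"Effect": "Allow", "Action": BUCKET_ACTIONS, "Resource": arns},
            {"Effect": "Allow", "Action": OBJECT_ACTIONS, "Resource": [a + "/*" for a in arns]},
        ],
    }


def _as_list(value):
    # Policy documents allow a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)


def broad_statements(policy):
    """Return indexes of Allow statements that use a wildcard action, or that
    grant anything other than s3:ListAllMyBuckets on every bucket."""
    hits = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wildcard_action = any("*" in a for a in actions)
        every_bucket = any(r in ("*", ALL_BUCKETS) for r in resources)
        if wildcard_action or (every_bucket and actions != ["s3:ListAllMyBuckets"]):
            hits.append(i)
    return hits


if __name__ == "__main__":
    print(json.dumps(scoped_policy(["yarkons3-finance", "yarkons3-sales"]), indent=4))
```

Run it to print a policy document ready to paste into the Create Policy form; `broad_statements` returns an empty list for that output and `[0]` for the full-access policy.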

Next, we need to create a user.

  1. In the navigation pane, choose Users.
  2. Click the button Create User.
  3. For the user name use yarkons3-user, or any other name you prefer.
  4. Make sure the Programmatic Access checkbox is checked, then click the Next button.
  5. We are not using a group in this case, so skip the Groups step by clicking the Next button.
  6. In the Policies step, enter the name of the policy you created before; in our case, it was yarkons3-user-policy.
  7. Click the Next button to proceed.
  8. Use the Review step to verify that all is well, then click the Create User button.
  9. The user will be created, and the API Key will be created as well. In the confirmation form displayed, you can access the API Key details.
  10. Make sure to Download the CSV file and save it in a safe place. You will not have another opportunity to get the API Key credentials.
  11. Once you have the CSV file, click the Close button.

Subscribe to Yarkon

Browse to the Admin Console of Yarkon Cloud, using https://ce-wasabi.yarkons3.com. As this is the first time you are accessing the service, use the Sign Up Now! link, next to the Login Now button.

The setup is a wizard-like, step-by-step experience that guides you through the steps required to set your company up with a Yarkon subscription.

Account Details

Go through the Welcome screen and click the Next button to proceed. In the Contact Details, enter your contact details and the email address you’d like to associate with this account. Note that Yarkon uses your email as a uniquely identifying username for logging in to the system. When your user account is created, a temporary password will be generated for you by the system and sent to this email address, so make sure to use a valid one.

IAM Integration

Next, you tell Yarkon how to access your Wasabi Account.

In the Access Keys form, enter the API Access Keys you created before and downloaded into the CSV file. You can optionally use the Validate button to verify that the access keys you entered could be used by Yarkon. If the keys are invalid for whatever reason, Yarkon will provide feedback to help you resolve the issue.

Choose the Security Model you would like to use. For more details, please review this document. If you are just starting with IAM, it is recommended that you start with the simpler Shared Security Model. You can always change it later – see the document on how to set up Yarkon Cloud for integrated security.

If you choose the Integrated Security Model, you will have to choose the IAM role you would use for this IAM integration from the drop-down. For more details, please review the aforementioned document, and specifically the section describing how to create a role. The easiest way to ensure the API Access keys you use here have sufficient permissions for this IAM integration is to attach the policy you created for the role to these keys (specifically, the required IAM permission is ListRoles).

When you are done with the keys, move to the next step – S3 Region – and choose from the drop-down the region you use. While the Yarkon client application would work with any region choice you make here, it is preferable to choose the region where most of your buckets are hosted. If you are unsure, use the default which is US Standard.

Review & Setup

The final step of the process is used for verification. Review the details displayed to ensure all are correct. If you want to make changes, you can use the Update button available for each section. When done, click the Done button to have the system proceed to create your administrator user account and set up Yarkon for your Wasabi account.

The system might take a moment to complete the registration after going through some back-end validation process. After it completes, it will send an email with your login credentials to the address you entered before.

Login & Set password

Use the temporary password sent to you by email to log in to Yarkon for the first time. The system will prompt you to replace the automatically generated temporary password with a password of your choice.

Note that the same password is used to log in to the Yarkon client application.

Add user accounts

Next, add end user accounts. Use the Users section from the left navigation pane, then click the Add button and fill in the details of each user. When using the Shared Security Model, as we do in this guide, there is no need to specify anything IAM related. When using the Integrated Security Model, you will have to specify the user name, group or role through which permissions are granted.

When a user is added to Yarkon, a temporary password is automatically generated for the user by the system and sent to the user by email. This email includes the full details on how to log in to Yarkon using the web client application. On first log-in, the user has to choose their password. The end user will only have access to the buckets defined by you when setting up the security policy.