Yarkon Server – Filter IAM Entities

[Version 3.8+]

When you use the Integrated or Federated security mode of Yarkon Server, you need to specify the IAM Name for each user so that the user receives the appropriate permissions. This IAM Name can be the name of an IAM user, group or role.

The list of IAM entities may grow very long, or you (the administrator) may prefer not to list every group or role in the drop-down when setting up a Yarkon user. In either case, you can limit the list of IAM entities displayed.

IAM Filtering

The filtering is done using the ENV settings of the server, as follows:

  • IAM_FILTER_USER – show only IAM users with a name that satisfies the specified regular expression.
  • IAM_FILTER_GROUP – show only IAM groups with a name that satisfies the specified regular expression.
  • IAM_FILTER_ROLE – show only IAM roles with a name that satisfies the specified regular expression.
  • IAM_FILTER – show only IAM entities with a name that satisfies the specified regular expression.

The value of the environment variable should be a regular expression matching the names of the entities you want to show. See the examples below for more.

When specifying both a specific filter (IAM_FILTER_XXX) and the general filter (IAM_FILTER), the specific one takes precedence.

A restart of the Yarkon Server application is required for any changes to apply.
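The resolution and matching rules above (specific IAM_FILTER_XXX wins over the general IAM_FILTER; no variable means no filtering; the expression is matched anywhere in the name, so "^" is needed to anchor it, as the "^yarkon" examples do) can be checked against a list of names before restarting the server. The following is an added illustration, not code from Yarkon Server; the entity names are constructed, and the search-style matching is an assumption based on the page's examples. Note that these variables only limit what the administrator sees in the drop-down; a user's effective permissions still come from the IAM entity assigned to them.

```python
import os
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample of IAM entity names (not real accounts), grouped by the
# entity kind the three specific filters apply to.
SAMPLE_ENTITIES = {
    "user": ["yarkon-admin", "yarkon-readonly", "alice", "deploy-yarkon"],
    "group": ["qa-engineers", "developers", "qa-leads"],
    "role": ["qa-ci-runner", "EC2-Default", "lambda-exec"],
}


def select_pattern(kind: str, env: Dict[str, str]) -> Optional[str]:
    """Return the regex that applies to one entity kind ("user", "group", "role").

    The specific IAM_FILTER_<KIND> takes precedence over the general IAM_FILTER.
    If neither is set, None is returned and nothing is filtered out.
    """
    specific = env.get(f"IAM_FILTER_{kind.upper()}")
    if specific:
        return specific
    return env.get("IAM_FILTER") or None


def filter_entities(names: Iterable[str], pattern: Optional[str]) -> List[str]:
    """Keep the names that satisfy the pattern.

    Assumed search semantics: an unanchored "yarkon" matches anywhere in the
    name, which is why the examples use "^yarkon" to mean "starts with".
    An invalid expression raises re.error, so a typo is caught here rather than
    silently hiding every entity.
    """
    if pattern is None:
        return list(names)
    compiled = re.compile(pattern)
    return [name for name in names if compiled.search(name)]


def apply_iam_filters(entities: Dict[str, List[str]],
                      env: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Apply the IAM_FILTER* variables from env (default: the real environment)."""
    if env is None:
        env = dict(os.environ)
    return {kind: filter_entities(names, select_pattern(kind, env))
            for kind, names in entities.items()}


if __name__ == "__main__":
    demo_env = {"IAM_FILTER_USER": "^yarkon", "IAM_FILTER": "^qa"}
    for kind, shown in apply_iam_filters(SAMPLE_ENTITIES, demo_env).items():
        print(f"{kind:5s}: {shown}")
```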

Yarkon Server AMI

If you set up Yarkon Server using an AMI – from the AWS Marketplace or from the FREE trial on this website, you need to follow these steps:

  1. Log in to your server using SSH.
  2. Open the file /var/app/current/yarkon-server.pm2.json in your preferred editor.
  3. In the env section of the JSON file, add the attributes as needed.

Here is an example, showing how to limit the list of IAM users to only those that start with “yarkon”:

{
    "apps": [{
        "name": "aphek",
        "script": "./aphek",
        "watch": false,
        "env": {
            "PORT": 80,
            "IAM_FILTER_USER": "^yarkon"
        }
    }]
}

Yarkon Server Docker

When using a dockerized version of Yarkon Server, update your Docker Compose file (or whichever configuration file you use in your specific setup) like so:

version: "3"

services:
  server:
    image: "yarkon/server:latest"  # Use the correct tag here
    ports:
      # Map the port of the host to the one used by Yarkon
      - "80:8000"
    environment:
      # When running in AWS, the preferred way to provide AWS API keys to the
      # container is through using an IAM machine role. If this cannot be done,
      # or when running it outside of AWS, you can pass credentials here:
      AWS_ACCESS_KEY_ID: "EXAMPLERFP4S3EXAMPLE"
      AWS_SECRET_ACCESS_KEY: "examplexcRA2gvPBPKAmt95yWIwz/vJIJexample"
      AWS_REGION: "us-east-1"

      # The provider name defaults to AWS, but you can change it to something
      # your users might find more recognizable. In the client, it is displayed
      # above the buckets and in the About form.
      PROVIDER_NAME: "My Company"

      # Filtering for IAM entities
      IAM_FILTER_USER: "^yarkon" # Only show users that start with "yarkon"
      #IAM_FILTER_GROUP: "^qa" # Only show groups that start with "qa"
      #IAM_FILTER_ROLE: "^qa" # Only show roles that start with "qa"
      #IAM_FILTER: "^qa" # Only show users, groups or roles that start with "qa"

    volumes:
      - dbdata:/var/app/current/database
      - license:/var/app/current/.lic
      - yarkon:/var/app/current/public/yarkon
      - /var/log:/var/app/current/log # Map the /var/log folder on the host to the log folder
volumes:
  dbdata:
  license:
  yarkon: