Yarkon Server – Implement user and group level permissions

In the following we will go over the most common use cases for Yarkon Server, and provide sample policies to help you get started.

By default, Yarkon Server is using the Shared security model. It is simple, and works out of the box, without a need to make any additional updates to IAM on top of what was already done. Use the Administration page, Access tab to change the security model.

Shared Security Model

In this case, all users share the same permissions, as were defined in the principal policy of the server in the step Set up the IAM role and policies. There is no need to make any additional updates in AWS IAM.

Federated/Integrated Security Model

In these security models, the permissions granted to a user are set by IAM policies. Later, you will associate these policies through either an IAM user, IAM group or IAM role with the users you’d be adding to Yarkon in the step Add users to Yarkon. In this step, we will be building these policies, following some common use cases.

User level permissions

To control S3 permissions at the user level, follow these steps:

  1. Using the AWS Console, go to the IAM service.
  2. Create a new user. Important: this user need not have any access to the AWS console, so don’t check any of the boxes in AWS Access Type.
  3. For the policy, use something like the below, showing how to give access to a single bucket only – just rename the <bucket-name> place-holder in the policy to your bucket name. The policy can be inline or attached.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>/*"
        }
    ]
}

When you create the Yarkon user in the step Add users to Yarkon, in the “Add User” form, make sure to set the “IAM Type” to “User” and then select the user name you just created from the drop down.

Group level permissions

Basic

To control S3 permissions at the group level, follow these steps:

  1. Using the AWS Console, go to the IAM service.
  2. Create a new group.
  3. For the policy, use something like the below, showing how to give access to a single bucket only – just rename the <bucket-name> place-holder in the policy to your bucket name. The policy can be inline or attached.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>/*"
        }
    ]
}

When you create the Yarkon user in the step Add users to Yarkon, in the “Add User” form, make sure to set the “IAM Type” to “Group” and then select the group name you just created from the drop down.

Advanced

If you already have a group based permission structure in AWS (or would like to build one), you can follow this alternative:

  1. Using the AWS Console, go to the IAM service.
  2. Create a new group.
  3. Add the policy as below.
  4. Create a new user and place it in the group you just created. This user will assume the permissions of the group.

When you create the Yarkon user in the step Add users to Yarkon, in the “Add User” form, make sure to set the “IAM Type” to “User” and then select the user name you just created from the drop down.

This more advanced approach allows you to “compose” user permissions using group membership, as well as override these permissions using inline and attached policies at the IAM user level.

Folder level permissions

AWS IAM allows great flexibility. The following annotated example policy shows how to create a policy that allows a user full access to a specific folder only, while disallowing any access, not even listing, of any other folder. In this example, the folder was named based on the user name, and is placed in a shared home folder.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeHomeBucket",
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<bucket-name>"
            ]
        },
        {
            "Sid": "AllowSeeingUserFolder",
            "Action": "s3:ListBucket",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::<bucket-name>",
            "Condition": {
                "StringEquals": {
                    "s3:prefix": "home/john/",
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<bucket-name>"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "home/john/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowAllS3ActionsInUserFolder",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/home/john/*"
            ]
        }
    ]
}

Yarkon respects the standard AWS substitution for a user name ${aws:username}, so it you have AWS user names defined for the users, you can use a single policy to handle all users. And that’s pretty cool.

Shared bucket for B2B

This is an advanced IAM policy – use only if you have good working knowledge of IAM.

Suppose you are using Yarkon for your business and your end users work for vendors that are clients of yours. You want to have all your vendors using a single bucket named acme-vendors, with each having their own folder in it, but without allowing one vendor to see, or even know, about any other vendor.

While completely fulfilling this requirement is actually not possible with IAM – as any experienced AWS IAM administrator would tell you – it is definitely possible with Yarkon, thanks to the extra policy processing handled by the Yarkon server. To illustrate how this would be done, consider the following sample structure:

  • acme-vendors (bucket)
    • acme-vendor-east (folder)
      • CT (folder)
      • NJ (folder)
      • NY (folder)
    • acme-vendor-central (folder)
      • CO (folder)
      • KY (folder)
      • TX (folder)
    • acme-vendor-west (folder)
      • CA (folder)
      • OR (folder)
      • WA (folder)

And suppose you need the following roles defined:

  • An administrator user to manage all vendors, with full access to all folders.
  • An administrator user for each vendor, with full access to the vendor folder and its sub-folders.
  • An end user for each vendor, with limited read only access to the vendor folder and its sub-folders.

The following policies will get the job done (shown for acme-vendor-east only, it is similar for the others).

The policy for the system administrator:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeLocationOfBucket",
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::acme-vendors"
            ]
        },
        {
            "Action": "s3:ListBucket",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::acme-vendors"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::acme-vendors/*"
            ]
        }
    ]
}

The policy for the vendor’s administrator:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeLocationOfBucket",
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::acme-vendors"
            ]
        },
        {
            "Sid": "AllowRootAndHomeListingOfVendorsBucket",
            "Action": "s3:ListBucket",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::acme-vendors",
            "Condition": {
                "StringEquals": {
                    "s3:prefix": "acme-vendor-east/",
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::acme-vendors"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "acme-vendor-east/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowAllS3ActionsInUserFolder",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::acme-vendors/acme-vendor-east/*"
            ]
        }
    ]
}

The policy for the vendor’s end user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUserToSeeLocationOfBucket",
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::acme-vendors"
            ]
        },
        {
            "Sid": "AllowRootAndHomeListingOfVendorsBucket",
            "Action": "s3:ListBucket",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::acme-vendors",
            "Condition": {
                "StringEquals": {
                    "s3:prefix": "acme-vendor-east/",
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::acme-vendors"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "acme-vendor-east/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowReadOnlyS3ActionsInUserFolder",
            "Effect": "Allow",
            "Action": [
                "s3:head*",
                "s3:get*"
            ],
            "Resource": [
                "arn:aws:s3:::acme-vendors/acme-vendor-east/*"
            ]
        }
    ]
}

Note that the Yarkon Web Application, when used by an end user that belongs to this vendor, will see the folder acme-vendor-east as the root, and not the bucket.

You can use these policies as a basis for more advanced variations of this approach.

Next Step – Add users to Yarkon
Go back to Getting Started