AWS IAM CLI
Chris Lu edited this page 2026-04-08 12:57:14 -07:00

AWS IAM CLI with SeaweedFS

This guide shows how to use the AWS CLI to manage IAM users, access keys, and policies in SeaweedFS.

Installation

See AWS-CLI-with-SeaweedFS for AWS CLI installation instructions.

Prerequisites

1. Start SeaweedFS with S3/IAM

The IAM API is embedded in the S3 server by default:

# Start with embedded IAM (default)
weed s3 -filer=localhost:8888

# Or with weed server
weed server -s3

2. Create Admin Credentials

Create an admin user to manage IAM:

echo 's3.configure -apply -user admin -access_key admin_access_key -secret_key admin_secret_key -actions Admin' | weed shell

3. Configure AWS CLI

Set the endpoint to your S3 server (IAM uses the same endpoint):

export AWS_ACCESS_KEY_ID=admin_access_key
export AWS_SECRET_ACCESS_KEY=admin_secret_key

# IAM and S3 use the same endpoint
export AWS_ENDPOINT=http://localhost:8333

User Management

Create a User

aws --endpoint $AWS_ENDPOINT iam create-user --user-name bob

Output:

{
    "User": {
        "UserName": "bob"
    }
}

List Users

aws --endpoint $AWS_ENDPOINT iam list-users

Output:

{
    "Users": [
        { "UserName": "admin" },
        { "UserName": "bob" }
    ]
}

Get User Details

aws --endpoint $AWS_ENDPOINT iam get-user --user-name bob

Delete User

aws --endpoint $AWS_ENDPOINT iam delete-user --user-name bob

Enable/Disable User

Disable or re-enable a user without deleting them:

# Disable a user (all their access keys will stop working)
aws --endpoint $AWS_ENDPOINT iam set-user-status --user-name bob --status Inactive

# Re-enable the user
aws --endpoint $AWS_ENDPOINT iam set-user-status --user-name bob --status Active

Access Key Management

Create Access Key

aws --endpoint $AWS_ENDPOINT iam create-access-key --user-name bob

Output:

{
    "AccessKey": {
        "UserName": "bob",
        "AccessKeyId": "X8R439UM7OSQJX28I9QTP",
        "Status": "Active",
        "SecretAccessKey": "FLh9yeeYhzA7qsiyLIXsvuhv4g2cSgoUJJe/EqZw1z"
    }
}

List Access Keys

aws --endpoint $AWS_ENDPOINT iam list-access-keys --user-name bob

Output:

{
    "AccessKeyMetadata": [
        {
            "UserName": "bob",
            "AccessKeyId": "X8R439UM7OSQJX28I9QTP",
            "Status": "Active"
        }
    ]
}

Delete Access Key

aws --endpoint $AWS_ENDPOINT iam delete-access-key --user-name bob --access-key-id X8R439UM7OSQJX28I9QTP

Update Access Key Status

Deactivate or reactivate an access key without deleting it:

# Deactivate an access key
aws --endpoint $AWS_ENDPOINT iam update-access-key \
  --user-name bob \
  --access-key-id X8R439UM7OSQJX28I9QTP \
  --status Inactive

# Reactivate the access key
aws --endpoint $AWS_ENDPOINT iam update-access-key \
  --user-name bob \
  --access-key-id X8R439UM7OSQJX28I9QTP \
  --status Active

Self-Service: Manage Your Own Keys

Users can manage their own access keys without admin privileges:

# Set credentials for the user
export AWS_ACCESS_KEY_ID=bob_access_key
export AWS_SECRET_ACCESS_KEY=bob_secret_key

# Create a new key for yourself (no --user-name needed)
aws --endpoint $AWS_ENDPOINT iam create-access-key

# List your own keys
aws --endpoint $AWS_ENDPOINT iam list-access-keys

Policy Management

Create and Attach a Read-Only Policy

# Create policy document
cat > readonly-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
EOF

# Attach to user
aws --endpoint $AWS_ENDPOINT iam put-user-policy \
  --user-name bob \
  --policy-name ReadOnlyPolicy \
  --policy-document file://readonly-policy.json

Create Read-Write Policy for Specific Bucket

cat > readwrite-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:Put*",
        "s3:Delete*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::data-bucket",
        "arn:aws:s3:::data-bucket/*"
      ]
    }
  ]
}
EOF

aws --endpoint $AWS_ENDPOINT iam put-user-policy \
  --user-name bob \
  --policy-name DataBucketAccess \
  --policy-document file://readwrite-policy.json

List User Policies

List the names of inline policies attached to a user:

aws --endpoint $AWS_ENDPOINT iam list-user-policies --user-name bob

Output:

{
    "PolicyNames": [
        "ReadOnlyPolicy"
    ],
    "IsTruncated": false
}

Get User Policy

aws --endpoint $AWS_ENDPOINT iam get-user-policy \
  --user-name bob \
  --policy-name ReadOnlyPolicy

Delete User Policy

aws --endpoint $AWS_ENDPOINT iam delete-user-policy \
  --user-name bob \
  --policy-name ReadOnlyPolicy

Managed Policies

Managed policies are standalone policies that are stored in the configuration and can be attached to multiple users.

Create a Managed Policy

# Create policy document
cat > readonly-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": ["*"]
    }
  ]
}
EOF

# Create the policy
aws --endpoint $AWS_ENDPOINT iam create-policy \
  --policy-name ReadOnlyPolicy \
  --policy-document file://readonly-policy.json

List All Managed Policies

aws --endpoint $AWS_ENDPOINT iam list-policies

Get Managed Policy Details

aws --endpoint $AWS_ENDPOINT iam get-policy \
  --policy-arn arn:aws:iam:::policy/ReadOnlyPolicy

Attach a Managed Policy to a User

aws --endpoint $AWS_ENDPOINT iam attach-user-policy \
  --user-name bob \
  --policy-arn arn:aws:iam:::policy/ReadOnlyPolicy

List Managed Policies Attached to a User

aws --endpoint $AWS_ENDPOINT iam list-attached-user-policies --user-name bob

Detach a Managed Policy from a User

aws --endpoint $AWS_ENDPOINT iam detach-user-policy \
  --user-name bob \
  --policy-arn arn:aws:iam:::policy/ReadOnlyPolicy

Delete a Managed Policy

Note: A policy must be detached from all users before it can be deleted.

aws --endpoint $AWS_ENDPOINT iam delete-policy \
  --policy-arn arn:aws:iam:::policy/ReadOnlyPolicy

Group Management

Groups allow you to organize users and apply policies at the group level. Policies attached to a group are evaluated for all group members during S3 authorization.

Create a Group

aws --endpoint $AWS_ENDPOINT iam create-group --group-name developers

Output:

{
    "Group": {
        "GroupName": "developers"
    }
}

List Groups

aws --endpoint $AWS_ENDPOINT iam list-groups

Get Group Details (including members)

aws --endpoint $AWS_ENDPOINT iam get-group --group-name developers

Add User to Group

aws --endpoint $AWS_ENDPOINT iam add-user-to-group --group-name developers --user-name bob

Remove User from Group

aws --endpoint $AWS_ENDPOINT iam remove-user-from-group --group-name developers --user-name bob

Attach Policy to Group

aws --endpoint $AWS_ENDPOINT iam attach-group-policy \
  --group-name developers \
  --policy-arn arn:aws:iam:::policy/ReadOnlyPolicy

List Policies Attached to Group

aws --endpoint $AWS_ENDPOINT iam list-attached-group-policies --group-name developers

Group Inline Policies

Groups can also have inline policies attached directly:

# Attach an inline policy to a group
cat > group-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": ["arn:aws:s3:::shared-bucket/*"]
    }
  ]
}
EOF

aws --endpoint $AWS_ENDPOINT iam put-group-policy \
  --group-name developers \
  --policy-name SharedBucketReadOnly \
  --policy-document file://group-policy.json

# List inline policies for a group
aws --endpoint $AWS_ENDPOINT iam list-group-policies --group-name developers

# Get an inline policy
aws --endpoint $AWS_ENDPOINT iam get-group-policy \
  --group-name developers \
  --policy-name SharedBucketReadOnly

# Delete an inline policy from a group
aws --endpoint $AWS_ENDPOINT iam delete-group-policy \
  --group-name developers \
  --policy-name SharedBucketReadOnly

Detach Policy from Group

aws --endpoint $AWS_ENDPOINT iam detach-group-policy \
  --group-name developers \
  --policy-arn arn:aws:iam:::policy/ReadOnlyPolicy

List Groups for a User

aws --endpoint $AWS_ENDPOINT iam list-groups-for-user --user-name bob

Delete a Group

Note: A group must have no members and no attached policies before it can be deleted.

aws --endpoint $AWS_ENDPOINT iam delete-group --group-name developers

Key Behaviors

  • Group policies: Policies attached to a group apply to all members during S3 authorization
  • Disabled groups: Groups can be disabled/enabled (SeaweedFS extension, not in AWS CLI)
  • User deletion: Deleting a user automatically removes them from all groups
  • Policy deletion: A policy cannot be deleted if it is attached to any group
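To make these behaviors concrete, the following added example (not SeaweedFS code) models offline which policy documents the S3 authorizer would consult for a user: their inline policies, attached managed policies, and the inline and attached policies of every group they belong to, as described in the Policy Management and Group Management sections above. The sample state is constructed from the page's bob/developers examples; the explicit-Deny-wins rule in is_allowed is the standard IAM rule and is an assumption here, since the page only shows Allow statements.

```python
from fnmatch import fnmatchcase

# Constructed sample state mirroring the page's examples ("Version" omitted for brevity):
# one managed policy, bob's inline read-write policy, and the developers group with an inline policy.
MANAGED = {"arn:aws:iam:::policy/ReadOnlyPolicy": {"Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": ["*"]}]}}
USERS = {"bob": {"groups": ["developers"], "attached": [], "inline": {
    "DataBucketAccess": {"Statement": [{"Effect": "Allow",
        "Action": ["s3:Get*", "s3:Put*", "s3:Delete*", "s3:List*"],
        "Resource": ["arn:aws:s3:::data-bucket", "arn:aws:s3:::data-bucket/*"]}]}}}}
GROUPS = {"developers": {"attached": [], "inline": {
    "SharedBucketReadOnly": {"Statement": [{"Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*"], "Resource": ["arn:aws:s3:::shared-bucket/*"]}]}}}}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def effective_documents(user):
    """Every policy document consulted for `user`, tagged with where it came from."""
    u = USERS[user]
    docs = [(f"user:{user}/{n}", d) for n, d in u["inline"].items()]
    docs += [(f"user:{user}/{arn}", MANAGED[arn]) for arn in u["attached"]]
    for g in u["groups"]:  # group policies apply to every member
        docs += [(f"group:{g}/{n}", d) for n, d in GROUPS[g]["inline"].items()]
        docs += [(f"group:{g}/{arn}", MANAGED[arn]) for arn in GROUPS[g]["attached"]]
    return docs

def is_allowed(user, action, resource):
    """Assumed IAM rule: a matching explicit Deny wins; otherwise any matching Allow grants."""
    allowed = False
    for _origin, doc in effective_documents(user):
        for stmt in _as_list(doc["Statement"]):
            matches = (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                       and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))
            if matches and stmt["Effect"] == "Deny":
                return False
            allowed = allowed or matches
    return allowed

def wildcard_grants(user):
    """Origins of Allow statements whose Resource is '*': the first thing to review in an audit."""
    return [origin for origin, doc in effective_documents(user)
            for stmt in _as_list(doc["Statement"])
            if stmt["Effect"] == "Allow" and "*" in _as_list(stmt["Resource"])]

if __name__ == "__main__":
    # bob never got shared-bucket directly; the grant arrives through the developers group.
    print(is_allowed("bob", "s3:GetObject", "arn:aws:s3:::shared-bucket/report.csv"))  # True
    print(wildcard_grants("bob"))  # []
```

Attaching the page's managed ReadOnlyPolicy (Resource "*") to the developers group would make every member readable on every bucket, which wildcard_grants surfaces by origin.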

Verify Configuration

Check the current S3/IAM configuration:

echo 's3.configure' | weed shell

Output:

{
  "identities": [
    {
      "name": "admin",
      "credentials": [
        {
          "accessKey": "admin_access_key",
          "secretKey": "admin_secret_key"
        }
      ],
      "actions": ["Admin"]
    },
    {
      "name": "bob",
      "credentials": [
        {
          "accessKey": "X8R439UM7OSQJX28I9QTP",
          "secretKey": "FLh9yeeYhzA7qsiyLIXsvuhv4g2cSgoUJJe/EqZw1z"
        }
      ],
      "actions": [
        "Read:my-bucket",
        "List:my-bucket"
      ]
    }
  ]
}

Complete Workflow Example

# 1. Set admin credentials
export AWS_ACCESS_KEY_ID=admin_key
export AWS_SECRET_ACCESS_KEY=admin_secret
export AWS_ENDPOINT=http://localhost:8333

# 2. Create a new user
aws --endpoint $AWS_ENDPOINT iam create-user --user-name alice

# 3. Create access key for the user
aws --endpoint $AWS_ENDPOINT iam create-access-key --user-name alice

# 4. Create a read-only policy
cat > alice-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": ["arn:aws:s3:::shared-bucket/*"]
    }
  ]
}
EOF

# 5. Attach inline policy to user
aws --endpoint $AWS_ENDPOINT iam put-user-policy \
  --user-name alice \
  --policy-name SharedBucketReadOnly \
  --policy-document file://alice-policy.json

# 6. Attach a managed policy (e.g., ReadOnlyPolicy is built-in or previously created)
aws --endpoint $AWS_ENDPOINT iam attach-user-policy \
  --user-name alice \
  --policy-arn arn:aws:iam:::policy/ReadOnlyPolicy

# 7. Verify
echo 's3.configure' | weed shell