An AWS Identity and Access Management (IAM) user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. 

A user in AWS consists of a name, credentials and an appropriate access policy. 

Filespace initialization requires an IAM user with an Access key ID and Secret access key that carry the appropriate permissions to interact with resources within your AWS account.

1. Log in to your AWS Management Console

2. Within Services, select Security, Identity & Compliance and choose Identity and Access Management (IAM)

3. Once within IAM, navigate to Users (individual user access keys are recommended over root access keys, since a user can be disabled or updated without affecting access to the whole account)

4. Create a new user or manage an existing one (in this topic we add a new user): select Add User

5. Provide a valid Username, check the Programmatic access box and select Next: Permissions to continue.

6. Modify your permissions and assign the user an appropriate access policy (in this example we chose the built-in S3 policy type AmazonS3FullAccess; CREATE BUCKET, PUT, GET, LIST and DELETE Bucket/Object permissions are required), then select Next: Review to continue.

7. Review and select Create user

8. Once the user is created, save the user's security credentials (Access key ID and Secret access key) in a safe place: select Download .csv, or Show to make them visible, and click Close once complete.

9. Once you have your credentials configured, continue to Filespace initialization. Please reach out to support should you encounter any challenges.


Advanced Identity and Access Management (IAM) User Policies

An AWS IAM user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. 

Each IAM user requires a policy providing access to account resources. 

Should you want to limit an IAM user's policy to only the S3 permissions required for Filespace functionality (CREATE BUCKET, PUT, GET, LIST, DELETE Bucket/Object), refer to the JavaScript Object Notation (JSON) example policy templates below. 

The 1st policy allows a specific IAM user to access only a specific pre-allocated bucket. This bucket must already exist, and it is specified during Filespace creation by selecting "Configure advanced settings" and providing the exact "Bucket name".

1. Specific IAM User to Bucket Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*",
                "arn:aws:s3:::<bucket-name>"
            ]
        }
    ]
}

Our 2nd policy grants an IAM user the additional permission to create buckets, for users responsible for an account that requires multiple Filespaces.

The LucidLink portal automatically creates a bucket named after the Filespace name and a globally unique identifier if no bucket name is provided.

2. IAM User with Create Bucket included in Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:CreateBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "*",
                "arn:aws:s3:::*/*"
            ]
        }
    ]
}
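As an added example (not LucidLink's own code or tooling), the Python script below renders the single-bucket template with a real bucket name and lints a policy for the required S3 actions, catching the common mistake of granting s3:ListBucket only on the object ("/*") ARN, where it has no effect. The bucket name is a constructed sample; the lint also reports when a Resource of "*" extends the actions to every bucket in the account, as the 2nd template does.

```python
import json
import re

# The five S3 permissions the page lists as required for a Filespace.
REQUIRED_ACTIONS = {"s3:CreateBucket", "s3:PutObject", "s3:GetObject",
                    "s3:ListBucket", "s3:DeleteObject"}
# Bucket-level actions must be granted on the bucket ARN itself; the
# object-level actions need the bucket's "/*" object ARN.
BUCKET_LEVEL = {"s3:ListBucket", "s3:CreateBucket"}


def bucket_policy(bucket):
    """Render the single-bucket template with a real bucket name."""
    # Basic S3 bucket-name check: lowercase, digits, dots, hyphens, 3-63 chars.
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", bucket):
        raise ValueError(f"invalid S3 bucket name: {bucket!r}")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
        "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"]}]}


def _covers(resource, action):
    """Does this Resource entry match the level (bucket vs object) the action needs?"""
    if resource == "*":
        return True
    is_object_arn = resource.endswith("/*")
    return is_object_arn != (action in BUCKET_LEVEL)


def lint_policy(policy, need_create_bucket=False):
    """Return (missing_actions, warnings) for a policy given as a dict or JSON text."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    required = set(REQUIRED_ACTIONS)
    if not need_create_bucket:
        required.discard("s3:CreateBucket")
    granted, warnings = set(), []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(r == "*" or r.startswith("arn:aws:s3:::*") for r in resources):
            warnings.append("statement grants the actions on every bucket in the account")
        for req in required:
            if any(a in ("*", "s3:*", req) for a in actions) and any(_covers(r, req) for r in resources):
                granted.add(req)
    return sorted(required - granted), warnings
```

Run `lint_policy(bucket_policy("my-filespace-bucket"))` to confirm the 1st template passes, and pass `need_create_bucket=True` when checking a policy for a user who must create buckets.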

Create policy steps

1. During step 2 of IAM user creation, within Set Permissions, select Create policy 

2. Select JSON in the Create policy wizard and copy/paste the appropriate policy into the text editor. If you chose the specific-bucket policy, replace <bucket-name> (highlighted in yellow) with the name of your actual bucket. Once complete, select Review policy to continue.

3. Name your policy, review the policy details to ensure everything is correct, and select Create policy.

4. Refresh the policy filter in step 2 (Set permissions) of IAM user creation and select your newly created policy.

Once you have your custom policy assigned and credentials configured, continue to Filespace initialization. Please reach out to support should you encounter any challenges.


LucidLink Filespaces also support IAM Role based credential initialization for AWS services such as EC2 instances. IAM Role based initialization requires a command-line Filespace initialization without providing an access-key and secret-key, along with a Role association with the resource.