=============================
Ceph Object Gateway IAM API
=============================

.. versionadded:: Squid

The Ceph Object Gateway supports a subset of the `Amazon IAM API`_ for
the RESTful management of account users, roles, and associated policies.

This REST API is served by the same HTTP endpoint as the
`Ceph Object Gateway S3 API`_.

Authorization
=============

By default, only :ref:`Account Root Users ` are authorized to use the IAM API,
and can only see the resources under their own account. The account root user
can use policies to delegate these permissions to other users or roles in the
account.

Feature Support
===============

The following tables describe the currently supported IAM actions.

Users
-----

+------------------------------+---------------------------------------------+
| Action                       | Remarks                                     |
+==============================+=============================================+
| **CreateUser**               |                                             |
+------------------------------+---------------------------------------------+
| **GetUser**                  |                                             |
+------------------------------+---------------------------------------------+
| **UpdateUser**               |                                             |
+------------------------------+---------------------------------------------+
| **DeleteUser**               |                                             |
+------------------------------+---------------------------------------------+
| **ListUsers**                |                                             |
+------------------------------+---------------------------------------------+
| **CreateAccessKey**          |                                             |
+------------------------------+---------------------------------------------+
| **UpdateAccessKey**          |                                             |
+------------------------------+---------------------------------------------+
| **DeleteAccessKey**          |                                             |
+------------------------------+---------------------------------------------+
| **ListAccessKeys**           |                                             |
+------------------------------+---------------------------------------------+
| **PutUserPolicy**            |                                             |
+------------------------------+---------------------------------------------+
| **GetUserPolicy**            |                                             |
+------------------------------+---------------------------------------------+
| **DeleteUserPolicy**         |                                             |
+------------------------------+---------------------------------------------+
| **ListUserPolicies**         |                                             |
+------------------------------+---------------------------------------------+
| **AttachUserPolicy**         |                                             |
+------------------------------+---------------------------------------------+
| **DetachUserPolicy**         |                                             |
+------------------------------+---------------------------------------------+
| **ListAttachedUserPolicies** |                                             |
+------------------------------+---------------------------------------------+

Groups
------

+-------------------------------+--------------------------------------------+
| Action                        | Remarks                                    |
+===============================+============================================+
| **CreateGroup**               |                                            |
+-------------------------------+--------------------------------------------+
| **GetGroup**                  |                                            |
+-------------------------------+--------------------------------------------+
| **UpdateGroup**               |                                            |
+-------------------------------+--------------------------------------------+
| **DeleteGroup**               |                                            |
+-------------------------------+--------------------------------------------+
| **ListGroups**                |                                            |
+-------------------------------+--------------------------------------------+
| **AddUserToGroup**            |                                            |
+-------------------------------+--------------------------------------------+
| **RemoveUserFromGroup**       |                                            |
+-------------------------------+--------------------------------------------+
| **ListGroupsForUser**         |                                            |
+-------------------------------+--------------------------------------------+
| **PutGroupPolicy**            |                                            |
+-------------------------------+--------------------------------------------+
| **GetGroupPolicy**            |                                            |
+-------------------------------+--------------------------------------------+
| **DeleteGroupPolicy**         |                                            |
+-------------------------------+--------------------------------------------+
| **ListGroupPolicies**         |                                            |
+-------------------------------+--------------------------------------------+
| **AttachGroupPolicy**         |                                            |
+-------------------------------+--------------------------------------------+
| **DetachGroupPolicy**         |                                            |
+-------------------------------+--------------------------------------------+
| **ListAttachedGroupPolicies** |                                            |
+-------------------------------+--------------------------------------------+

Roles
-----

+------------------------------+---------------------------------------------+
| Action                       | Remarks                                     |
+==============================+=============================================+
| **CreateRole**               |                                             |
+------------------------------+---------------------------------------------+
| **GetRole**                  |                                             |
+------------------------------+---------------------------------------------+
| **UpdateRole**               |                                             |
+------------------------------+---------------------------------------------+
| **UpdateAssumeRolePolicy**   |                                             |
+------------------------------+---------------------------------------------+
| **DeleteRole**               |                                             |
+------------------------------+---------------------------------------------+
| **ListRoles**                |                                             |
+------------------------------+---------------------------------------------+
| **TagRole**                  |                                             |
+------------------------------+---------------------------------------------+
| **UntagRole**                |                                             |
+------------------------------+---------------------------------------------+
| **ListRoleTags**             |                                             |
+------------------------------+---------------------------------------------+
| **PutRolePolicy**            |                                             |
+------------------------------+---------------------------------------------+
| **GetRolePolicy**            |                                             |
+------------------------------+---------------------------------------------+
| **DeleteRolePolicy**         |                                             |
+------------------------------+---------------------------------------------+
| **ListRolePolicies**         |                                             |
+------------------------------+---------------------------------------------+
| **AttachRolePolicy**         |                                             |
+------------------------------+---------------------------------------------+
| **DetachRolePolicy**         |                                             |
+------------------------------+---------------------------------------------+
| **ListAttachedRolePolicies** |                                             |
+------------------------------+---------------------------------------------+

OpenIDConnectProvider
---------------------

+---------------------------------+------------------------------------------+
| Action                          | Remarks                                  |
+=================================+==========================================+
| **CreateOpenIDConnectProvider** |                                          |
+---------------------------------+------------------------------------------+
| **GetOpenIDConnectProvider**    |                                          |
+---------------------------------+------------------------------------------+
| **DeleteOpenIDConnectProvider** |                                          |
+---------------------------------+------------------------------------------+
| **ListOpenIDConnectProviders**  |                                          |
+---------------------------------+------------------------------------------+

Managed Policies
----------------

The following managed policies are available for use with ``AttachGroupPolicy``,
``AttachRolePolicy`` and ``AttachUserPolicy``:

IAMFullAccess
  :Arn: ``arn:aws:iam::aws:policy/IAMFullAccess``
  :Version: v2 (default)

IAMReadOnlyAccess
  :Arn: ``arn:aws:iam::aws:policy/IAMReadOnlyAccess``
  :Version: v4 (default)

AmazonSNSFullAccess
  :Arn: ``arn:aws:iam::aws:policy/AmazonSNSFullAccess``
  :Version: v1 (default)

AmazonSNSReadOnlyAccess
  :Arn: ``arn:aws:iam::aws:policy/AmazonSNSReadOnlyAccess``
  :Version: v1 (default)

AmazonS3FullAccess
  :Arn: ``arn:aws:iam::aws:policy/AmazonS3FullAccess``
  :Version: v2 (default)

AmazonS3ReadOnlyAccess
  :Arn: ``arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess``
  :Version: v3 (default)

.. _Amazon IAM API: https://docs.aws.amazon.com/IAM/latest/APIReference/welcome.html
.. _Ceph Object Gateway S3 API: ../s3/
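
The delegation described under Authorization, using one of the managed policies listed above, can be scripted as follows. This is an added example, not code from the Ceph project: it assumes the ``boto3`` IAM client pointed at the gateway endpoint, and the endpoint URL, credentials, region name, user name ``auditor``, the helper names and the ``allow_full_access`` guard are all illustrative.

```python
# Added example: the account root user delegates IAM permissions to another
# user by attaching one of the managed policies listed on this page.
MANAGED_POLICY_ARNS = {
    name: f"arn:aws:iam::aws:policy/{name}"
    for name in ("IAMFullAccess", "IAMReadOnlyAccess", "AmazonSNSFullAccess",
                 "AmazonSNSReadOnlyAccess", "AmazonS3FullAccess",
                 "AmazonS3ReadOnlyAccess")
}


def make_iam_client(endpoint_url, access_key, secret_key):
    """Build an IAM client for the gateway with the account root user's keys."""
    import boto3  # imported lazily so delegate() can be exercised without it
    return boto3.client("iam", endpoint_url=endpoint_url,
                        aws_access_key_id=access_key,
                        aws_secret_access_key=secret_key,
                        region_name="default")  # assumed region name


def delegate(iam, user_name, policy_name, allow_full_access=False):
    """Attach one managed policy to a user and confirm that it is attached.

    Returns the sorted list of managed policy ARNs attached afterwards.
    """
    arn = MANAGED_POLICY_ARNS.get(policy_name)
    if arn is None:
        raise ValueError(f"not a managed policy from this page: {policy_name}")
    # Least privilege: *FullAccess policies must be requested explicitly.
    if policy_name.endswith("FullAccess") and not allow_full_access:
        raise PermissionError(f"{policy_name} requires allow_full_access=True")
    iam.attach_user_policy(UserName=user_name, PolicyArn=arn)
    # Read back through ListAttachedUserPolicies rather than trusting the call.
    attached = iam.list_attached_user_policies(UserName=user_name)
    arns = sorted(p["PolicyArn"] for p in attached.get("AttachedPolicies", []))
    if arn not in arns:
        raise RuntimeError(f"{arn} not reported as attached to {user_name}")
    return arns


if __name__ == "__main__":
    # Placeholder endpoint and credentials; substitute the root user's own.
    client = make_iam_client("http://rgw.example.com:8000",
                             "ROOT_ACCESS_KEY", "ROOT_SECRET_KEY")
    print(delegate(client, "auditor", "IAMReadOnlyAccess"))
```
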