Skip to main content

Enable LDAP or domain users to generate their own ONTAP S3 access keys

Contributors netapp-aaron-holt netapp-dbagwell netapp-manini netapp-ahibbard netapp-aherbin

Beginning with ONTAP 9.14.1, as an ONTAP administrator, you can create custom roles and grant them to local or domain groups or Lightweight Directory Access Protocol (LDAP) groups, so that the users belonging to those groups can generate their own access and secret keys for S3 client access.

You have to perform a few configuration steps on your storage VM, so that the custom role can be created and assigned to the user that invokes the API for access key generation.

Before you begin

Ensure the following:

  1. An S3-enabled storage VM containing an S3 server has been created. See Create an SVM for S3.

  2. A bucket has been created in that storage VM. See Create a bucket.

  3. DNS is configured on the storage VM. See Configure DNS services.

  4. A self-signed root certification authority (CA) certificate of the LDAP server is installed on the storage VM. See Install the self-signed root CA certificate on the SVM.

  5. An LDAP client is configured with TLS enabled on the storage VM. See Create an LDAP client configuration.

  6. Associate the client configuration with the Vserver. See Associate the LDAP client configuration with SVMs. Learn more about the vserver services name-service ldap create command in the ONTAP command reference.

  7. If you are using a data storage VM, create a management network interface (LIF) and on the VM, and also a service policy for the LIF. Learn more about the network interface create and network interface service-policy create commands in the ONTAP command reference.

Configure users for access key generation

  1. Specify LDAP as the name service database of the storage VM for the group and password to LDAP:

    ns-switch modify -vserver <vserver-name> -database group -sources files,ldap
    ns-switch modify -vserver <vserver-name> -database passwd -sources files,ldap

    Learn more about the vserver services name-service ns-switch modify command in the ONTAP command reference.

  2. Create a custom role with access to S3 user REST API endpoint:
    security login rest-role create -vserver <vserver-name> -role <custom-role-name> -api "/api/protocols/s3/services/*/users" -access <access-type>
    In this example, the s3-role role is generated for users on the storage VM svm-1, to which all access rights, read, create, and update are granted.

    security login rest-role create -vserver svm-1 -role s3role -api "/api/protocols/s3/services/*/users" -access all

    Learn more about the security login rest-role create command in the ONTAP command reference.

  3. Create an LDAP user group with the security login command and add the new custom role for accessing the S3 user REST API endpoint. Learn more about the security login create command in the ONTAP command reference.

    security login create -user-or-group-name <ldap-group-name> -application http -authentication-method nsswitch -role <custom-role-name> -is-ns-switch-group yes

    In this example, the LDAP group ldap-group-1 is created in svm-1, and the custom role s3role is added to it for accessing the API endpoint, along with enabling LDAP access in the fast bind mode.

    security login create -user-or-group-name ldap-group-1 -application http -authentication-method nsswitch -role s3role -is-ns-switch-group yes -second-authentication-method none -vserver svm-1 -is-ldap-fastbind yes

Adding the custom role to the domain or LDAP group allows users in that group a limited access to the ONTAP /api/protocols/s3/services/{svm.uuid}/users endpoint. By invoking the API, the domain or LDAP group users can generate their own access and secret keys to access the S3 client. They can generate the keys for only themselves and not for other users.

As an S3 or LDAP user, generate your own access keys

Beginning with ONTAP 9.14.1, you can generate your own access and secret keys for accessing S3 clients, if your administrator has granted you the role to generate your own keys. You can generate keys for only yourself by using the following ONTAP REST API endpoint.

HTTP method and endpoint

This REST API call uses the following method and endpoint. For information about the other methods of this endpoint, see the reference API documentation.

HTTP method Path

POST

/api/protocols/s3/services/{svm.uuid}/users

Curl example
curl
--request POST \
--location "https://$FQDN_IP /api/protocols/s3/services/{svm.uuid}/users " \
--include \
--header "Accept: */*" \
--header "Authorization: Basic $BASIC_AUTH"
--data '{"name":"_name_"}'
JSON output example
{
  "records": [
    {
      "access_key": "Pz3SB54G2B_6dsXQPrA5HrTPcf478qoAW6_Xx6qyqZ948AgZ_7YfCf_9nO87YoZmskxx3cq41U2JAH2M3_fs321B4rkzS3a_oC5_8u7D8j_45N8OsBCBPWGD_1d_ccfq",
      "_links": {
        "next": {
          "href": "/api/resourcelink"
        },
        "self": {
          "href": "/api/resourcelink"
        }
      },
      "name": "user-1",
      "secret_key": "A20_tDhC_cux2C2BmtL45bXB_a_Q65c_96FsAcOdo14Az8V31jBKDTc0uCL62Bh559gPB8s9rrn0868QrF38_1dsV2u1_9H2tSf3qQ5xp9NT259C6z_GiZQ883Qn63X1"
    }
  ],
  "num_records": "1"
}