IAM workflow
This section describes the typical IAM workflow. You can install the AWS CLI to send the IAM-related API requests that complete these tasks.
- Reset and get S3 server root user's credentials.
Create root user credentials. You can use the root user to create users with limited permissions.
After S3 interface for MSDP is configured, run the following command to create root user's credentials:
/usr/openv/pdde/vxs3/cfg/script/s3srv_config.sh --reset-iam-root
You can also use this command if you have lost the root user's access keys. The new access key and secret key of the root user are shown in the command output.
To create or reset root user's credentials using NetBackup web UI, see Resetting the MSDP object store root credentials topic of the NetBackup Web UI Administrator's Guide.
- Create a user.
aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam create-user --user-name <USER_NAME>
- Attach one or more policies to a user.
aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam put-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME> --policy-document file://<POLICY_DOCUMENT_FILE_PATH>
- Create access key for a user.
aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam create-access-key [--user-name <USER_NAME>]
Note:
If you omit the --user-name option, the access key is created under the user who sends the request.
- Delete access key for a user.
aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam delete-access-key [--user-name <USER_NAME>] --access-key-id <ACCESS_KEY>
Note:
If you omit the --user-name option, the access key is deleted under the user who sends the request. You cannot delete the last active access key of a root user.
- List access keys for a user.
aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam list-access-keys [--user-name <USER_NAME>]
Note:
If you omit the --user-name option, the access key is listed under the user who sends the request.
- Update an access key's status for a user.
aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam update-access-key [--user-name <USER_NAME>] --access-key-id <ACCESS_KEY> --status [Active | Inactive]
If you omit the --user-name option, the access key is updated under the user who sends the request.
The --status option must be followed by Active or Inactive (case sensitive).
You cannot update the last active access key of the root user to Inactive status.
- Get a specific user policy.
aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam get-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>
- List all attached policies for a user.
aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam list-user-policies --user-name <USER_NAME>
- Delete a user policy.
aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam delete-user-policy --user-name <USER_NAME> --policy-name <POLICY_NAME>
- Get user information.
aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam get-user --user-name <USER_NAME>
- List all users.
aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam list-users
- Delete a user.
aws --endpoint https://<MSDP_HOSTNAME>:8443 [--ca-bundle <CA_BUNDLE_FILE>] iam delete-user --user-name <USER_NAME>
Note:
Before you delete a user, you must delete the user policies and access keys that are attached to the user. You cannot delete a root user.
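The steps above, combined into one least-privilege onboarding, key-rotation and offboarding flow, as an added example (this is not code from the NetBackup documentation or from Veritas). The hostname, CA bundle path, bucket name, user and key identifiers are placeholders, and the script assumes that the MSDP S3 server accepts AWS-style JSON policy documents with Version and Statement fields. It runs in dry-run mode by default, printing each aws command instead of sending it, so it can be reviewed before DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not from the NetBackup documentation: wraps the IAM commands
# on this page into an onboarding, key-rotation and offboarding flow.
# Placeholders (replace before use): MSDP_HOSTNAME, CA_BUNDLE, bucket/user names.
# Assumption: MSDP accepts AWS-style JSON policy documents (Version/Statement).
MSDP_HOSTNAME="msdp.example.internal"        # placeholder
CA_BUNDLE="/etc/ssl/certs/msdp-ca.pem"       # placeholder
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands, 0 = call aws

# Every call uses the same endpoint and CA bundle as the commands on this page.
msdp_iam() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'aws --endpoint https://%s:8443 --ca-bundle %s iam %s\n' \
            "$MSDP_HOSTNAME" "$CA_BUNDLE" "$*"
    else
        aws --endpoint "https://$MSDP_HOSTNAME:8443" --ca-bundle "$CA_BUNDLE" iam "$@"
    fi
}

# Least-privilege policy document: one bucket, list plus object read/write only,
# so a leaked key for this user cannot reach other buckets or the IAM API.
write_policy() {   # $1 = output file, $2 = bucket name
    cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::$2" },
    { "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::$2/*" }
  ]
}
EOF
}

# Create the user, attach the scoped policy, then issue its first access key.
# In a real run the secret key appears once in the create-access-key output;
# capture it straight into a secret store rather than a shell history or log.
onboard_user() {   # $1 = user name, $2 = policy name, $3 = policy file
    msdp_iam create-user --user-name "$1"
    msdp_iam put-user-policy --user-name "$1" --policy-name "$2" \
        --policy-document "file://$3"
    msdp_iam create-access-key --user-name "$1"
}

# Rotation: issue the replacement key, then set the old key Inactive rather
# than deleting it, so a workload that was missed can be rolled back by
# setting the old key Active again.
rotate_key() {     # $1 = user name, $2 = access key id being retired
    msdp_iam create-access-key --user-name "$1"
    msdp_iam update-access-key --user-name "$1" --access-key-id "$2" --status Inactive
}

# Delete the old key only after the workload is confirmed on the new one.
retire_key() {     # $1 = user name, $2 = access key id
    msdp_iam delete-access-key --user-name "$1" --access-key-id "$2"
}

# Offboarding in the order the page requires: policy and keys first, user last.
offboard_user() {  # $1 = user name, $2 = policy name, $3 = access key id
    msdp_iam delete-user-policy --user-name "$1" --policy-name "$2"
    msdp_iam delete-access-key --user-name "$1" --access-key-id "$3"
    msdp_iam delete-user --user-name "$1"
}

# Demonstration run with constructed names (dry-run by default).
main() {
    policy_file="$(mktemp)"
    write_policy "$policy_file" "backup-archive"
    onboard_user "backup-svc" "backup-archive-rw" "$policy_file"
    rotate_key "backup-svc" "AKIAEXAMPLEOLDKEY"
    retire_key "backup-svc" "AKIAEXAMPLEOLDKEY"
    offboard_user "backup-svc" "backup-archive-rw" "AKIAEXAMPLENEWKEY"
    rm -f "$policy_file"
}
main
```

The policy document is where the security value lives: the root credentials from s3srv_config.sh are used only to run this script, and the workload receives a user whose key can do nothing beyond reading and writing one bucket. Rotation is split into rotate_key and retire_key on purpose, since the page's update-access-key step gives a reversible Inactive state between issuing the new key and deleting the old one.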