You can create multiple identity policies and attach them to users, groups, and IAM roles.
Identity policies are managed via VMS. You add an identity policy to VMS and then attach it to user(s), group(s), and/or roles. When you add an identity policy to VMS, you can choose to enter the policy statements from scratch, create a policy based on predefined rules, or import a policy as a JSON file.
VAST identity policies support a subset of the elements listed in Amazon's IAM JSON Policy Reference. For information about the required JSON format, supported elements and examples, see Identity and Bucket Policy Reference.
Adding an Identity Policy to VMS in VAST Web UI
Tip
VAST recommends adding identity policies through VAST Web UI.
Create an identity policy in the following ways:
Using the Interactive Policy Editor, which creates a policy interactively by defining rules
Manually defining the policy in JSON format in a text editor window
Creating an Identity Policy Using the Interactive Policy Editor
You create an identity policy by defining statements that are included in the policy. There are different types of statements, which can be combined in a single policy.
1. In the left navigation menu, choose User Management and then Identity Policies.
2. In Tenant, select the tenant.
   Note: This option appears only if tenants are defined on the cluster.
3. In the Identity Policies page, click Create Policy to open the Add Policy dialog.
4. In the General Policy Details section, enter a name for the policy, without spaces, in the Name field, and select the Tenant.
5. In the Define Statements section, select the type of statement to add to the policy:
   - Pre-defined. Select from a list of common, predefined statements.
   - Custom. Define a custom statement consisting of actions, effects, conditions, and resources.
   - Database Row/Column Security. Define a statement for controlling access to database rows and columns.
6. In the Statement ID field, enter a name for the statement. If not specified, a random name is generated.
7. If the policy is used to control application user access to a bucket, in the Resource type field select Bucket. If the policy is used for application users' access to pipelines, select Data Engine.
8. In the Resource field, enter one or more S3 resources (comma separated) to which the statement applies. Wildcards can be included (for example, '*'). You can also use variables (see Using Variables in Identity Policies).
   Note: Separate statements in a common policy can apply to different resources.
   Do one of the next three steps, according to the statement type selected above.
9. If the statement type is Pre-defined, select one or more statements from the list of Available Statements, then move them to the Selected Statements list. The list of statements depends on the Resource type selected above.
10. If the statement type is Custom, do the following:
   - Select the Effects of the actions in the statement: Allow or Deny. When applied, the policy will either allow or deny the selected actions.
   - Select one or more actions from the list of Available Actions, then move them to the Selected Actions list.
11. If the statement type is Database Row/Column Security, do the following:
   - In the Resources section, select whether the rows selected in the next step should be included or excluded. If Included is selected, the policy permits access to the selected rows; if Excluded is selected, the policy permits access to all rows except the selected ones.
   - Optionally, in the Row Filters box, add row filter strings, one per line. A row filter is a string that would appear in a WHERE clause in a query, for example col1='ABC'. If multiple filters are listed, they are combined using logical AND when the policy is applied, so the policy applies only to rows for which all the row filter conditions are met (rfilter1 AND rfilter2 ...).
   - Optionally, in the Column masks section, add masks for specific columns. Enter a Column name and a Mask string, then click Add Column Mask to add the mask to the list. Repeat for additional masks (one mask per column). Masks must conform to the SQL syntax used by Trino. The masks replace the contents of the selected columns with the masked value (hiding sensitive information, for example). The mask can include regular expressions, using regexp_replace. For example, regexp_replace(my_col_email, '.*', '***') replaces every email address with '***' in a column named my_col_email.
   - Optionally, enable Row Filter Using VAST S3 Object Permissions. When enabled, a filter is applied based on the VAST S3 permission model. This uses a column in the database with the reserved name vastdb_s3_path_auth. Each cell in this column contains a comma-separated list of S3 paths in the form "bucket_name1/object_name1", "bucket_name2/object_name2", .... When the policy is applied with this option enabled, the filter checks each of these paths and the effective permission to access them, based on the identity and bucket policies that apply to the paths. Rows whose paths have permission for the get-object action are returned by the filter; rows without are not returned.
   See VAST Database Row and Column Security for more details about VAST Database row/column security features.
12. Optionally, in the Conditions section, add conditions for the statement. Conditions qualify when a policy statement applies to resources. Follow these steps to add conditions to the policy:
   a. Click Add Condition.
   b. Select a Condition Key from the list. This is the element that is tested by the condition.
   c. Select a Qualifier from the list. This indicates whether the condition applies for any value or for all values in a request.
      Note: This field applies only to some condition keys.
   d. Select an Operator.
   e. Enter a list of Values, separated by commas.
   For example, these selections create a condition for the policy statement that tests for the userid 1234:
   Key: aws:userid
   Qualifier: Any value in request
   Operator: StringEquals
   Value: 1234
   Repeat the above steps for additional conditions for the same statement. See Adding Conditions to Identity Policies for more detail about conditions.
13. Click Add Statement To Policy. The statement, in JSON format, is shown in the Identity Policy pane on the right.
   Once the statement has been added to the policy, you cannot add or change the statement or any of its conditions using the editor. You can, however, edit the policy manually, including its statements and conditions, in the Identity Policy pane on the right. You can also copy the text of the policy (click Copy Policy).
14. Repeat Step 5 to Step 13 to add additional statements to the policy. You can include statements of different types in a single policy, each with its own list of resources and conditions.
15. Click Create. The policy is created, added to the set of available policies, and displayed in the Identity Policies page. Proceed to Attaching/Removing Identity Policies to/from Users and Groups to associate identity policies with users or groups in the Users or Groups tab.
Examples of Identity Policies
This is a simple policy that allows GetObject for a bucket and its objects.
{
  "Version": "2012-10-17",
  "Id": "e9483951-4471-43e2-8361-baae43ad339d",
  "Statement": [
    {
      "Sid": "Stmt17440227975897972",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "test-bucket",
        "test-bucket/*"
      ]
    }
  ]
}

This example includes wildcards to allow any Get* action on the bucket:
{
  "Version": "2012-10-17",
  "Id": "e9483951-4471-43e2-8361-baae43ad339d",
  "Statement": [
    {
      "Sid": "Stmt17440227975897972",
      "Action": [
        "s3:Get*"
      ],
      "Effect": "Allow",
      "Resource": [
        "test-bucket",
        "test-bucket/*"
      ]
    }
  ]
}

This example includes multiple statements in the policy, one for Get* actions and one for Put* actions:
{
  "Version": "2012-10-17",
  "Id": "12ce48cf-6ca9-4f33-ad2d-47b0bfbad5c0",
  "Statement": [
    {
      "Sid": "Stmt17440229217713216",
      "Action": [
        "s3:Get*"
      ],
      "Effect": "Allow",
      "Resource": [
        "test-bucket",
        "test-bucket/*"
      ]
    },
    {
      "Sid": "Stmt17440229217716670",
      "Action": [
        "s3:Put*"
      ],
      "Effect": "Allow",
      "Resource": [
        "another-bucket",
        "another-bucket/*"
      ]
    }
  ]
}

Adding Conditions to Identity Policies
Conditions qualify when a policy applies to a resource (to grant permissions). They can be added to any statement in a policy.
Conditions consist of a key, an operator, and a value. They appear in the policy (JSON) in the format:

"Condition": { "{condition-operator}": { "{condition-key}": "{condition-value}" } }

Condition keys are case-insensitive. See Supported Condition Keys per S3 Action for a list of supported condition keys.
Examples of Conditions
This condition allows the retrieval of objects if they have a tag 'foo' with the value 'bar':

"Condition": { "StringEquals": { "s3:ExistingObjectTag/foo": "bar" } }

This condition applies if the request is made over a secure HTTPS connection:

"Condition": { "Bool": { "aws:SecureTransport": "True" } }

This condition uses the 'IfExists' variant of the operator, and is true if the tag 'DeleteApproved' exists and is set to true, or if it does not exist:

"Condition": { "StringEqualsIfExists": { "aws:ResourceTag/DeleteApproved": "true" } }

This condition uses the 'Null' condition operator, and is true if the tag TagKeys exists:

"Condition": { "Null": { "aws:TagKeys": "true" } }

Using Variables in Identity Policies
You can use variables instead of hard-coded values in policies. For example, instead of adding a username to a bucket prefix, you can use a variable that contains the name of the user.
Insert variables in the resource or condition parts of policy statements using the format ${variable}.
These variables are supported:
${BucketName}
${ObjectName}
${username}
${sourceip}
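To show how the pieces described on this page fit together at evaluation time, here is an added Python example that is not VAST code and is not taken from the VAST documentation: a small evaluator that expands ${variable} placeholders in resources, matches wildcard actions and resources, and checks the StringEquals, StringEqualsIfExists and Bool condition operators shown above. The policy, the request context, the rule that an explicit Deny beats any Allow (the IAM evaluation order), and the fail-closed handling of operators not modelled here are assumptions of the example, not statements about how VAST evaluates policies.

```python
import fnmatch
import json
from string import Template

# Constructed sample policy for this example (not taken from the VAST docs).
POLICY = json.loads("""{
  "Statement": [
    {"Sid": "ReadAll", "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
     "Resource": ["${BucketName}", "${BucketName}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    {"Sid": "HomeWrite", "Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "home/${username}/*",
     "Condition": {"StringEqualsIfExists": {"aws:userid": "1234"}}},
    {"Sid": "NoDelete", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, ctx):
    # Every operator block must hold; condition keys are compared case-insensitively.
    lower = {k.lower(): v for k, v in ctx.items()}
    for op, tests in cond.items():
        for key, expected in tests.items():
            actual = lower.get(key.lower())
            if actual is None:  # key absent from the request: only IfExists passes
                if op.endswith("IfExists"):
                    continue
                return False
            if op in ("StringEquals", "StringEqualsIfExists"):
                ok = actual in _as_list(expected)
            else:  # Bool; any operator not modelled here fails closed (assumption)
                ok = op == "Bool" and actual.lower() == str(expected).lower()
            if not ok:
                return False
    return True

def is_allowed(policy, action, resource, ctx):
    # Explicit Deny wins over Allow; with no matching Allow the request is refused.
    allowed = False
    for st in policy["Statement"]:
        acts = [a.lower() for a in _as_list(st["Action"])]
        # ${variable} placeholders in resources are expanded from the request context
        res = [Template(r).safe_substitute(ctx) for r in _as_list(st["Resource"])]
        if (any(fnmatch.fnmatchcase(action.lower(), a) for a in acts)
                and any(fnmatch.fnmatchcase(resource, r) for r in res)
                and _condition_ok(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

The request context is a plain dict of condition keys and variable values (for example BucketName, username and aws:SecureTransport); the same GetObject request is allowed over HTTPS and refused over plain HTTP because the Bool condition on ReadAll fails.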
Examples
This statement permits read-only access to objects in any bucket:
{
  "Id": "Policy1234",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RO",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Effect": "Allow",
      "Resource": "${BucketName}"
    }
  ]
}

This statement grants GetObject and PutObject permissions on the current bucket for user john:
{
  "Sid": "Policy12345",
  "Action": [
    "s3:GetObject",
    "s3:PutObject"
  ],
  "Effect": "Allow",
  "Resource": "arn:aws:s3:::bucket/home/${aws:username}/*",
  "Condition": { "StringEquals": { "aws:username": "john" } }
}

Creating an Identity Policy by Importing an Existing Policy File
1. In the left navigation menu, choose User Management and then Identity Policies.
2. In the Identity Policies page, click Create Policy to open the Add Policy dialog.
3. Click Import Policy, in the lower right corner.
4. Browse to the file containing the policy definition. The file must be in JSON format. The policy definition appears in the Policy pane.
5. Optionally, edit the file in the Policy pane.
6. Click Create to save the policy.
Creating an Identity Policy Manually
1. In the left navigation menu, choose User Management and then Identity Policies.
2. In the Identity Policies page, click Create Policy to open the Add Policy dialog.
3. In the Policy pane on the right, enter the definition for the policy, including all rules for it, in JSON format.
4. Click Create to save the policy.
Adding an Identity Policy to VMS in VAST CLI
Note
The recommended way to add identity policies to VMS is via the VAST Web UI. Since policies are multi-line, you may find that your SSH terminal does not succeed in creating the policies.
To add an identity policy, use the identitypolicy create command.
To modify an identity policy that has been added, use the identitypolicy modify command.