Enabling Active Directory/LDAP Users to Create S3 Access Key Pairs


The VMS REST API provides an endpoint that creates and deletes S3 access key pairs for the requesting user. This endpoint is accessible to users on an Active Directory/LDAP server that is connected to the cluster. Users can also retrieve the access key of a given access key pair and the status of the key pair.

How to Enable the Required Access for Active Directory/LDAP Users

  • Ensure that the relevant users belong to an Active Directory or other LDAP-based directory server that is connected to the VAST Cluster.

    This enables valid login to the S3 keys API endpoint for client users on the Active Directory/LDAP server.

    A user may now authenticate to the VMS REST API using their Active Directory/LDAP credentials and send POST, GET and DELETE requests to the <vms_vip>/api/s3keys/ endpoint to create and delete their own S3 access key pair(s) and to view the enabled/disabled status of such a key pair.

  • You can optionally provide the same users with broader VMS access by mapping Active Directory/LDAP group(s) to VMS RBAC roles.

How to Create and Manage an S3 Access Key Pair as an Active Directory/LDAP User

Creating an S3 Access Key Pair

To create an access key pair, send a POST request to the https://<VMS_VIP>/api/s3keys/ endpoint. In this example, the user sends their Active Directory or LDAP username and password for basic authentication:

Note

This feature supports Active Directory users on the joined domain only.

vastdata@v112lg1:/home/vastdata $ curl -u "vms_ad_user:vastdata" -X POST https://10.71.200.112/api/s3keys/ -k

A new pair is created. The access key and secret key are returned in the response:

{"access_key":"4XACULB2SLCZ80ZQPVMX","secret_key":"KgZYAI4E66+CWhYiUM5dvyICBjXzfwg/HWoxL9Et"}

Note

The operation requires basic authentication. You can either authenticate each request as done in the examples, or you can use secure authentication by JSON Web Tokens (JWTs) over HTTPS. For information about how to authenticate with JWTs, see Authenticating to the VMS REST API in the VMS REST API documentation, which is available on your cluster's management network at https://<VMS_VIP>/docs/index.html.

Retrieving the S3 Access Key Pair's Properties

Sending a GET request to the https://<VMS_VIP>/api/s3keys endpoint returns details of previously created key pairs:

vastdata@v112lg1:/home/vastdata $ curl -u "vms_ad_user:vastdata" -X GET https://10.71.200.112/api/s3keys/ -k

The response includes the access key and the status of the key (whether it is enabled or not):

{"4XACULB2SLCZ80ZQPVMX":{"enabled":true,"identifier":"sid"}}

Note

The response also includes an identifier field, which indicates whether the key was associated with the user's SID or UID when both are present on the Active Directory/LDAP server. This matters if a later administrative change associates the UID with a different user: the S3 access remains linked to the original identifier.

Deleting an S3 Access Key Pair

To delete an S3 access key pair, send a DELETE request to the same endpoint, providing only the access key, as the access_key property in the JSON request body. For example:

vastdata@v112lg1:/home/vastdata $ curl -u "vms_ad_user:vastdata" -X DELETE https://10.71.200.112/api/s3keys/ -d '{"access_key":"4XACULB2SLCZ80ZQPVMX"}' -k -H "accept: application/json" -H "Content-Type: application/json"
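The create, list and delete operations above, written as a small Python client. This is an added example, not VAST's own code: it assumes only the endpoint behaviour shown on this page, reads the VMS address and the AD/LDAP credentials from environment variables (VMS_VIP, VMS_USER, VMS_PASSWORD and VMS_CA_FILE are assumed names), and keeps TLS certificate verification on instead of using curl's -k.

```python
import base64
import json
import os
import ssl
import urllib.request

S3KEYS_PATH = "/api/s3keys/"

def build_s3keys_request(vms_vip, user, password, method, access_key=None):
    """Build the POST (create), GET (list) or DELETE (remove one pair) request
    as the curl examples on this page send it: basic auth with the AD/LDAP
    credentials, and a JSON body only for DELETE."""
    if method not in ("POST", "GET", "DELETE"):
        raise ValueError(f"unsupported method: {method}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "accept": "application/json"}
    body = None
    if method == "DELETE":
        if not access_key:
            raise ValueError("DELETE requires the access_key of the pair to remove")
        body = json.dumps({"access_key": access_key}).encode()
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(f"https://{vms_vip}{S3KEYS_PATH}",
                                  data=body, method=method, headers=headers)

def parse_s3keys_response(method, body):
    """Interpret the response bodies shown on this page."""
    doc = json.loads(body)
    if method == "POST":   # {"access_key": ..., "secret_key": ...}
        return doc["access_key"], doc["secret_key"]
    if method == "GET":    # {"<access_key>": {"enabled": bool, "identifier": "sid"|"uid"}}
        return {ak: (info["enabled"], info["identifier"]) for ak, info in doc.items()}
    return doc             # DELETE: pass the server's reply through unchanged

def send(req, cafile=None):
    """Send with TLS verification kept on. If the VMS certificate is issued by a
    private CA, pass its bundle as cafile rather than disabling checks (curl -k)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    # Assumed environment variable names; the password comes from the
    # environment instead of the command line, so it stays out of shell history.
    vip, user = os.environ["VMS_VIP"], os.environ["VMS_USER"]
    password = os.environ["VMS_PASSWORD"]
    req = build_s3keys_request(vip, user, password, "GET")
    for ak, (enabled, ident) in parse_s3keys_response(
            "GET", send(req, cafile=os.environ.get("VMS_CA_FILE"))).items():
        print(f"{ak}: enabled={enabled} identifier={ident}")
```

Replace "GET" with "POST" to create a pair (the secret key is returned only in that response, so store it immediately), or with "DELETE" plus the access key to remove one.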