Secure Token Service
The Amazon Web Services Secure Token Service (STS) is a set of APIs that return temporary S3 access and secret keys for authenticating users.
IBM Storage Ceph Object Gateway supports a subset of Amazon STS application programming interfaces (APIs) for identity and access management (IAM).
Users first authenticate against STS and receive a short-lived S3 access key and secret key that can be used in subsequent requests.
IBM Storage Ceph Object Storage can authenticate S3 users through Single Sign-On (SSO) by configuring an OpenID Connect (OIDC) provider. This lets Object Storage users authenticate against an enterprise identity provider (IDP) rather than the local Ceph Object Gateway user database. For instance, if the SSO is backed by an enterprise IDP, Object Storage users can use their enterprise credentials to authenticate and gain access to the Ceph Object Gateway S3 endpoint.
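The exchange described above (OIDC ID token in, short-lived S3 keys out), as an added example that is not part of the IBM documentation or the Ceph project: a standard-library Python client for the STS AssumeRoleWithWebIdentity action that Ceph Object Gateway exposes, plus the expiry check a caller should apply before reusing the keys. The endpoint, role ARN and the sample reply values are assumed placeholders.

```python
import urllib.parse, urllib.request
import xml.etree.ElementTree as ET
from collections import namedtuple
from datetime import datetime, timedelta, timezone

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"
RGW_ENDPOINT = "https://rgw.example.internal:8000"   # assumed RGW STS endpoint (placeholder)
ROLE_ARN = "arn:aws:iam:::role/S3ReadOnly"            # assumed role defined in RGW (placeholder)
TemporaryCredentials = namedtuple("TemporaryCredentials", "access_key secret_key session_token expiration")

def build_assume_role_body(role_arn, session_name, id_token, duration_seconds=3600):
    """Form body of the unsigned AssumeRoleWithWebIdentity action; the OIDC ID token
    issued by the enterprise IDP travels as WebIdentityToken."""
    return urllib.parse.urlencode({
        "Action": "AssumeRoleWithWebIdentity", "Version": "2011-06-15",
        "RoleArn": role_arn, "RoleSessionName": session_name,
        "WebIdentityToken": id_token, "DurationSeconds": str(duration_seconds),
    }).encode()

def parse_sts_response(xml_body):
    """Extract the short-lived S3 keys from the STS XML reply returned by RGW."""
    creds = ET.fromstring(xml_body).find(
        f"{STS_NS}AssumeRoleWithWebIdentityResult/{STS_NS}Credentials")
    if creds is None:
        raise ValueError("STS reply carries no Credentials element")
    expiration = datetime.strptime(creds.findtext(f"{STS_NS}Expiration"),
                                   "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return TemporaryCredentials(creds.findtext(f"{STS_NS}AccessKeyId"),
                                creds.findtext(f"{STS_NS}SecretAccessKey"),
                                creds.findtext(f"{STS_NS}SessionToken"), expiration)

def credentials_usable(creds, now, skew=timedelta(minutes=1)):
    """Refresh a little before Expiration so clock skew never yields a rejected S3 request."""
    return now + skew < creds.expiration

def assume_role_with_web_identity(id_token, session_name="sso-user",
                                  endpoint=RGW_ENDPOINT, role_arn=ROLE_ARN):
    """Live exchange: POST the form to the RGW endpoint and parse the temporary keys."""
    req = urllib.request.Request(
        endpoint, data=build_assume_role_body(role_arn, session_name, id_token), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_sts_response(resp.read())

# Constructed sample reply in the shape STS/RGW returns; all values are placeholders.
SAMPLE_RESPONSE = b"""<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleWithWebIdentityResult><Credentials>
<AccessKeyId>ASIAEXAMPLEKEY</AccessKeyId><SecretAccessKey>example-secret</SecretAccessKey>
<SessionToken>example-session-token</SessionToken><Expiration>2030-01-01T12:00:00Z</Expiration>
</Credentials></AssumeRoleWithWebIdentityResult></AssumeRoleWithWebIdentityResponse>"""
```

The returned access key, secret key and session token are then passed to any S3 client for the subsequent requests; the role's policy in RGW, not the local user database, decides what those requests may do.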

- For more information about STS Lite and Keystone, see Configuring and using STS Lite with Keystone (Technology Preview).
- For more information about STS Lite and Keystone limitations, see Working around the limitations of using STS Lite with Keystone (Technology Preview).
- For step-by-step instructions on setting up STS authentication with RHSSO, using IDM (LDAP) as the IDP backend and authorization through IAM roles with an RBAC model based on LDAP groups, see the IBM Redbook.