Secure Token Service

The Amazon Web Services Secure Token Service (STS) is a set of APIs that return a set of temporary S3 access and secret keys used to authenticate users.

IBM Storage Ceph Object Gateway supports a subset of Amazon STS application programming interfaces (APIs) for identity and access management (IAM).

Users first authenticate against STS and receive a short-lived S3 access key and secret key that can be used in subsequent requests.

IBM Storage Ceph Object Storage can authenticate S3 users through a Single Sign-On (SSO) provider by configuring an OIDC provider. This feature enables Object Storage users to authenticate against an enterprise identity provider (IDP) rather than the local Ceph Object Gateway database. For instance, if the SSO is connected to an enterprise IDP in the backend, Object Storage users can use their enterprise credentials to authenticate and gain access to the Ceph Object Gateway S3 endpoint.

By using STS along with the IAM role policy feature, you can create finely tuned authorization policies to control access to your data. These policies allow you to implement either a Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC) authorization model for your object storage data, giving you complete control over who can access the data.

Following is a simplified workflow to access S3 resources with STS:
  1. The user wants to access S3 resources in IBM Storage Ceph.

  2. The user needs to authenticate against the SSO provider.

  3. The SSO provider, which is federated with an IDP, checks whether the user credentials are valid. If they are, the user is authenticated and the SSO provides a token to the user.

  4. Using the token provided by the SSO, the user accesses the Ceph Object Gateway STS endpoint, asking to assume an IAM role that provides the user with access to S3 resources.

  5. The IBM Storage Ceph gateway receives the user token and asks the SSO to validate the token.

  6. Once the SSO validates the token, the user is allowed to assume the role. Through STS, the user is provided with temporary access and secret keys that give the user access to the S3 resources.

  7. Depending on the policies attached to the IAM role the user has assumed, the user can access a set of S3 resources, for example, read for bucket A and write to bucket B.
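The workflow above, as an added example that is not IBM's or Ceph's own code: the role trust policy that restricts who may assume the role to tokens issued by the configured OIDC provider, the permission policy for "read bucket A, write bucket B", and the token exchange against the gateway's STS endpoint (steps 4 to 6). The gateway endpoint, OIDC issuer, app ID, role ARN and sample credentials are constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed placeholder values; substitute your own gateway, provider and role.
RGW_ENDPOINT = "https://rgw.example.com"
OIDC_HOST = "sso.example.com/realms/ceph"   # OIDC issuer host and path, no scheme
APP_ID = "ceph-s3-client"                   # client_id the SSO issues tokens for
ROLE_ARN = "arn:aws:iam:::role/S3Access"
# Constructed sample of the Credentials block an STS response carries.
SAMPLE_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret", "SessionToken": "tok",
                "Expiration": datetime(2099, 1, 1, tzinfo=timezone.utc)}
EXPIRED_CREDS = {**SAMPLE_CREDS, "Expiration": datetime(2000, 1, 1, tzinfo=timezone.utc)}

def trust_policy(oidc_host: str, app_id: str) -> dict:
    """Who may assume the role: only tokens from this OIDC provider issued for this app."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": [f"arn:aws:iam:::oidc-provider/{oidc_host}"]},
        "Action": ["sts:AssumeRoleWithWebIdentity"],
        "Condition": {"StringEquals": {f"{oidc_host}:app_id": app_id}}}]}

def s3_policy(read_bucket: str, write_bucket: str) -> dict:
    """What the role may do: read bucket A and write to bucket B, nothing else."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{read_bucket}", f"arn:aws:s3:::{read_bucket}/*"]},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": [f"arn:aws:s3:::{write_bucket}/*"]}]}

def credentials_expired(creds: dict, now=None) -> bool:
    """True once the temporary keys have passed their Expiration time."""
    return creds["Expiration"] <= (now or datetime.now(timezone.utc))

def s3_client_kwargs(creds: dict, endpoint: str) -> dict:
    """Map the Credentials block to boto3 S3 client arguments, refusing expired keys."""
    if credentials_expired(creds):
        raise ValueError("temporary credentials expired; assume the role again")
    return {"endpoint_url": endpoint,
            "aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}

def assume_role(web_identity_token: str, session_name: str = "sso-user") -> dict:
    """Steps 4-6 of the workflow: present the SSO token to the gateway's STS endpoint."""
    import boto3  # imported here so the policy helpers work without boto3 installed
    # AssumeRoleWithWebIdentity is unsigned; the region name only satisfies boto3.
    sts = boto3.client("sts", endpoint_url=RGW_ENDPOINT, region_name="us-east-1")
    resp = sts.assume_role_with_web_identity(
        RoleArn=ROLE_ARN, RoleSessionName=session_name,
        WebIdentityToken=web_identity_token, DurationSeconds=3600)
    return s3_client_kwargs(resp["Credentials"], RGW_ENDPOINT)
```

The two policies are passed as JSON strings to the IAM `create_role` (as `AssumeRolePolicyDocument`) and `put_role_policy` calls when the role is created; the dictionary returned by `assume_role` is spread into `boto3.client("s3", **kwargs)` for the subsequent S3 requests.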

Figure 1. Secure Token Service