Create a config for a SUB USER in Wasabi

Hello my friends!

Could anyone tell me how to create a config for a SUB USER in Wasabi?

hi,

  1. create a user at wasabi, which will generate a new client id/secret
  2. create a rclone remote that uses that client id/secret

Thanks for the answer!
I created one for testing, but the user can read all the buckets... I wanted the subuser to only have access to a specific bucket, is that possible?

yes, that is possible.
for that, i create a bucket policy, giving access only to that specific sub-user

I understand... so I'll have to see how to do it in wasabi... I'll study how to do it there... If you have any tips, I'd be grateful. Thanks!

wasabi policies use the same format as AWS.

here are two working bucket policies from my wasabi account

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::redacted:user/user.en.keepass"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::en.kdbx/*",
        "arn:aws:s3:::en.kdbx"
      ]
    }
  ]
}

and this policy is about as locked down as is possible.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::redacted:user/zork"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::zork/*",
        "arn:aws:s3:::zork"
      ]
    }
  ]
}

and if you want ever more locked down bucket access, i use an advanced user policy,
each IAM user is forced to use MFA login and temporary session tokens.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

Thank you very much!!!! I'll go there and see if I can...

A small question, do I create the policy and attach it to the user or to the bucket?

tho i do not use it, i should have pointed out that there is an official bucket policy.
which would lock a bucket to a single user.
https://rclone.org/s3/#s3-permissions

that is up to you, and depends on how you plan to access wasabi.
for me, i attached policies to buckets

Excellent, I understand. Thank you so much again!

My idea is to create a user to access a specific bucket because if someone has access to the rclone config file they will not be able to access all buckets

ok, now, you have the info to do that...

That's right! Now I can do it! thanks!
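
As an added example that is not part of the thread: a small Python check that a bucket policy in the AWS format shown above only allows one sub-user on one bucket. The function name, the findings format and the over-broad `BROAD` policy are constructed for illustration; `LOCKED` is the `zork` policy posted above.

```python
import json

# The "zork" policy from the thread (the account id is redacted there too).
LOCKED = """{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::redacted:user/zork"},
  "Action": "s3:PutObject",
  "Resource": ["arn:aws:s3:::zork/*", "arn:aws:s3:::zork"]}]}"""

# Constructed counter-example: any principal, any S3 action, every bucket.
BROAD = """{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "*"},
  "Action": "s3:*",
  "Resource": ["arn:aws:s3:::zork/*", "arn:aws:s3:::*"]}]}"""


def _as_list(value):
    """Policy fields may hold one string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy_json, bucket, principal_arn):
    """List Allow grants that reach past one user and one bucket.

    json.loads raises ValueError on malformed JSON (e.g. a trailing comma).
    """
    in_bucket = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and "AWS" in principal:
            principal = principal["AWS"]
        for p in _as_list(principal):
            if p != principal_arn:
                findings.append(f"statement {i}: unexpected principal {p!r}")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
        for res in _as_list(stmt.get("Resource", [])):
            if res not in in_bucket:
                findings.append(f"statement {i}: resource outside bucket {res!r}")
    return findings


if __name__ == "__main__":
    user = "arn:aws:iam::redacted:user/zork"
    for name, doc in (("LOCKED", LOCKED), ("BROAD", BROAD)):
        print(name, audit_bucket_policy(doc, "zork", user) or "ok")
```

An empty result only says the bucket policy itself is narrow; policies attached directly to the user are evaluated separately and are not covered by this check.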
