IAM Role or Temporary STS Credentials Support for s3 Mounting

#1-ALLUXIO/错题本

Questions & Answers

1. What is assume role? What is the relationship between assume role and IAM and s3 bucket?
   Assume role is a API returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to.
   

Amazon Resource Name (ARN) arn:aws:iam::123456789012:role/UpdateApp
AWS Security Token Service (AWS STS)
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

3. How dose assume role works in Alluxio?
   Alluxio would be given the IAM credentials of Role A, and then the ARN of Role B. We would then use Role A to fetch a temporary STS token to assume the privileges of Role B.
   Sample - command to mount the bucket with assume role options:

/opt/alluxio/bin/alluxio fs mount \
--option alluxio.underfs.s3.inherit.acl=false \
--option aws.accessKeyId=<access key> \
--option aws.secretKey=<secret key> \
--option alluxio.underfs.s3.server.side.encryption.enabled=true \
--option alluxio.underfs.s3.proxy.host=<ip> \
--option alluxio.underfs.s3.proxy.port=<port> \
--option alluxio.underfs.s3.secure.http.enabled=true \
--option alluxio.underfs.s3.assumerole.enabled=true \
--option alluxio.underfs.s3.assumerole.rolearn=arn:aws:iam::<aws account>:role/<role> \
--option alluxio.underfs.s3.assumerole.proxy.https.enabled=false \
--option alluxio.underfs.s3.assumerole.https.enabled=true \
--option alluxio.underfs.s3.assumerole.proxy.host=<ip> \
--option alluxio.underfs.s3.assumerole.proxy.port=<port> \
/s3/<bucket name> s3://<bucket name>

4. What is mount in Alluxio?
5. What is the relationship between AWS credentials and assume a role and mount alluxio?
   Use AWS credentials to mount s3 to alluxio and use that credentials to assume a * role to access s3.
   If my article solve your problem, could(paypal, wechat see the bottom) you crowdfund a cup of tea for me?

---

中文版本

Alluxio商业版支持 aws 的 assume role 功能。
首先，assume role 是 AWS 的一个功能(assume role 是 API，调用它会返回一套临时的安全凭证信息)
然后，Alluxio和assume role的关系：假设有两个角色 A 和 B ，Alluxio 把 IAM 凭证给角色A, 然后把 Amazon 资源名称给角色B。我们使用角色A 获取一个临时的 STS token 去 担任 Role B 的权限。
最后，alluxio mount 和 assume role 的关系，以及使用 mount 挂载 s3 文件系统的例子：Alluxio 使用 AWS 凭证把 s3 挂载到 Alluxio 然后使用该凭证去担任某个角色以访问s3中的资源。

/opt/alluxio/bin/alluxio fs mount \
--option alluxio.underfs.s3.inherit.acl=false \
--option aws.accessKeyId=<access key> \
--option aws.secretKey=<secret key> \
--option alluxio.underfs.s3.server.side.encryption.enabled=true \
--option alluxio.underfs.s3.proxy.host=<ip> \
--option alluxio.underfs.s3.proxy.port=<port> \
--option alluxio.underfs.s3.secure.http.enabled=true \
--option alluxio.underfs.s3.assumerole.enabled=true \
--option alluxio.underfs.s3.assumerole.rolearn=arn:aws:iam::<aws account>:role/<role> \
--option alluxio.underfs.s3.assumerole.proxy.https.enabled=false \
--option alluxio.underfs.s3.assumerole.https.enabled=true \
--option alluxio.underfs.s3.assumerole.proxy.host=<ip> \
--option alluxio.underfs.s3.assumerole.proxy.port=<port> \
/s3/<bucket name> s3://<bucket name>

如果我的文章解决了您的问题，众筹我顿自助，可好（提取码：f4nf）？