ECS 2.0 – Obtain secret key to access object storage

Introduction

Users of the ECS object services require a secret key in order to authenticate with a service.

Secret keys can be created and made available to the object user in the following ways:

Create a key for an object user

ECS Management users can create a secret key for an object user.


Generate a secret key from the ECS Portal

You can generate a secret key at the ECS Portal.

Before you begin

  • You must be an ECS System Admin or Namespace Admin

If you are a System Admin, you can create a secret key for an object user belonging to any namespace. If you are a Namespace Admin, you can create a secret key for an object user who belongs to your namespace.

Procedure

  1. At the ECS Portal, select the Manage > Users page.
  2. In the Object Users table, select Edit for the user to which you want to assign a secret key.
  3. For S3, select Generate & Add Password.
  4. Copy the generated key and email it to the object user.

Create an S3 secret key using the ECS Management REST API

The ECS Management REST API enables a management user to create a secret key for an S3 object user.

The API is as follows:

You can find out more information about the API call in the ECS Management REST API reference.


Create an S3 secret key: self-service

The ECS Management REST API enables authenticated domain users to request a secret key so that they can access the object store.

The ECS Management REST API reference can be used where you want to create a custom client to perform certain ECS management operations. For simple operations, domain users can use curl or a browser-based HTTP client to execute the API to create a secret key.

When a user runs the object/secret-keys API, ECS automatically creates an object user and assigns a secret key.

The payload for /object/secret-keys can include an optional expiry time for the existing key.

  <secret_key_create_param>
    <existing_key_expiry_time_mins></existing_key_expiry_time_mins>
  </secret_key_create_param>

If you are creating a secret key for the first time, you can omit the existing_key_expiry_time_mins parameter and a call would be:

POST object/secret-keys

Request body
  <?xml version="1.0" encoding="UTF-8"?>
  <secret_key_create_param/>

Response
  <user_secret_key>
    <secret_key>...</secret_key>
    <key_timestamp>...</key_timestamp>
    <link rel="..." href="..." />
  </user_secret_key>

Working with self-service keys

There are a number of operations that you might want to perform with self-service secret keys using the ECS REST API Reference.

The examples provided use the curl tool to demonstrate the following activities.

Log in as a domain user

You can log in as a domain user and obtain an authentication token that can be used to authenticate subsequent requests.
curl -ik -u user@mydomain.com:<Password> https://10.241.48.31:4443/login
HTTP/1.1 200 OK
Date: Mon, 27 Apr 2015 17:29:38 GMT
Content-Type: application/xml
Content-Length: 107
Connection: keep-alive
X-SDS-AUTH-TOKEN: BAAcaVAzNU16eVcwM09rOWd2Y1ZoUFZ4QmRTK2JVPQMAQQIADTE0MzAwNzQ4ODA1NTQDAC51cm46VG9rZW46YWJmODA1NTEtYmFkNC00ZDA2LWFmMmMtMTQ1YzRjOTdlNGQ0AgAC0A8=

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<loggedIn>
<user>tcas@corp.sean.com</user>
</loggedIn>

Generate first key

You can generate a secret key.
curl -ks -H "X-SDS-AUTH-TOKEN: BAAcaVAzNU16eVcwM09rOWd2Y1ZoUFZ4QmRTK2JVPQMAQQIADTE0MzAwNzQ4ODA1NTQDAC51cm46VG9rZW46YWJmODA1NTEtYmFkNC00ZDA2LWFmMmMtMTQ1YzRjOTdlNGQ0AgAC0A8=" \
  -H "Content-Type: application/json" -X POST -d "{}" \
  https://10.241.48.31:4443/object/secret-keys | xmllint --format -

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user_secret_key>
  <link rel="self" href="/object/user-secret-keys/tcas@corp.sean.com"/>
  <secret_key>7hXZ9/EHTVvmFuYly/z3gHpihXtEUX/VZxdxDDBd</secret_key>
  <key_expiry_timestamp/>
  <key_timestamp>2015-04-27 17:39:13.813</key_timestamp>
</user_secret_key>

Generate second key

You can generate a second secret key and set the expiration for the first key.
curl -ks -H "X-SDS-AUTH-TOKEN: BAAcaVAzNU16eVcwM09rOWd2Y1ZoUFZ4QmRTK2JVPQMAQQIADTE0MzAwNzQ4ODA1NTQDAC51cm46VG9rZW46YWJmODA1NTEtYmFkNC00ZDA2LWFmMmMtMTQ1YzRjOTdlNGQ0AgAC0A8=" \
  -H "Content-Type: application/json" -X POST -d "{\"existing_key_expiry_time_mins\": \"10\"}" \
  https://10.241.48.31:4443/object/secret-keys | xmllint --format -

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user_secret_key>
  <link rel="self" href="/object/user-secret-keys/tcas@corp.sean.com"/>
  <secret_key>l3fPCuFCG/bxoOXCPZoYuPwhXrSTwU0f1kFDaRUr</secret_key>
  <key_expiry_timestamp/>
  <key_timestamp>2015-04-27 17:40:12.506</key_timestamp>
</user_secret_key>

Check keys

You can check the keys that you have been assigned. In this case there are two keys with the first having an expiration date/time.
curl -ks -H "X-SDS-AUTH-TOKEN: BAAcaVAzNU16eVcwM09rOWd2Y1ZoUFZ4QmRTK2JVPQMAQQIADTE0MzAwNzQ4ODA1NTQDAC51cm46VG9rZW46YWJmODA1NTEtYmFkNC00ZDA2LWFmMmMtMTQ1YzRjOTdlNGQ0AgAC0A8=" \
  https://10.241.48.31:4443/object/secret-keys | xmllint --format -

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user_secret_keys>
  <secret_key_1>7hXZ9/EHTVvmFuYly/z3gHpihXtEUX/VZxdxDDBd</secret_key_1>
  <secret_key_2>l3fPCuFCG/bxoOXCPZoYuPwhXrSTwU0f1kFDaRUr</secret_key_2>
  <key_expiry_timestamp_1>2015-04-27 17:50:12.369</key_expiry_timestamp_1>
  <key_expiry_timestamp_2/>
  <key_timestamp_1>2015-04-27 17:39:13.813</key_timestamp_1>
  <key_timestamp_2>2015-04-27 17:40:12.506</key_timestamp_2>
  <link rel="self" href="/object/secret-keys"/>
</user_secret_keys>
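
The rotation state shown in the "Check keys" response can be verified programmatically without ever printing a full secret. The following is an added example, not part of the ECS documentation or product code: it parses a response of that shape and reports which key slots are still usable at a given time. The function names are hypothetical, the sample response is constructed with placeholder key values, and timestamps are assumed to be on the same clock as the `now` value the caller passes in.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in the shape of the "Check keys" response above.
# The key values are placeholders, not real secrets.
SAMPLE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user_secret_keys>
  <secret_key_1>EXAMPLE1-placeholder-not-a-real-key</secret_key_1>
  <secret_key_2>EXAMPLE2-placeholder-not-a-real-key</secret_key_2>
  <key_expiry_timestamp_1>2015-04-27 17:50:12.369</key_expiry_timestamp_1>
  <key_expiry_timestamp_2/>
  <key_timestamp_1>2015-04-27 17:39:13.813</key_timestamp_1>
  <key_timestamp_2>2015-04-27 17:40:12.506</key_timestamp_2>
  <link rel="self" href="/object/secret-keys"/>
</user_secret_keys>"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # timestamp layout seen in the responses


def _ts(text):
    # Empty elements such as <key_expiry_timestamp_2/> mean "no value".
    return datetime.strptime(text.strip(), TS_FORMAT) if text and text.strip() else None


def parse_keys(xml_text):
    """Return one dict per key slot (1, 2) that holds a secret."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    keys = []
    for slot in (1, 2):
        secret = (root.findtext(f"secret_key_{slot}") or "").strip()
        if secret:
            keys.append({
                "slot": slot,
                "secret": secret,
                "created": _ts(root.findtext(f"key_timestamp_{slot}")),
                "expires": _ts(root.findtext(f"key_expiry_timestamp_{slot}")),
            })
    return keys


def usable_keys(keys, now):
    """Keys still valid at `now` (server clock assumed), newest first."""
    live = [k for k in keys if k["expires"] is None or k["expires"] > now]
    return sorted(live, key=lambda k: k["created"] or datetime.min, reverse=True)


def report(keys, now):
    """Log-safe status lines: slot, redacted secret, state. Never the full key."""
    live = {k["slot"] for k in usable_keys(keys, now)}
    return [f"slot {k['slot']} {k['secret'][:4]}... "
            f"{'usable' if k['slot'] in live else 'expired'}" for k in keys]
```

During the overlap window both slots are usable and the newer key is listed first, so clients can switch to it before the older key's expiry time passes.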

Delete all secret keys

If you need to delete your secret keys before regenerating them, you can use the following.
curl -ks -H "X-SDS-AUTH-TOKEN: BAAcaVAzNU16eVcwM09rOWd2Y1ZoUFZ4QmRTK2JVPQMAQQIADTE0MzAwNzQ4ODA1NTQDAC51cm46VG9rZW46YWJmODA1NTEtYmFkNC00ZDA2LWFmMmMtMTQ1YzRjOTdlNGQ0AgAC0A8=" \
  -H "Content-Type: application/json" -X POST -d "{}" \
  https://10.241.48.31:4443/object/secret-keys/deactivate
