Network and Storage Protocols

S3-Bucket Key Authentication

Neolitics
308 Views

Hello everyone,

 

I would like to know if I can use a FAS 2720 and ONTAP 9.12 to share S3 buckets with public and private key authentication?

 The idea is that the client has the private key on his workstation and when he mounts the S3 share, the authentication is done with the encryption keys.

 

Thanks for your help.

 Neolitics

1 ACCEPTED SOLUTION

elementx
294 Views

S3 uses its own key pairs and there's no way to "map" them to some other keys stored on ONTAP.

 

If you want to build some client-side stuff that prompts the user to enter a password (for Active Directory, LDAP, password for encrypted Zip file, etc.) and get the S3 key pair from there or some other database, you may do that but S3 service doesn't know or care how it's done.

 

S3 API access must use a valid access & secret key. How you get it and whether you encrypt it or not is a client-side concern. There's nothing ONTAP S3-specific in this process.

 

There's an API that lets you create own keys, but again, how you store and access them is up to you.

https://docs.netapp.com/us-en/ontap/s3-config/generate-access-keys-api.html

 

In theory you could auth against LDAP and always create a new set of keys to access S3 without storing the key pair anywhere. But I'm not sure if there's a best practice for this (that is, if ONTAP S3 can tolerate everyone creating a new pair every time they use S3).

View solution in original post

2 REPLIES 2

elementx
295 Views

S3 uses its own key pairs and there's no way to "map" them to some other keys stored on ONTAP.

 

If you want to build some client-side stuff that prompts the user to enter a password (for Active Directory, LDAP, password for encrypted Zip file, etc.) and get the S3 key pair from there or some other database, you may do that but S3 service doesn't know or care how it's done.

 

S3 API access must use a valid access & secret key. How you get it and whether you encrypt it or not is a client-side concern. There's nothing ONTAP S3-specific in this process.

 

There's an API that lets you create own keys, but again, how you store and access them is up to you.

https://docs.netapp.com/us-en/ontap/s3-config/generate-access-keys-api.html

 

In theory you could auth against LDAP and always create a new set of keys to access S3 without storing the key pair anywhere. But I'm not sure if there's a best practice for this (that is, if ONTAP S3 can tolerate everyone creating a new pair every time they use S3).

Neolitics
206 Views

Thank you elementx for your reply.

Your answer and the documentation provided in your reply will help me in my study.

Best wishes for 2024.

Philippe (Paris France)

Public