Diffstat (limited to 'doc/radosgw/role.rst')
-rw-r--r-- | doc/radosgw/role.rst | 82 |
1 files changed, 57 insertions, 25 deletions
diff --git a/doc/radosgw/role.rst b/doc/radosgw/role.rst index e97449872..514f17d5c 100644 --- a/doc/radosgw/role.rst +++ b/doc/radosgw/role.rst @@ -2,14 +2,20 @@ Role ====== -A role is similar to a user and has permission policies attached to it, that determine what a role can or can not do. A role can be assumed by any identity that needs it. If a user assumes a role, a set of dynamically created temporary credentials are returned to the user. A role can be used to delegate access to users, applications, services that do not have permissions to access some s3 resources. +A role is similar to a user. It has permission policies attached to it that +determine what it can do and what it cannot do. A role can be assumed by any +identity that needs it. When a user assumes a role, a set of +dynamically-created temporary credentials are provided to the user. A role can +be used to delegate access to users, to applications, and to services that do +not have permissions to access certain S3 resources. -The following radosgw-admin commands can be used to create/ delete/ update a role and permissions associated with a role. +The following ``radosgw-admin`` commands can be used to create or delete or +update a role and the permissions associated with it. Create a Role ------------- -To create a role, execute the following:: +To create a role, run a command of the following form:: radosgw-admin role create --role-name={role-name} [--path=="{path to the role}"] [--assume-role-policy-doc={trust-policy-document}] 
@@ -23,15 +29,16 @@ Request Parameters ``path`` -:Description: Path to the role. The default value is a slash(/). +:Description: Path to the role. The default value is a slash(``/``). :Type: String ``assume-role-policy-doc`` -:Description: The trust relationship policy document that grants an entity permission to assume the role. +:Description: The trust relationship policy document that grants an entity + permission to assume the role. :Type: String -For example:: +For example:: radosgw-admin role create --role-name=S3Access1 --path=/application_abc/component_xyz/ --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\} @@ -51,9 +58,11 @@ For example:: Delete a Role ------------- -To delete a role, execute the following:: +To delete a role, run a command of the following form: - radosgw-admin role delete --role-name={role-name} +.. prompt:: bash + + radosgw-admin role delete --role-name={role-name} Request Parameters ~~~~~~~~~~~~~~~~~~ @@ -63,18 +72,23 @@ Request Parameters :Description: Name of the role. :Type: String -For example:: +For example: + +.. prompt:: bash - radosgw-admin role delete --role-name=S3Access1 + radosgw-admin role delete --role-name=S3Access1 -Note: A role can be deleted only when it doesn't have any permission policy attached to it. +Note: A role can be deleted only when it has no permission policy attached to +it. Get a Role ---------- -To get information about a role, execute the following:: +To get information about a role, run a command of the following form: - radosgw-admin role get --role-name={role-name} +.. prompt:: bash + + radosgw-admin role get --role-name={role-name} Request Parameters ~~~~~~~~~~~~~~~~~~ 
@@ -84,9 +98,11 @@ Request Parameters :Description: Name of the role. :Type: String -For example:: +For example: + +.. prompt:: bash - radosgw-admin role get --role-name=S3Access1 + radosgw-admin role get --role-name=S3Access1 .. code-block:: javascript @@ -104,21 +120,26 @@ For example:: List Roles ---------- -To list roles with a specified path prefix, execute the following:: +To list roles with a specified path prefix, run a command of the following form: + +.. prompt:: bash - radosgw-admin role list [--path-prefix ={path prefix}] + radosgw-admin role list [--path-prefix ={path prefix}] Request Parameters ~~~~~~~~~~~~~~~~~~ ``path-prefix`` -:Description: Path prefix for filtering roles. If this is not specified, all roles are listed. +:Description: Path prefix for filtering roles. If this is not specified, all + roles are listed. :Type: String -For example:: +For example: + +.. prompt:: bash - radosgw-admin role list --path-prefix="/application" + radosgw-admin role list --path-prefix="/application" .. code-block:: javascript @@ -134,7 +155,6 @@ For example:: } ] - Update Assume Role Policy Document of a role -------------------------------------------- @@ -334,6 +354,7 @@ Create a Role ------------- Example:: + POST "<hostname>?Action=CreateRole&RoleName=S3Access&Path=/application_abc/component_xyz/&AssumeRolePolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}" .. code-block:: XML 
@@ -353,14 +374,18 @@ Delete a Role ------------- Example:: + POST "<hostname>?Action=DeleteRole&RoleName=S3Access" -Note: A role can be deleted only when it doesn't have any permission policy attached to it. +Note: A role can be deleted only when it doesn't have any permission policy +attached to it. If you intend to delete a role, you must first delete any +policies attached to it. Get a Role ---------- Example:: + POST "<hostname>?Action=GetRole&RoleName=S3Access" .. code-block:: XML @@ -380,6 +405,7 @@ List Roles ---------- Example:: + POST "<hostname>?Action=ListRoles&RoleName=S3Access&PathPrefix=/application" .. code-block:: XML @@ -399,18 +425,21 @@ Update Assume Role Policy Document ---------------------------------- Example:: + POST "<hostname>?Action=UpdateAssumeRolePolicy&RoleName=S3Access&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER2\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}" Add/ Update a Policy attached to a Role --------------------------------------- Example:: + POST "<hostname>?Action=PutRolePolicy&RoleName=S3Access&PolicyName=Policy1&PolicyDocument=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:CreateBucket\"\],\"Resource\":\"arn:aws:s3:::example_bucket\"\}\]\}" List Permission Policy Names attached to a Role ----------------------------------------------- Example:: + POST "<hostname>?Action=ListRolePolicies&RoleName=S3Access" .. code-block:: XML @@ -424,6 +453,7 @@ Get Permission Policy attached to a Role ---------------------------------------- Example:: + POST "<hostname>?Action=GetRolePolicy&RoleName=S3Access&PolicyName=Policy1" .. code-block:: XML @@ -439,6 +469,7 @@ Delete Policy attached to a Role -------------------------------- Example:: + POST "<hostname>?Action=DeleteRolePolicy&RoleName=S3Access&PolicyName=Policy1" Tag a role 
@@ -447,6 +478,7 @@ A role can have multivalued tags attached to it. These tags can be passed in as AWS does not support multi-valued role tags. Example:: + POST "<hostname>?Action=TagRole&RoleName=S3Access&Tags.member.1.Key=Department&Tags.member.1.Value=Engineering" .. code-block:: XML @@ -463,6 +495,7 @@ List role tags Lists the tags attached to a role. Example:: + POST "<hostname>?Action=ListRoleTags&RoleName=S3Access" .. code-block:: XML @@ -486,6 +519,7 @@ Delete role tags Delete a tag/ tags attached to a role. Example:: + POST "<hostname>?Action=UntagRoles&RoleName=S3Access&TagKeys.member.1=Department" .. code-block:: XML @@ -500,6 +534,7 @@ Update Role ----------- Example:: + POST "<hostname>?Action=UpdateRole&RoleName=S3Access&MaxSessionDuration=43200" .. code-block:: XML @@ -565,6 +600,3 @@ The following is sample code for adding tags to role, listing tags and untagging 'Department', ] ) - - - |
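Review bot: In the @@ -2,14 +2,20 @@ hunk, the Create a Role synopsis left as context still reads ``--path=="{path to the role}"`` with a doubled ``=``, while the example further down uses ``--path=/application_abc/component_xyz/``. Since the sentence directly above it is being reworded, fix the synopsis to a single ``=`` in the same change and convert the block to ``.. prompt:: bash`` as is done for delete, get and list. In the new intro paragraph, "a set of dynamically-created temporary credentials are provided" should read "is provided" (the subject is "a set"), and "create or delete or update" reads better as "create, delete, or update".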
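Review bot: In the @@ -23,15 +29,16 @@ hunk, the ``For example::`` line is removed and re-added with no visible difference, and the create example under it stays a ``::`` literal block while the delete, get and list examples in this patch move to ``.. prompt:: bash``. Convert it as well, or say in the commit message why it is left out. Also, "a slash(``/``)" needs a space before the parenthesis.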
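Review bot: In the @@ -63,18 +72,23 @@ hunk, the rewrapped "Note: A role can be deleted only when it has no permission policy attached to it." is still plain paragraph text, and its wording now differs from the REST-side note changed at @@ -353,14 +374,18 @@, which keeps "doesn't have any" and adds the instruction to delete attached policies first. Use a ``.. note::`` directive and the same wording in both places, so that the CLI section also tells the reader to remove attached policies before running ``role delete``.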
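Review bot: In the @@ -104,21 +120,26 @@ hunk, the new synopsis line ``radosgw-admin role list [--path-prefix ={path prefix}]`` carries over a stray space before ``=``, which does not match the example a few lines later (``--path-prefix="/application"``). Write it as ``[--path-prefix={path prefix}]`` so the synopsis and the example agree.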
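Review bot: In the @@ -353,14 +374,18 @@ hunk, the added sentence "you must first delete any policies attached to it" does not say how. Point the reader at the sections of this file that cover it, "List Permission Policy Names attached to a Role" (``Action=ListRolePolicies``) and "Delete Policy attached to a Role" (``Action=DeleteRolePolicy``), preferably as cross-references rather than repeated text.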
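Review bot: In the @@ -380,6 +405,7 @@ hunk, the ListRoles example kept as context sends ``RoleName=S3Access`` together with ``PathPrefix=/application``, but the CLI section of this same file documents only ``path-prefix`` as a filter for listing. While this example is being touched, check whether ``RoleName`` has any effect on ListRoles and drop it from the request if it does not.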
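Review bot: In the @@ -486,6 +519,7 @@ hunk, the example action is spelled ``UntagRoles``, while the neighbouring examples use the singular forms ``TagRole`` and ``ListRoleTags``. Check the spelling against the action name the gateway accepts and correct it in this pass if it is a typo, since readers copy these requests verbatim.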