Amazon IAM API
SeaweedFS provides AWS IAM API compatibility for managing users, access keys, and policies.
Starting with SeaweedFS 3.x, the IAM API is embedded in the S3 server by default. This means:
- IAM API is available on the same port as S3 (default: 8333)
- No need to run a separate IAM server
- Simplified deployment - single process handles both S3 and IAM
```shell
# IAM is enabled by default
weed s3 -filer=localhost:8888

# Or with weed server
weed server -s3

# To explicitly disable embedded IAM
weed s3 -iam=false -filer=localhost:8888
```

The IAM API is served at the root path (/) of the S3 server and is invoked with POST requests that carry an `Action` parameter:
```shell
# IAM endpoint is the same as S3 endpoint
export AWS_ENDPOINT=http://localhost:8333
```

Note: The standalone `weed iam` command is deprecated. Use the IAM API embedded in the S3 server instead.
For backwards compatibility, you can still run a separate IAM server:

```shell
weed iam -filer=localhost:8888 -port=8111
```

The following IAM actions are supported. The Self-Service column states whether a non-admin user may perform the action on their own identity:

| Action | Description | Self-Service |
|---|---|---|
| CreateUser | Create a new IAM user | Admin only |
| DeleteUser | Delete an IAM user | Admin only |
| GetUser | Get user details | Yes (own user) |
| UpdateUser | Update user properties | Admin only |
| ListUsers | List all users | Admin only |
| SetUserStatus | Enable or disable a user | Admin only |
| CreateAccessKey | Create access key for user | Yes (own keys) |
| DeleteAccessKey | Delete access key | Yes (own keys) |
| UpdateAccessKey | Change access key status (Active/Inactive) | Yes (own keys) |
| ListAccessKeys | List access keys for user | Yes (own keys) |
| CreatePolicy | Validate a policy document | Admin only |
| PutUserPolicy | Attach inline policy to user | Admin only |
| GetUserPolicy | Get user's inline policy | Admin only |
| DeleteUserPolicy | Remove user's inline policy | Admin only |
Users can manage their own access keys without admin privileges:
- Create, delete, and list their own access keys
- View their own user information
Operations on other users require Admin action permission.
Before using the IAM API, create an admin identity that has the Admin action:

```shell
echo 's3.configure -access_key admin_key -secret_key admin_secret -user admin -actions Admin -apply' | weed shell
```

Use your own values instead of the placeholders `admin_key` and `admin_secret`, and keep in mind that a secret passed on the command line like this is recorded in the shell history of the host.

Set environment variables for the AWS CLI:

```shell
export AWS_ACCESS_KEY_ID=admin_key
export AWS_SECRET_ACCESS_KEY=admin_secret
export AWS_ENDPOINT=http://localhost:8333   # S3/IAM endpoint
```
```shell
# Create user
aws --endpoint $AWS_ENDPOINT iam create-user --user-name alice

# Create access key for user
aws --endpoint $AWS_ENDPOINT iam create-access-key --user-name alice
```

```shell
# Create policy document
cat > policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
EOF

# Attach policy to user
aws --endpoint $AWS_ENDPOINT iam put-user-policy \
  --user-name alice \
  --policy-name ReadOnlyPolicy \
  --policy-document file://policy.json
```

The bucket ARN `arn:aws:s3:::my-bucket` is listed next to the object ARN because, as in AWS IAM, `s3:ListBucket` is evaluated against the bucket itself and not against object keys; with only `my-bucket/*` the user could fetch objects whose keys they already know but could not list the bucket.
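Before attaching an inline policy it pays to lint it for the mistakes that are easy to make in documents like the one above: wildcard actions, wildcard resources, and bucket-level actions granted only on object ARNs. The following is an added example, not SeaweedFS code; it applies the AWS IAM rules for which S3 actions are bucket-level (`BUCKET_LEVEL_ACTIONS` is an assumption of this example, as is that SeaweedFS matches ARNs the same way AWS does), and the three sample policies are constructed for the demonstration.

```python
"""Least-privilege lint for an S3 inline policy, run before put-user-policy."""
import fnmatch
import json
from typing import Any, Dict, List

S3_ARN_PREFIX = "arn:aws:s3:::"

# Actions that AWS IAM evaluates against the bucket ARN, not an object ARN
# (assumed list for this example; AWS semantics are the safe baseline).
BUCKET_LEVEL_ACTIONS = (
    "s3:ListBucket",
    "s3:ListBucketVersions",
    "s3:ListBucketMultipartUploads",
    "s3:GetBucketLocation",
)

# Constructed sample policies for this example.
OBJECT_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadOnly", "Effect": "Allow",
                   "Action": ["s3:Get*", "s3:List*"],
                   "Resource": ["arn:aws:s3:::my-bucket/*"]}],
}
BUCKET_AND_OBJECT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadOnly", "Effect": "Allow",
                   "Action": ["s3:Get*", "s3:List*"],
                   "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]}],
}
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action patterns are case-insensitive and support '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _is_bucket_resource(resource: str) -> bool:
    """True for '*', 'arn:aws:s3:::*' or 'arn:aws:s3:::bucket' (no key part)."""
    if resource == "*":
        return True
    if not resource.startswith(S3_ARN_PREFIX):
        return False
    return "/" not in resource[len(S3_ARN_PREFIX):]


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = statement.get("Sid") or f"Statement[{index}]"
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))

        for action in actions:
            if action in ("*", "s3:*"):
                findings.append(f"{sid}: action {action!r} grants every S3 operation")
        if "*" in resources:
            findings.append(f"{sid}: resource '*' grants access to every bucket")

        granted = sorted(b for b in BUCKET_LEVEL_ACTIONS
                         if any(_action_matches(a, b) for a in actions))
        if granted and not any(_is_bucket_resource(r) for r in resources):
            findings.append(
                f"{sid}: {', '.join(granted)} are evaluated against the bucket ARN, "
                f"but only object ARNs are listed; add {S3_ARN_PREFIX}<bucket> as well")
    return findings


def lint_policy_file(path: str) -> List[str]:
    """Lint a policy.json on disk, e.g. the file handed to --policy-document."""
    with open(path, encoding="utf-8") as fh:
        return lint_policy(json.load(fh))


if __name__ == "__main__":
    for name, doc in (("object-only", OBJECT_ONLY_POLICY),
                      ("bucket+object", BUCKET_AND_OBJECT_POLICY),
                      ("overbroad", OVERBROAD_POLICY)):
        print(name, "->", lint_policy(doc) or "clean")
```

Run it as `python lint_policy.py` to see the findings for the three samples, or call `lint_policy_file("policy.json")` on the document you are about to attach.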
```shell
# List all users
aws --endpoint $AWS_ENDPOINT iam list-users

# List access keys for a user
aws --endpoint $AWS_ENDPOINT iam list-access-keys --user-name alice
```

A non-admin user can manage their own access keys:
```shell
# Set credentials for the user
export AWS_ACCESS_KEY_ID=alice_access_key
export AWS_SECRET_ACCESS_KEY=alice_secret_key

# User can create additional access keys for themselves
# (no --user-name needed, defaults to the authenticated user)
aws --endpoint $AWS_ENDPOINT iam create-access-key

# List own access keys
aws --endpoint $AWS_ENDPOINT iam list-access-keys

# Deactivate an access key (key rotation)
aws --endpoint $AWS_ENDPOINT iam update-access-key --access-key-id AKIAEXAMPLE --status Inactive
```

SeaweedFS supports enabling and disabling users and access keys without deleting them. This is useful for:
- Temporary suspension: Disable user access during investigation
- Key rotation: Deactivate old keys before deletion
- Offboarding: Disable rather than delete for audit purposes
- Emergency response: Quickly disable compromised credentials
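The key-rotation use case above has an ordering that matters: create the replacement key, prove it works, only then set the old key Inactive, and delete it later once nothing still depends on it. If the new key fails verification, delete it and leave the old key untouched, so the user is never without a working credential. The following is an added example, not SeaweedFS code. `rotate_access_key` accepts any object exposing the boto3 IAM client methods `create_access_key`, `update_access_key`, `delete_access_key` and `list_access_keys`; against a real server that object would be `boto3.client("iam", endpoint_url="http://localhost:8333", aws_access_key_id=..., aws_secret_access_key=..., region_name="us-east-1")` (assumed to work because the AWS CLI does). `FakeIAM` is a constructed in-memory stand-in so the example runs offline, and the `verify` callback is an assumption of this example.

```python
"""Access key rotation that never leaves the user without a working key."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class RotationResult:
    user_name: str
    old_key_id: str
    new_key_id: str
    new_secret: str
    old_key_status: str  # "Inactive" (kept so it can be re-enabled) or "Deleted"


def rotate_access_key(iam, user_name: str, old_key_id: str,
                      verify: Callable[[str, str], bool],
                      delete_old: bool = False) -> RotationResult:
    """Create -> verify -> deactivate old (-> optionally delete old)."""
    new_key = iam.create_access_key(UserName=user_name)["AccessKey"]
    new_id, new_secret = new_key["AccessKeyId"], new_key["SecretAccessKey"]
    try:
        if not verify(new_id, new_secret):
            raise RuntimeError(f"new key {new_id} failed verification")
    except Exception:
        # Roll back: drop the unproven key. The old key is still Active.
        iam.delete_access_key(UserName=user_name, AccessKeyId=new_id)
        raise
    # Deactivate rather than delete first: Inactive can be reverted with one
    # UpdateAccessKey call if some consumer still depends on the old key.
    iam.update_access_key(UserName=user_name, AccessKeyId=old_key_id, Status="Inactive")
    status = "Inactive"
    if delete_old:
        iam.delete_access_key(UserName=user_name, AccessKeyId=old_key_id)
        status = "Deleted"
    return RotationResult(user_name, old_key_id, new_id, new_secret, status)


class FakeIAM:
    """Constructed in-memory stand-in for the boto3 IAM client (offline runs only)."""

    def __init__(self) -> None:
        self.keys: Dict[str, Dict[str, str]] = {}

    def create_access_key(self, UserName: str) -> dict:
        key_id = "AKIA" + secrets.token_hex(8).upper()   # constructed id format
        secret = secrets.token_urlsafe(30)
        self.keys[key_id] = {"UserName": UserName, "Status": "Active", "Secret": secret}
        return {"AccessKey": {"UserName": UserName, "AccessKeyId": key_id,
                              "SecretAccessKey": secret, "Status": "Active"}}

    def update_access_key(self, UserName: str, AccessKeyId: str, Status: str) -> dict:
        key = self.keys[AccessKeyId]
        if key["UserName"] != UserName:
            raise PermissionError("key belongs to another user")
        key["Status"] = Status
        return {}

    def delete_access_key(self, UserName: str, AccessKeyId: str) -> dict:
        if self.keys[AccessKeyId]["UserName"] != UserName:
            raise PermissionError("key belongs to another user")
        del self.keys[AccessKeyId]
        return {}

    def list_access_keys(self, UserName: str) -> dict:
        return {"AccessKeyMetadata": [
            {"UserName": UserName, "AccessKeyId": k, "Status": v["Status"]}
            for k, v in self.keys.items() if v["UserName"] == UserName]}

    def works(self, key_id: str, secret: str) -> bool:
        """Stand-in for signing a real request (e.g. a HeadBucket) with the candidate key."""
        key = self.keys.get(key_id)
        return bool(key) and key["Status"] == "Active" and key["Secret"] == secret


def _statuses(iam: FakeIAM, user_name: str) -> Dict[str, str]:
    return {k["AccessKeyId"]: k["Status"]
            for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]}


def demo() -> dict:
    """Happy path, then a failed verification that must leave the old key Active."""
    iam = FakeIAM()
    old_id = iam.create_access_key(UserName="alice")["AccessKey"]["AccessKeyId"]
    result = rotate_access_key(iam, "alice", old_id, verify=iam.works)
    after_rotation = _statuses(iam, "alice")
    try:
        rotate_access_key(iam, "alice", result.new_key_id, verify=lambda _i, _s: False)
        rollback_raised = False
    except RuntimeError:
        rollback_raised = True
    return {"result": result, "after_rotation": after_rotation,
            "rollback_raised": rollback_raised,
            "after_failed_rotation": _statuses(iam, "alice")}


if __name__ == "__main__":
    print(demo())
```

Pass `delete_old=True` only after the Inactive key has sat unused for long enough to be sure nothing still signs with it; until then the Inactive state is your rollback.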
```shell
# Disable a user (all their access keys will stop working)
aws --endpoint $AWS_ENDPOINT iam set-user-status --user-name alice --status Inactive

# Re-enable the user
aws --endpoint $AWS_ENDPOINT iam set-user-status --user-name alice --status Active
```

Note that SetUserStatus has no counterpart in the AWS IAM API, so the stock AWS CLI does not know a `set-user-status` subcommand; this step needs a client that can send the action as a signed POST with `Action=SetUserStatus`.

```shell
# Deactivate an access key
aws --endpoint $AWS_ENDPOINT iam update-access-key \
  --user-name alice \
  --access-key-id AKIAEXAMPLE \
  --status Inactive

# Reactivate the access key
aws --endpoint $AWS_ENDPOINT iam update-access-key \
  --user-name alice \
  --access-key-id AKIAEXAMPLE \
  --status Active
```

```shell
# Listing access keys shows their status
aws --endpoint $AWS_ENDPOINT iam list-access-keys --user-name alice
```

Output:
```json
{
  "AccessKeyMetadata": [
    {
      "UserName": "alice",
      "AccessKeyId": "X8R439UM7OSQJX28I9QTP",
      "Status": "Active"
    },
    {
      "UserName": "alice",
      "AccessKeyId": "Y9S540VN8PTRKZ39J0URP",
      "Status": "Inactive"
    }
  ]
}
```

IAM configuration is stored on the filer at /etc/iam/identity.json. Changes are propagated automatically to every S3 server subscribed to filer metadata events.

You can view the current configuration:

```shell
echo 's3.configure' | weed shell
```

See also:

- AWS IAM CLI - AWS CLI examples for IAM operations
- S3 Credentials - Managing S3 access credentials
- S3 Configuration - S3 server configuration options
- Amazon S3 API - S3 API compatibility