Configuring STS for Data Fabric

Describes how to configure the AWS role and enable STS when you import an external S3 object store into the global namespace of the HPE Ezmeral Data Fabric.

Enabling STS is a two-step process:
  1. Configure the role in your AWS environment. See Configuring a Role for Data Fabric in AWS.
  2. Import the external AWS S3 object store with STS enabled, for example by using the maprcli command as described in Importing the External AWS S3 Object Store by Using the maprcli Command.

Prerequisite for Configuring STS

Enabling STS requires Keycloak to be deployed on a publicly reachable network address behind an HTTPS URL, because AWS STS must fetch the provider's OpenID Connect discovery document and signing keys (JWKS) from that URL in order to verify that the JWT tokens presented by Data Fabric were issued by your Keycloak. If your Keycloak deployment resides on an intranet and is not reachable from the public network, you cannot use STS. However, you can still use the access key and secret key import method.

For other STS limitations, see Integrating the AWS Security Token Service (STS) with Data Fabric.
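The following Python pre-flight check, added here as an example and not part of the HPE documentation or the Data Fabric software, makes the prerequisite concrete: it flags an issuer URL that AWS STS could not accept or reach (non-HTTPS, private or loopback address, intranet-only name), checks a Keycloak OpenID discovery document against the configured provider URL, and confirms that a token's iss and aud claims match the provider URL and Audience configured on the IAM identity provider. The host name keycloak.example.com, the realm path, the discovery document and the token payloads are constructed for illustration; the real provider URL comes from the SSO setup card. Signature verification is deliberately left out, because that is the step STS performs with the provider's JWKS and the reason the issuer must be reachable from AWS.

```python
# Pre-flight check for the STS prerequisite. Added example; this is not code
# from HPE or the Data Fabric product. The host name, realm path and token
# payloads below are constructed for illustration.
import base64
import ipaddress
import json
from urllib.parse import urlparse

# Assumed values: in a real deployment the provider URL is copied from the
# SSO setup card of the Data Fabric UI.
ISSUER = "https://keycloak.example.com/realms/datafabric"
AUDIENCE = "edf-client"


def issuer_url_problems(url: str) -> list:
    """Return the reasons why AWS STS could not use `url` as an OIDC issuer.

    An empty list means the static checks pass; reachability from outside
    the intranet still has to be confirmed with a real request.
    """
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("provider URL must use https")
    host = parts.hostname or ""
    if not host:
        problems.append("provider URL has no host")
    elif host == "localhost" or host.endswith((".local", ".internal", ".localdomain")):
        problems.append("host %r is not resolvable from the public internet" % host)
    else:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            pass  # a DNS name: nothing more can be decided offline
        else:
            if addr.is_private or addr.is_loopback or addr.is_link_local:
                problems.append("address %s is not reachable by AWS STS" % host)
    return problems


def discovery_problems(issuer: str, doc: dict) -> list:
    """Check the document served at <issuer>/.well-known/openid-configuration.

    STS compares the token's iss claim with the provider URL and downloads
    jwks_uri to verify signatures, so both must match and be public.
    """
    problems = []
    if doc.get("issuer") != issuer:
        problems.append("discovery issuer %r differs from provider URL %r"
                        % (doc.get("issuer"), issuer))
    problems += ["jwks_uri: " + p for p in issuer_url_problems(doc.get("jwks_uri", ""))]
    return problems


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT with a placeholder signature, for exercising the claim checks."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-key"}
    return "%s.%s.%s" % (_b64url_encode(header), _b64url_encode(claims), "sig")


def token_claim_problems(token: str, issuer: str, audience: str) -> list:
    """Compare the iss and aud claims with the identity provider URL and Audience.

    The signature is deliberately not checked here: STS does that against the
    provider's JWKS, which is why the issuer has to be reachable by AWS.
    """
    try:
        _header, payload, _signature = token.split(".")
        claims = json.loads(_b64url_decode(payload))
        if not isinstance(claims, dict):
            raise ValueError("payload is not a JSON object")
    except (ValueError, UnicodeDecodeError):
        return ["token is not a well-formed JWT"]
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss %r does not match provider URL %r" % (claims.get("iss"), issuer))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        problems.append("aud %r does not contain %r" % (aud, audience))
    return problems


if __name__ == "__main__":
    # Constructed discovery document in the shape Keycloak serves for a realm.
    doc = {"issuer": ISSUER, "jwks_uri": ISSUER + "/protocol/openid-connect/certs"}
    token = make_unsigned_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "df-user"})
    for label, result in (("issuer", issuer_url_problems(ISSUER)),
                          ("discovery", discovery_problems(ISSUER, doc)),
                          ("token", token_claim_problems(token, ISSUER, AUDIENCE))):
        print(label, "ok" if not result else result)
```

In practice you would feed discovery_problems the JSON fetched from the provider URL plus /.well-known/openid-configuration, and token_claim_problems a token obtained from the same Keycloak client; a mismatch in either iss or aud is exactly what STS rejects.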

Configuring a Role for Data Fabric in AWS

Before importing an external S3 object store into the global namespace, you must configure your AWS environment as follows. In AWS:
  1. Navigate to the Identity and Access Management (IAM) dashboard.
  2. In the left-navigation pane, click Identity providers.
  3. Click Add provider.
  4. Click OpenID Connect. This screen enables you to create an external identity provider and specify the type as OIDC.
  5. Specify the provider URL. You can obtain this URL from the SSO setup card of the Data Fabric UI. The URL must begin with https:// and must match exactly the issuer (iss) claim that Keycloak places in its tokens, because AWS STS compares the two when a token is presented.
  6. Set the Audience field to edf-client, and click Add provider. The new provider is added to the list of providers on the Identity providers page. STS also requires the token's audience (aud) claim to contain this value, so tokens issued for a different client ID are rejected.
  7. In the left-navigation pane, click Roles to create a role.
  8. For the trusted entity type, click Web identity.
  9. Select the identity provider that you created in the previous step, then verify that the Audience is edf-client.
  10. Click Next.
  11. Add the permission policies that are applicable for this role. Any entity that presents a valid Data Fabric token and assumes this role will have these permissions. The example on this page specifies the AWS managed policy AmazonS3FullAccess; for production use, attach a policy that is limited to the buckets and actions Data Fabric actually needs (for example, read-only access to specific buckets).
  12. Click Next.
  13. Provide a name for the role. The command example later on this page uses the role name Keycloak-webid-s3-readonly.
  14. Scroll down, and click Create role.
  15. Navigate to the newly created role to get its ARN, which has the form arn:aws:iam::<account-id>:role/<role-name>. Note the ARN string.

    You must provide the ARN in the next set of steps when you use the maprcli command to import AWS S3 into the global namespace by using STS.
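The following Python module, added here as an example and not part of the HPE documentation or the Data Fabric software, produces the IAM documents that the console steps above create, so they can be reviewed or applied with infrastructure-as-code tooling and checked before the role ARN is handed to maprcli: the OIDC provider ARN derived from the issuer URL, the Web identity trust policy with its aud condition, a bucket-scoped S3 policy as a least-privilege alternative to AmazonS3FullAccess, a re-check of an existing trust policy, and a shape check for the role ARN. The account ID 123456789012, the issuer URL keycloak.example.com/realms/datafabric, the bucket name and the role name are hypothetical placeholders.

```python
# IAM documents behind the console steps above. Added example; this is not
# HPE or Data Fabric code. Account ID, issuer URL, bucket and role names are
# hypothetical placeholders.
import json
import re
from urllib.parse import urlparse

ACCOUNT_ID = "123456789012"
ISSUER = "https://keycloak.example.com/realms/datafabric"  # in practice: SSO setup card
AUDIENCE = "edf-client"


def oidc_provider_arn(account_id: str, issuer: str) -> str:
    """IAM names an OIDC identity provider by its issuer URL without the scheme."""
    parts = urlparse(issuer)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("issuer must be an https URL")
    return "arn:aws:iam::%s:oidc-provider/%s%s" % (
        account_id, parts.netloc, parts.path.rstrip("/"))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def web_identity_trust_policy(provider_arn: str, audience: str) -> dict:
    """Trust policy equivalent to choosing Web identity, the provider and the Audience.

    The aud condition is what stops tokens minted for another client of the
    same Keycloak from assuming this role.
    """
    provider_id = provider_arn.split(":oidc-provider/", 1)[1]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {provider_id + ":aud": audience}},
        }],
    }


def trust_policy_problems(policy: dict, provider_arn: str, audience: str) -> list:
    """Re-check an existing trust policy: right provider, aud pinned (step 9)."""
    provider_id = provider_arn.split(":oidc-provider/", 1)[1]
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or \
                "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if federated != provider_arn:
            problems.append("statement trusts %r, not %r" % (principal, provider_arn))
        pinned = stmt.get("Condition", {}).get("StringEquals", {}).get(provider_id + ":aud")
        if audience not in _as_list(pinned):
            problems.append("no aud condition pinning %r" % audience)
    return problems


def s3_permission_policy(bucket: str, read_only: bool = True) -> dict:
    """Bucket-scoped alternative to AmazonS3FullAccess."""
    object_actions = ["s3:GetObject"]
    if not read_only:
        object_actions += ["s3:PutObject", "s3:DeleteObject"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": "arn:aws:s3:::%s" % bucket},
            {"Effect": "Allow",
             "Action": object_actions,
             "Resource": "arn:aws:s3:::%s/*" % bucket},
        ],
    }


ROLE_ARN = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:role/[\w+=,.@/-]+$")


def is_role_arn(arn: str) -> bool:
    """True if `arn` is an IAM role ARN, the kind of value -awswebidrolearn takes."""
    return bool(ROLE_ARN.match(arn))


if __name__ == "__main__":
    provider = oidc_provider_arn(ACCOUNT_ID, ISSUER)
    print(json.dumps(web_identity_trust_policy(provider, AUDIENCE), indent=2))
    print(json.dumps(s3_permission_policy("df-external-bucket"), indent=2))
    role = "arn:aws:iam::%s:role/Keycloak-webid-s3-readonly" % ACCOUNT_ID
    print(role, "looks like a role ARN" if is_role_arn(role) else "is not a role ARN")
```

Running the module prints the two policy documents. trust_policy_problems is useful for roles that were created earlier or by hand, where the aud condition may have been left out; without it, any token from the same Keycloak, whatever client it was issued for, would satisfy the trust policy.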

Importing the External AWS S3 Object Store by Using the maprcli Command

Starting with release 7.7.0, the maprcli clustergroup addexternal command is enhanced with a new option to support STS-based access. The command, which is used to import external S3 servers, includes a new -awswebidrolearn option. To enable STS when you run the command, you must:
  • Specify the -awswebidrolearn option
  • Set the -type option to s3
  • Set the -s3vendor option to aws

When you use these settings, Data Fabric ignores any access key and secret key that you provide and obtains S3 access for the server through STS: it presents its Keycloak-issued token to assume the role specified in -awswebidrolearn and uses the temporary credentials that STS returns.

The following example command configures an external S3 object store to use STS access:
maprcli clustergroup addexternal  -type s3 -s3vendor aws -awswebidrolearn 'arn:aws:iam::74601xxxxxxx:role/Keycloak-webid-s3-readonly'

Related maprcli Commands

To implement the features described on this page, Data Fabric relies on the maprcli clustergroup addexternal command. For more information, see maprcli Commands in This Guide.