Integrating the AWS Security Token Service (STS) with Data Fabric

Describes how the HPE Ezmeral Data Fabric can access AWS services by using the Security Token Service (STS) rather than a secret key and access key.

Data Fabric releases 7.5 and later support importing an external S3 object store into the global namespace. This feature requires the user to provide an access key and secret key to access the external S3 object store.

With release 7.7.0, Data Fabric provides a new option for gaining access to AWS S3 object stores. You can import an external AWS S3 server by using the maprcli clustergroup addexternal command and specifying an Amazon Resource Name (ARN) to enable STS authentication. For configuration steps, see Configuring STS for Data Fabric.

Using STS simplifies the process of accessing AWS services by using STS tokens for authentication. With STS tokens, the Data Fabric user can assume an AWS role and get temporary credentials to perform S3 actions. Once the external S3 object store is imported into the global namespace, all S3 operations automatically use STS.

How STS Works with Keycloak and Data Fabric

The following diagram illustrates the authentication flow in which a Keycloak web identity is exchanged, through AWS STS, for temporary credentials to a user's AWS account:

In the diagram:
  1. The user logs in to the Data Fabric.
  2. Keycloak authenticates the user and generates a JWT token for the user.
  3. The Data Fabric presents the Keycloak JWT token to STS and requests a temporary access key and secret key for the user.
  4. STS verifies the token validity.
  5. If the token is valid, STS responds with temporary credentials to access the user's AWS account.
  6. Data Fabric accesses the user account to perform the infrastructure or S3 actions.
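Steps 3 through 5 only succeed if the role named by the ARN you pass to maprcli clustergroup addexternal trusts the Keycloak realm as an OpenID Connect identity provider. The following IAM role trust policy is an added example, not part of the Data Fabric documentation or product; the account ID 111122223333, the provider host keycloak.example.com, the realm datafabric, and the client ID datafabric-client are placeholders for your own values (the provider must already be registered in IAM, and STS must be able to fetch the realm's signing keys from it, which is why Keycloak needs a publicly reachable address).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDataFabricKeycloakTokens",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/keycloak.example.com/realms/datafabric"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "keycloak.example.com/realms/datafabric:aud": "datafabric-client"
        }
      }
    }
  ]
}
```

The aud condition restricts the role to JWT tokens issued for the Data Fabric client in that realm, so a token minted for another Keycloak client cannot assume it; the role's separate permissions policy should likewise be limited to the S3 buckets being imported.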

Limitations for STS Support

Note the following limitations for using STS in the current release:
  • The option to use STS when importing an S3 object store is available only for AWS S3 object stores. Non-AWS S3 object stores may not use STS with Data Fabric.
  • The Data Fabric UI does not currently provide an option to enable STS when you import an S3 object store. You must use the maprcli clustergroup addexternal command to enable STS. If you use the Data Fabric UI import method, authentication is handled through the access key and secret key.
  • Enabling STS requires Keycloak to be deployed on a public network IP address so that AWS STS can communicate with Keycloak and verify that the JWT tokens are from the Data Fabric software. If your Keycloak deployment resides on an intranet and is not reachable by a public network, you cannot use STS. However, you can still use the access key and secret key import method.