How to validate AWS Compatible S3 Storage Credentials
This article describes a method for using a bash script to validate S3 storage credentials prior to use with a Kasm deployment.
Kasm supports using the S3 protocol to store and access data for persistent profiles, storage mappings, volume mappings, and session recording. The resulting S3 credentials must be compatible with AWS S3 standards and must have the following permissions:
{
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "<s3 bucket arn>",
        "<s3 bucket arn>/*"
      ]
    },
    {
      "Action": [
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "<s3 bucket arn>"
    }
  ],
  "Version": "2012-10-17"
}
The script provided in the instructions is an optional, open-source method for verifying that your credentials provide access to:
- an AWS S3 compatible endpoint
- the GetObject function
- the PutObject function
- the ListObject function
- the DeleteObject function
- the GetBucketLocation function
If any of these tests fail, your Kasm deployment is also likely to encounter errors when attempting to use the S3 storage provider. If all of these tests fail, further tests within your Kasm deployment are necessary to confirm that Kasm is fully compatible with your S3 storage provider.
Instructions
IMPORTANT: This script and the examples are provided without warranty or support. This method is an ad-hoc solution to assist with troubleshooting potential Kasm deployment issues concerning S3 storage providers. It is critical that you assess the script and the methods suggested below for security and efficacy in your specific environment before attempting them.
The script accepts the S3 access key, access secret, bucket name, and endpoint. Upon execution it creates a temporary hidden directory called ".aws_test_creds" in the current working directory. It stores the supplied S3 credentials in this hidden directory, passes them to a Docker image preloaded with the AWS CLI, and then executes a series of AWS CLI commands to verify that the minimum policy permissions Kasm requires for access to the S3 storage are working. At the end of the script, commands are run to remove the temporary hidden directory. There is a risk of this hidden directory persisting on the client device if the script is stopped or fails before it completes. Manual confirmation and removal of the entire hidden directory is recommended to ensure security.
Create a bash script called "test_aws_s3_creds.sh" with the contents shown below.
#!/usr/bin/env bash
set -e

## USAGE: bash test_aws_s3_creds.sh [AWS_ACCESS_KEY_ID] [AWS_SECRET_ACCESS_KEY] [AWS_BUCKET_NAME] [AWS_BUCKET_ENDPOINT]
## EXAMPLE: bash test_aws_s3_creds.sh 'AKIXXXXXXXXXXXXXXXXX' 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' 'kasmrecords' 's3.us-east-1.amazonaws.com'

AWS_ACCESS_KEY_ID="$1"
AWS_SECRET_ACCESS_KEY="$2"
AWS_BUCKET_NAME="$3"
AWS_BUCKET_ENDPOINT="$4"

## Set temp AWS creds (taken from the script arguments, never hard-coded)
aws_test_creds_dir='./.aws_test_creds'
mkdir -p "${aws_test_creds_dir}"
echo '[default]' >> "${aws_test_creds_dir}/config"
echo '[default]' >> "${aws_test_creds_dir}/credentials"
echo "aws_access_key_id = ${AWS_ACCESS_KEY_ID}" >> "${aws_test_creds_dir}/credentials"
echo "aws_secret_access_key = ${AWS_SECRET_ACCESS_KEY}" >> "${aws_test_creds_dir}/credentials"

## Enable command tracing only after the credentials are written, so "set -x" does not echo the secret
set -x

## Set commands to run
declare -a cmd_list=()
cmd_list+=("s3api get-bucket-location --bucket $AWS_BUCKET_NAME --endpoint-url https://$AWS_BUCKET_ENDPOINT/")
cmd_list+=("s3api put-object --bucket $AWS_BUCKET_NAME --endpoint-url https://$AWS_BUCKET_ENDPOINT/ --key SampleFile1.txt --body /etc/hosts --content-type text/plain")
cmd_list+=("s3api list-objects --query Contents[].{Key:Key,Size:Size} --bucket $AWS_BUCKET_NAME --endpoint-url https://$AWS_BUCKET_ENDPOINT/")
cmd_list+=("s3api get-object --bucket $AWS_BUCKET_NAME --endpoint-url https://$AWS_BUCKET_ENDPOINT/ --key SampleFile1.txt SampleFile1.txt")
cmd_list+=("s3api delete-object --bucket $AWS_BUCKET_NAME --endpoint-url https://$AWS_BUCKET_ENDPOINT/ --key SampleFile1.txt")

## Docker pull the AWS CLI docker image (REF: https://hub.docker.com/r/amazon/aws-cli)
docker pull amazon/aws-cli

## Run commands ($cmd is intentionally unquoted so it splits into separate CLI arguments)
for cmd in "${cmd_list[@]}"
do
  echo "======================================================"
  echo "AWS_CLI_CMD: $cmd"
  echo "------------------------------------------------------"
  docker run --rm -it -v "${aws_test_creds_dir}":/root/.aws amazon/aws-cli $cmd
  echo "======================================================"
  echo -e "\n\n"
done

## Clean up temp AWS creds and sample file
rm -rf "${aws_test_creds_dir}"
Run the script using the following syntax:
bash test_aws_s3_creds.sh [AWS_ACCESS_KEY_ID] [AWS_SECRET_ACCESS_KEY] [AWS_BUCKET_NAME] [AWS_BUCKET_ENDPOINT]
Example:
bash test_aws_s3_creds.sh 'AKIXXXXXXXXXXXXXXXXX' 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' 'kasmrecords' 's3.us-east-1.amazonaws.com'
A failure will be indicated in the script's output. Adding the command option "--debug" to a cmd_list item can provide debug details from the S3 service.
A successful run will provide an output similar to the example below:
======================================================
AWS_CLI_CMD: s3api get-bucket-location --bucket kasmrecords --endpoint-url https://s3.us-east-1.amazonaws.com/
------------------------------------------------------
{
"LocationConstraint": null
}
======================================================
======================================================
AWS_CLI_CMD: s3api put-object --bucket kasmrecords --endpoint-url https://s3.us-east-1.amazonaws.com/ --key SampleFile1.txt --body /etc/hosts --content-type text/plain
------------------------------------------------------
{
"ETag": "\"ca9879b1e4416d553896ad804e31ba46\"",
"ServerSideEncryption": "AES256"
}
======================================================
======================================================
AWS_CLI_CMD: s3api list-objects --query Contents[].{Key:Key,Size:Size} --bucket kasmrecords --endpoint-url https://s3.us-east-1.amazonaws.com/
------------------------------------------------------
[
{
"Key": "SampleFile1.txt",
"Size": 174
}
]
======================================================
======================================================
AWS_CLI_CMD: s3api get-object --bucket kasmrecords --endpoint-url https://s3.us-east-1.amazonaws.com/ --key SampleFile1.txt SampleFile1.txt
------------------------------------------------------
{
"AcceptRanges": "bytes",
"LastModified": "2025-01-15T17:53:09+00:00",
"ContentLength": 174,
"ETag": "\"ca9879b1e4416d553896ad804e31ba46\"",
"ContentType": "text/plain",
"ServerSideEncryption": "AES256",
"Metadata": {}
}
======================================================
======================================================
AWS_CLI_CMD: s3api delete-object --bucket kasmrecords --endpoint-url https://s3.us-east-1.amazonaws.com/ --key SampleFile1.txt
------------------------------------------------------
======================================================
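The instructions note that the credentials directory can persist if the script is stopped or fails early. The following added example, which is not part of the original script, shows one way to close that gap: a private mktemp directory, a cleanup trap that fires on every exit path, and a read-only mount into the container. The function names and the CREDS_DIR variable are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not part of the original script). Function names and the
# CREDS_DIR variable are illustrative assumptions.

# Write an AWS CLI config/credentials pair into a fresh private directory and
# print its path. Runs in a subshell so the umask change does not leak out.
write_temp_creds() (
    umask 077                                   # files are created 0600
    dir="$(mktemp -d "${TMPDIR:-/tmp}/aws_test_creds.XXXXXX")" || exit 1
    printf '[default]\n' > "${dir}/config"
    printf '[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
        "$1" "$2" > "${dir}/credentials"
    printf '%s\n' "$dir"
)

# with_temp_creds KEY_ID SECRET COMMAND [ARGS...]
# Runs COMMAND with CREDS_DIR exported, then removes the directory whether
# COMMAND succeeds, fails, or the run is interrupted. Returns COMMAND's status.
with_temp_creds() (
    set +x                                      # never trace the secrets
    CREDS_DIR="$(write_temp_creds "$1" "$2")" || exit 1
    export CREDS_DIR
    trap 'rm -rf -- "$CREDS_DIR"' EXIT          # fires on every exit path
    trap 'exit 130' INT TERM                    # turn signals into an exit
    shift 2
    "$@"
    exit $?
)

# One S3 check through the same Docker image the article uses; the
# credentials directory is mounted read-only.
aws_in_docker() {
    docker run --rm -v "${CREDS_DIR}:/root/.aws:ro" amazon/aws-cli "$@"
}

# Example call (bucket and endpoint are the article's sample values):
#   with_temp_creds "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" \
#       aws_in_docker s3api get-bucket-location --bucket kasmrecords \
#       --endpoint-url https://s3.us-east-1.amazonaws.com/
```

Because the cleanup runs from an EXIT trap inside a subshell, a failing AWS CLI call or a Ctrl-C still removes the directory, and the caller receives the failing command's exit status.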