Octelium enables you to seamlessly provide identity-based, secret-less secure access to your AWS S3 buckets or any S3 compatible stores. The benefits of using Octelium to access your S3 bucket objects can be summed up as follows:
- You no longer need to allow public, unrestricted anonymous access to your S3 buckets.
- Eliminate the need to manage AWS IAM identities and to create, distribute, monitor, rotate and revoke over-privileged, long-lived AWS credentials for your human Users (possibly hundreds or thousands of them) as well as for the service accounts and workloads that actually need to access your S3 resources. You can read more about Octelium's secret-less access capabilities here.
- You can use Octelium's rich, identity-based, context-aware, L7-aware, per-request, centralized access control via policy-as-code with CEL and OPA to enforce fine-grained access control far beyond what AWS policies can offer (read more about Policies and access control here).
- Centralize identity management for all of your human Users via Octelium's OpenID Connect and SAML 2.0 IdentityProviders (read more here) as well as for your workload Users via OAuth2 client credentials (read more here) and bearer access tokens (read more here).
Let us assume that we have an S3 bucket with the URL `https://my-bucket-abcdef-123456.s3.eu-central-1.amazonaws.com`. Create an IAM user and obtain an access key for that user with `s3:GetObject` permission to that bucket. Now you can create a Secret holding your AWS IAM user's secret access key as follows:
```shell
octeliumctl create secret s3-bucket-1
```
Now we create our S3 bucket's Service as follows:
```yaml
kind: Service
metadata:
  name: s3
spec:
  mode: HTTP
  isPublic: true
  config:
    upstream:
      url: https://my-bucket-abcdef-123456.s3.eu-central-1.amazonaws.com
    http:
      auth:
        sigv4:
          accessKeyID: ABCDEF...FEDCBA
          secretAccessKey:
            fromSecret: s3-bucket-1
          region: eu-central-1
          service: s3
```
Note that you have to set the `service` field to `s3` and the `region` field to your S3 bucket's region.
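To make concrete what the `sigv4` block above does on the User's behalf, here is an added illustration (not Octelium's code) of AWS Signature Version 4 signing for an S3 `GET` object request: the Service holds the access key and the Secret, derives the scoped signing key, builds the canonical request and attaches the `Authorization` header, so the client only ever authenticates to Octelium and never sees an AWS credential. The bucket host, object path, timestamp and credentials are constructed sample values (the key pair is the placeholder pair from AWS's own documentation), not real ones.

```python
import hashlib
import hmac
from urllib.parse import quote

# Hex SHA-256 of an empty body; a GET object request carries no payload.
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()

# Constructed placeholder credentials: the example key pair used in AWS's
# documentation, not a real identity. In Octelium these live in the Secret.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the scoped signing key: an HMAC chain over date, region and service.
    The long-lived secret is only ever used as the root of this chain."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: dict, headers: dict, payload_hash: str):
    """Build the SigV4 canonical request string and the SignedHeaders list."""
    # Header names are lowercased, values trimmed and internal whitespace collapsed,
    # then sorted by name; every header listed here is covered by the signature.
    normalized = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(normalized)
    signed_headers = ";".join(names)
    canonical_headers = "".join(f"{n}:{normalized[n]}\n" for n in names)
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    # S3 canonical URIs are encoded once, with "/" left intact.
    canonical_uri = quote(path, safe="/-_.~")
    creq = "\n".join([method, canonical_uri, canonical_query, canonical_headers,
                      signed_headers, payload_hash])
    return creq, signed_headers


def sign_get_object(host: str, path: str, region: str, amz_date: str,
                    access_key_id: str = ACCESS_KEY_ID,
                    secret: str = SECRET_ACCESS_KEY) -> dict:
    """Return the headers a signing proxy attaches to `GET <path>` on <host>.
    `amz_date` is the ISO-8601 basic timestamp, e.g. 20240101T000000Z."""
    date = amz_date[:8]
    headers = {
        "host": host,
        "x-amz-content-sha256": EMPTY_PAYLOAD_SHA256,
        "x-amz-date": amz_date,
    }
    creq, signed_headers = canonical_request("GET", path, {}, headers, EMPTY_PAYLOAD_SHA256)
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(creq.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        signing_key(secret, date, region, "s3"),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


if __name__ == "__main__":
    # Constructed sample request against the bucket used in this guide.
    signed = sign_get_object(
        "my-bucket-abcdef-123456.s3.eu-central-1.amazonaws.com",
        "/prefix1/photo.jpg", "eu-central-1", "20240101T000000Z",
    )
    for name, value in signed.items():
        print(f"{name}: {value}")
```

Two properties of this scheme are worth noticing from the defender's side: the signature is bound to the exact path, host and timestamp, so a signed request cannot be replayed against a different object, and the signing key is derived per day, region and service, so the raw secret never leaves the component that holds it. That component is the Octelium Service, which is why Users need no AWS credential at all.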
Authorized Users can now fetch S3 objects at the public URL `https://s3.<DOMAIN>`. When it comes to access control, Octelium provides a rich, layer-7 aware, identity-based, context-aware ABAC model evaluated on a per-request basis, where you can control access based on the HTTP request's path, method, body content and more, using policy-as-code with CEL and Open Policy Agent (OPA) (you can read more in detail about Policies and access control here). Here is an example:
```yaml
kind: Service
metadata:
  name: s3
spec:
  mode: HTTP
  isPublic: true
  config:
    upstream:
      url: https://my-bucket-abcdef-123456.s3.eu-central-1.amazonaws.com
    http:
      auth:
        sigv4:
          accessKeyID: ABCDEF...FEDCBA
          secretAccessKey:
            fromSecret: s3-bucket-1
          region: eu-central-1
          service: s3
  authorization:
    inlinePolicies:
      - spec:
          rules:
            - effect: ALLOW
              condition:
                all:
                  of:
                    - match: ctx.user.spec.email.endsWith("@example.com")
                    - match: ctx.user.spec.groups.hasAny(["dev", "ops"])
                    - match: ctx.request.http.path.startsWith("/prefix1")
                    - match: [".jpg", ".webp"].exists(x, ctx.request.http.path.endsWith(x))
                    - match: ctx.request.http.method == "GET"
```
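To see exactly which requests the inline Policy above lets through, here is an added illustration (not Octelium's code, and not a CEL engine) that re-expresses each of the five `match:` expressions as a plain Python predicate, applies the `all.of` semantics (every match must hold, otherwise the request falls through to the default deny) and runs the result over a handful of constructed User and request contexts. The `UserSpec` and `HttpRequest` types and the sample identities are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class UserSpec:
    """Stand-in for the parts of ctx.user.spec the rule reads (assumed shape)."""
    email: str
    groups: List[str]


@dataclass
class HttpRequest:
    """Stand-in for the parts of ctx.request.http the rule reads (assumed shape)."""
    path: str
    method: str


# The two suffix alternatives from `[".jpg", ".webp"].exists(x, ...)`.
ALLOWED_SUFFIXES = (".jpg", ".webp")

# One predicate per `match:` line of the ALLOW rule, in the same order.
RULES: List[Tuple[str, Callable[[UserSpec, HttpRequest], bool]]] = [
    ('ctx.user.spec.email.endsWith("@example.com")',
     lambda u, r: u.email.endswith("@example.com")),
    ('ctx.user.spec.groups.hasAny(["dev", "ops"])',
     lambda u, r: any(g in ("dev", "ops") for g in u.groups)),
    ('ctx.request.http.path.startsWith("/prefix1")',
     lambda u, r: r.path.startswith("/prefix1")),
    ('[".jpg", ".webp"].exists(x, ctx.request.http.path.endsWith(x))',
     lambda u, r: any(r.path.endswith(x) for x in ALLOWED_SUFFIXES)),
    ('ctx.request.http.method == "GET"',
     lambda u, r: r.method == "GET"),
]


def evaluate(user: UserSpec, request: HttpRequest) -> Tuple[str, Optional[str]]:
    """Apply the single ALLOW rule under `all.of` semantics.
    Returns ("ALLOW", None) when every match holds, otherwise ("DENY", <first
    failing match>): a request matched by no ALLOW rule is denied by default."""
    for expression, predicate in RULES:
        if not predicate(user, request):
            return "DENY", expression
    return "ALLOW", None


# Constructed sample contexts (not real identities or traffic).
SAMPLES = [
    (UserSpec("alice@example.com", ["dev"]), HttpRequest("/prefix1/photo.jpg", "GET")),
    (UserSpec("alice@example.com", ["dev"]), HttpRequest("/prefix1/photo.jpg", "PUT")),
    (UserSpec("alice@example.com", ["dev"]), HttpRequest("/prefix2/photo.jpg", "GET")),
    (UserSpec("alice@example.com", ["ops"]), HttpRequest("/prefix1/export.csv", "GET")),
    (UserSpec("bob@example.com", ["marketing"]), HttpRequest("/prefix1/photo.webp", "GET")),
    (UserSpec("mallory@example.org", ["dev"]), HttpRequest("/prefix1/photo.jpg", "GET")),
]


def run_samples() -> List[Tuple[str, str, str, Optional[str]]]:
    """Evaluate every sample; each row is (email, 'METHOD path', effect, failed match)."""
    rows = []
    for user, request in SAMPLES:
        effect, failed = evaluate(user, request)
        rows.append((user.email, f"{request.method} {request.path}", effect, failed))
    return rows


if __name__ == "__main__":
    for email, req, effect, failed in run_samples():
        print(f"{effect:5} {email:22} {req:28} {failed or ''}")
```

Note that the per-request attributes (path, method) and the identity attributes (email, groups) are combined in one rule; this is what lets a single Policy express "developers and operators may read image objects under `/prefix1`, and nothing else" without any corresponding IAM policy on the AWS side. Octelium evaluates the real CEL expressions in the Service; this illustration only mirrors their logic so that the decision for each sample is visible.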
Octelium also provides OpenTelemetry-ready, application-layer L7 aware visibility and access logging in real time (see an example for HTTP here). You can read more about visibility here.
This was a very short guide showing how to use Octelium to deploy, scale, route and provide dynamic zero-trust secure access to your workloads. Here are a few more related features that you might be interested in:
- Routing not just by request paths, but also by header keys and values, request body content including JSON (read more here).
- Request/response header manipulation (read more here).
- Cross-Origin Resource Sharing (CORS) (read more here).
- gRPC mode (read more here).
- Secret-less access to upstreams and injecting bearer, basic, or custom authentication header credentials (read more here).
- Exposing the API publicly for anonymous access (read more here).
- Application layer-aware ABAC access control via policy-as-code using CEL and Open Policy Agent (read more here).
- OpenTelemetry-ready, application-layer L7 aware auditing and visibility (read more here).