Practical persistent cloud storage for Docker in AWS using RexRay - pt 3

Posted by Eric Noriega

Jul 26, 2017 11:25:00 AM Docker, Amazon Web Services, aws, RexRay

RexRay is a plugin module available for use with Docker which provides the ability to use shared storage as a Docker volume. It is quick to set up and provides near seamless data sharing between containers. We review its basic design and detail tips for its use in the AWS environment.


Previously we configured RexRay and then added various IAM policies in order to manage access to our S3 resources. Now let's take that basic read-write policy and make it more flexible for the people running our container infrastructure. Once again let's start with our basic S3 access policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

Why manage access?

One reason limiting RexRay via an IAM policy has value is that the AWS S3 service uses the bucket as the hook for automation and management features such as versioning, logging, and replication, as well as for the default security settings (configurable as a bucket policy).

We are also preventing the IAM credentials from doing something dangerous such as making the bucket contents public. RexRay doesn't currently do this, but someone holding the credentials could enable public access with the AWS CLI. At the same time, we don't want to insert ourselves into every volume creation, since that slows things down.

A space to work in

The plan is to give some level of control to the persons managing containers. Let's add a condition allowing full access and control of a set of buckets based on the name prefix of the bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:CreateBucket",
      "Resource": "arn:aws:s3:::dockvol-example-com*",
      "Condition": {
        "ForAllValues:StringLike": {
          "s3:LocationConstraint": "us-east-*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::dockvol-example-com*",
        "arn:aws:s3:::dockvol-example-com*/*"
      ]
    }
  ]
}

Notice that we added two statements to the policy. The original stanza allows the plugin to find and locate buckets and is our base policy. The second allows us to create buckets (volumes) as long as the bucket name carries the prefix and the bucket location will be in the us-east-1 or us-east-2 AWS regions. The last stanza grants all S3 operations against buckets created under the prefix. This is a reasonable way to hand off a chunk of S3 storage with full rights. Note this includes bucket deletion and bucket-level settings, and that "s3:*" also matches s3:CreateBucket, so the region condition in the second stanza only takes effect once the last stanza is narrowed. If we want to pare those rights down, we would change "Action": "s3:*" to a list of specific actions.

Trying it out

As before, we will attach this to the user directly as a policy using the AWS console.


In the console, select the IAM service, select Users.

[Image: IAM dashboard]


Choose the user you are using for plugin storage access.  Remove any policies that you might have associated with the user (1), and then select "Add inline policy" (2).

[Image: removing existing policies from the IAM user]

Select "Custom Policy"; you can then paste in the policy. Give the policy a name, and select "Apply Policy".

[Image: adding the inline policy]

This gives us the ability to hand out sets of buckets to systems or clusters without worrying about existing S3 buckets or micro-managing access. Now to verify it:

docker volume create --driver rexray/s3fs:0.9.2 dockvol-example-com99
docker volume create --driver rexray/s3fs:0.9.2 dockvol-example-com201
docker run -it -v dockvol-example-com201:/myvol ubuntu bash
...inside the container here...
# cd /myvol
# date >mydate
# ls -l


An interesting item of note is that certain variables can be used in the policy, such as ${aws:username} or ${aws:userid}. By using these as part of the bucket prefix, you could create a self-documenting system of S3 buckets. (See the IAM documentation on policy variables for details.)
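To reason about what the prefix policy from the "A space to work in" section actually grants, and about the policy-variable idea above, here is an added example (not code from the original post or from the RexRay project): a small offline evaluator for the subset of IAM semantics these policies rely on. It embeds the read-write policy with the bucket-creation statement scoped by the bucket ARN prefix (the s3:prefix condition key is only sent on list requests, so it cannot constrain CreateBucket), a pared-down variant whose action list is an assumed set of what an S3 FUSE volume driver needs, and a hypothetical per-user variant built on ${aws:username}. The bucket names, user names and the pared-down action list are constructed for the example.

```python
"""Offline evaluator for the S3 bucket-prefix policies in this post (added example,
not part of the post or of RexRay). Models only what the policies use: Allow/Deny,
'*' and '?' wildcards in Action and Resource, the StringLike and
ForAllValues:StringLike operators, and ${aws:username}-style variables. An explicit
Deny wins; a request no statement matches is implicitly denied. Real IAM has more
rules (resource policies, SCPs, NotAction), so confirm with the IAM policy simulator."""
import re


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def substitute(text: str, variables: dict) -> str:
    """Expand policy variables such as ${aws:username}; unknown ones are left untouched."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: variables.get(m.group(1), m.group(0)), text)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, context: dict, variables: dict) -> bool:
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            patterns = [substitute(p, variables) for p in _as_list(patterns)]
            values = _as_list(context[key]) if key in context else []
            matched = all(any(string_like(p, v) for p in patterns) for v in values)
            if operator == "StringLike":
                # single-valued operator: a request that lacks the key fails the condition
                if not values or not matched:
                    return False
            elif operator == "ForAllValues:StringLike":
                # set operator: every request value must match, but a request that carries
                # no value for the key passes (documented IAM behaviour). That is why a key
                # CreateBucket never sends, such as s3:prefix, cannot limit bucket names;
                # the Resource ARN has to do that.
                if not matched:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy: dict, action: str, resource: str, context=None, variables=None) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context, variables = context or {}, variables or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(string_like(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(string_like(substitute(r, variables), resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context, variables):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


BASE = {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
        "Resource": "arn:aws:s3:::*"}
CREATE = {"Effect": "Allow", "Action": "s3:CreateBucket",
          "Resource": "arn:aws:s3:::dockvol-example-com*",
          "Condition": {"ForAllValues:StringLike": {"s3:LocationConstraint": "us-east-*"}}}
PREFIX_RESOURCES = ["arn:aws:s3:::dockvol-example-com*", "arn:aws:s3:::dockvol-example-com*/*"]

# The post's read-write policy: full rights on buckets that carry the prefix.
PREFIX_POLICY = {"Version": "2012-10-17", "Statement": [
    BASE, CREATE, {"Effect": "Allow", "Action": "s3:*", "Resource": PREFIX_RESOURCES}]}

# Pared-down variant: "s3:*" replaced by the object and listing calls an S3 FUSE volume
# driver needs (assumed set; check your driver's docs). Bucket deletion and bucket-level
# settings are no longer granted, and CreateBucket is now governed only by CREATE.
PARED_DOWN_ACTIONS = ["s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetObject",
                      "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload",
                      "s3:ListMultipartUploadParts"]
PARED_DOWN_POLICY = {"Version": "2012-10-17", "Statement": [
    BASE, CREATE, {"Effect": "Allow", "Action": PARED_DOWN_ACTIONS, "Resource": PREFIX_RESOURCES}]}

# Hypothetical per-user variant: the bucket prefix embeds the caller's IAM user name.
PER_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    BASE, {"Effect": "Allow", "Action": "s3:*",
           "Resource": ["arn:aws:s3:::dockvol-${aws:username}-*",
                        "arn:aws:s3:::dockvol-${aws:username}-*/*"]}]}

if __name__ == "__main__":
    bucket = "arn:aws:s3:::dockvol-example-com99"
    for name, policy in [("prefix", PREFIX_POLICY), ("pared-down", PARED_DOWN_POLICY)]:
        for region in ["us-east-2", "eu-west-1"]:
            ctx = {"s3:LocationConstraint": region}
            print(f"{name:10} CreateBucket {region}: {evaluate(policy, 's3:CreateBucket', bucket, ctx)}")
        print(f"{name:10} DeleteBucket: {evaluate(policy, 's3:DeleteBucket', bucket)}")
    for user in ["alice", "bob"]:
        print(f"per-user as {user}: {evaluate(PER_USER_POLICY, 's3:PutObject', 'arn:aws:s3:::dockvol-alice-data/f', variables={'aws:username': user})}")
```

Running it shows the point made in the policy discussion: under the full "s3:*" policy a CreateBucket for a prefixed bucket in eu-west-1 is still allowed, because the wildcard stanza matches it before the region condition is ever consulted; only the pared-down policy enforces the region, and it also stops DeleteBucket. The per-user policy grants alice her own buckets and gives bob nothing on them.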


Next, we will talk about some of what is happening under the covers with RexRay...
