- Notes, cautions, and warnings
- S3
- Amazon S3 API support in ECS
- S3 API supported and unsupported features
- Bucket policy support
- Object Tagging
- S3 Object Lock
- Object lifecycle management
- S3 Extensions
- Metadata Search
- S3 and Swift Interoperability
- Create and manage secret keys
- Authenticating with the S3 service
- Using s3curl with ECS
- Use SDKs to access the S3 service
- ECS S3 error codes
- Hadoop S3A for ECS
- Enabling data2 IP in ECS S3
- Cloud DVR
- ECS IAM for S3
- OpenStack Swift
- EMC Atmos
- CAS
- Setting up CAS support in ECS
- Cold Storage
- Compliance
- CAS retention in ECS
- Advanced retention for CAS applications: event-based retention, litigation hold, and the min/max governor
- Set up namespace retention policies
- Create and set up a bucket for a CAS user
- Set up a CAS object user
- Set up bucket ACLs for CAS
- ECS Management APIs that support CAS users
- Content Addressable Storage (CAS) SDK API support
- ECS CAS error codes
- Enabling data2 IP in CAS
- ECS Management REST API
- ECS HDFS
- ECS HDFS Introduction
- Configuring Hadoop to use ECS HDFS
- Hadoop authentication modes
- Migration from a simple to a Kerberos Hadoop cluster
- File system interaction
- Supported Hadoop applications
- Integrate a simple Hadoop cluster with ECS HDFS
- Install Hortonworks HDP using Ambari
- Create a bucket for HDFS using the ECS Portal
- Plan the ECS HDFS and Hadoop integration
- Obtain the ECS HDFS installation and support package
- Deploy the ECS HDFS Client Library
- Configure ECS client properties
- Set up Hive
- Verify Hadoop access to ECS
- Secure the bucket
- Relocate the default file system from HDFS to an ECS bucket
- Integrate a secure Hadoop cluster with ECS HDFS
- Verify that AD/LDAP is correctly configured with a secure Hadoop cluster
- Pig test fails: unable to obtain Kerberos principal
- Permission denied for AD user
- Permissions errors
- Failed to process request
- Enable Kerberos client-side logging and debugging
- Debug Kerberos on the KDC
- Eliminate clock skew
- Configure one or more new ECS nodes with the ECS service principal
- Workaround for Yarn directory does not exist error
- Set up the Kerberos KDC
- Configure AD user authentication for Kerberos
- Secure bucket metadata
- Hadoop core-site.xml properties for ECS HDFS
- Hadoop core-site.xml properties for ECS S3
- External key management
- Document feedback
ECS 3.6.2 Data Access Guide
ECS IAM API and SDK access
This section describes the supported ECS IAM APIs and its access methods.
ECS IAM supported APIs
The following table lists the supported ECS IAM APIs.
| Actions | Description (*required) | Access Level | Resource Types (*required) |
|---|---|---|---|
| AddUserToGroup | Adds an IAM user to the specified IAM group.
URL: /iam/?Action=AddUserToGroup Query Parameters: GroupName*, UserName* Error: LimitExceeded, NoSuchEntity, ServiceFailure |
Write | group* |
| AttachGroupPolicy | Attach a specified managed policy to the specified IAM group.
URL: /iam/?Action=AttachGroupPolicy Query Parameters: GroupName*, PolicyArn* Error: LimitExceeded, NoSuchEntity, ServiceFailure, InvalidInput |
Permissions management | group* |
| AttachRolePolicy | Attach a specified managed policy to the specified IAM role.
URL: /iam/?Action=AttachRolePolicy Query Parameters: RoleName*, PolicyArn* Error: LimitExceeded, NoSuchEntity, ServiceFailure, InvalidInput |
Permissions management | role* |
| AttachUserPolicy | Attach a specified managed policy to the specified IAM user.
URL: /iam/?Action=AttachUserPolicy Query Parameters: UserName*, PolicyArn* Error: LimitExceeded, NoSuchEntity, ServiceFailure, InvalidInput |
Permissions management | user* |
| CreateAccessKey | Creates a new Secret Access credential for specified IAM user.
URL: /iam/?Action=CreateAccessKey Query Parameters: UserName Error: LimitExceeded, NoSuchEntity, ServiceFailure |
Write | user* |
| CreateGroup | Creates a IAM group in namespace.
URL: /iam/?Action=CreateGroup Query Parameters: GroupName*, Path (only '/' supported) Error: EntityAlreadyExists, LimitExceeded, NoSuchEntity, ServiceFailure |
Write | group* |
| CreatePolicy | Creates a new managed policy in namespace.
URL: /iam/?Action=CreatePolicy Query Parameters: Description, Path (only '/' allowed), PolicyDocument*, PolicyName* Error: EntityAlreadyExists, InvalidInput, LimitExceeded, MalformedPolicyDocument, ServiceFailure |
Permissions management | policy* |
| CreatePolicyVersion | Creates a version of the specified managed policy in namespace.
URL: /iam/?Action=CreatePolicy Query Parameters: PolicyArn*, PolicyDocument*, SetAsDefault* Error: InvalidInput, LimitExceeded, MalformedPolicyDocument, NoSuchEntity, ServiceFailure |
Permissions management | policy* |
| CreateRole | Creates a IAM role in namespace.
URL: /iam/?Action=CreateRole Query Parameters: AssumeRolePolicyDocument*, Description, MaxSessionDuration, PermissionsBoundary, Tags, RoleName*, Path (only '/' supported) Error: EntityAlreadyExists, InvalidInput, LimitExceeded, NoSuchEntity, ServiceFailure, MalformedPolicyDocument |
Write | role* |
| CreateSAMLProvider | Creates a SAML 2.0 identity provider (IdP) in namespace
URL: /iam/?Action=CreateSAMLProvider Query Parameters: Name*, SAMLMetadataDocument* Error: EntityAlreadyExists, InvalidInput, LimitExceeded, ServiceFailure |
Write | saml-provider* |
| CreateUser | Creates a IAM user in namespace.
URL: /iam/?Action=CreateUser Query Parameters: Path (only '/' supported), PermissionsBoundary, Tags, UserName* Error: EntityAlreadyExists, InvalidInput, LimitExceeded, NoSuchEntity, ServiceFailure |
Write | user* |
| DeleteAccessKey | Deletes the specified access key credential that is associated with the specified IAM user.
URL: /iam/?Action=DeleteAccessKey Query Parameters: AccessKeyId*, UserName Error: LimitExceeded, NoSuchEntity, ServiceFailure |
Write | user* |
| DeleteGroup | Deletes the specified IAM group from namespace.
URL: /iam/?Action=DeleteGroup Query Parameters: GroupName* Error: DeleteConflict, LimitExceeded, NoSuchEntity, ServiceFailure |
Write | group* |
| DeleteGroupPolicy | Deletes the specified inline policy from its group.
URL: /iam/?Action=DeleteGroupPolicy Query Parameters: GroupName*, PolicyName* Error: LimitExceeded, NoSuchEntity, ServiceFailure |
Permissions management | group* |
| DeletePolicy | Deletes the specified managed policy
URL: /iam/?Action=DeletePolicy Query Parameters: PolicyArn* Error: DeleteConflict, InvalidInput, LimitExceeded, NoSuchEntity, ServiceFailure |
Permissions management | policy* |
| DeletePolicyVersion | Deletes the specified version from the managed policy.
URL: /iam/?Action=DeletePolicyVersion Query Parameters: PolicyArn*, VersionId* Error: DeleteConflict, InvalidInput, LimitExceeded, NoSuchEntity, ServiceFailure |
Permissions management | policy* |
| DeleteRole | Grants permission to delete the specified role.
URL: /iam/?Action=DeleteRole Query Parameters: RoleName* Error: DeleteConflict, LimitExceeded, NoSuchEntity, ServiceFailure |
Write | role* |
| DeleteRolePermissionsBoundary | Deletes the permissions boundary for the specified IAM role.
URL: /iam/?Action=DeleteRolePermissionsBoundary Query Parameters: RoleName* Error: NoSuchEntity, ServiceFailure |
Permissions management | role* |
| DeleteRolePolicy | Deletes the specified inline policy from its role.
URL: /iam/?Action=DeleteRolePolicy Query Parameters: RoleName*, PolicyName* Error: LimitExceeded, NoSuchEntity, ServiceFailure |
Permissions management | role* |
| DeleteSAMLProvider | Deletes a specified SAML provider.
URL: /iam/?Action=DeleteSAMLProvider Query Parameters: SAMLProviderArn* Error: InvalidInput, LimitExceeded, NoSuchEntity, ServiceFailure |
Write | saml-provider* |
| DeleteUser | Deletes the specified IAM user from namespace.
URL: /iam/?Action=DeleteUser Query Parameters: UserName* Error: DeleteConflict, LimitExceeded, NoSuchEntity, ServiceFailure |
Write | user* |
| DeleteUserPermissionsBoundary | Deletes the permissions boundary for the specified IAM user.
URL: /iam/?Action=DeleteUserPermissionsBoundary Query Parameters: UserName* Error: NoSuchEntity, ServiceFailure |
Permissions management | user* |
| DeleteUserPolicy | Deletes the specified inline policy from its user.
URL: /iam/?Action=DeleteUserPolicy Query Parameters: UserName*, PolicyName* Error: LimitExceeded, NoSuchEntity, ServiceFailure |
Permissions management | user* |
| DetachGroupPolicy | Detach a specified managed policy from the specified IAM group.
URL: /iam/?Action=DetachGroupPolicy Query Parameters: GroupName*, PolicyArn* Error: InvalidInput, LimitExceeded, NoSuchEntity, ServiceFailure |
Permissions management | group* |
| DetachRolePolicy | Detach a specified managed policy from the specified IAM role.
URL: /iam/?Action=DetachRolePolicy Query Parameters: RoleName*, PolicyArn* Error: InvalidInput, LimitExceeded, NoSuchEntity, ServiceFailure |
Permissions management | role* |
| DetachUserPolicy | Detach a specified managed policy from the specified IAM user.
URL: /iam/?Action=DetachUserPolicy Query Parameters: UserName*, PolicyArn* Error: InvalidInput, LimitExceeded, NoSuchEntity, ServiceFailure |
Permissions management | user* |
| GetAccessKeyLastUsed | Retrieves best effort information about when specified access key was last used.
URL: /iam/?Action=GetAccessKeyLastUsed Query Parameters: AccessKeyId* Error: ServiceFailure |
Read | user* |
| GetContextKeysForCustomPolicy |
Retrieves list of all of the context keys referenced in the input policies. URL: /iam/?Action=GetContextKeysForCustomPolicy Query Parameters: PolicyInputList* Error: InvalidInput |
Read | - |
| GetContextKeysForPrincipalPolicy |
Detach a specified managed policy from the specified IAM user. URL: /iam/?Action=GetContextKeysForPrincipalPolicy Query Parameters: PolicyInputList, PolicySourceArn* Error : InvalidInput, NoSuchEntity |
Read | user, group, role |
| GetGroup | Returns a list of IAM users that are in the specified IAM group. You can paginate the results using the MaxItems and Marker parameters.
URL: /iam/?Action=GetGroup Query Parameters: GroupName*, Marker, MaxItems Error: NoSuchEntity, ServiceFailure |
Read | group* |
| GetGroupPolicy | Gets the specified inline policy document from the specified IAM group.
URL: /iam/?Action=GetGroupPolicy Query Parameters: GroupName*, PolicyName* Error: NoSuchEntity, ServiceFailure |
Read | group* |
| GetPolicy | Retrieve information about the specified managed policy.
URL: /iam/?Action=GetPolicy Query Parameters: PolicyArn* Error: InvalidInput, NoSuchEntity, ServiceFailure |
Read | policy* |
| GetPolicyVersion | Retrieve information about a version of the specified managed policy.
URL: /iam/?Action=GetPolicyVersion Query Parameters: PolicyArn*, VersionId* Error: InvalidInput, NoSuchEntity, ServiceFailure |
Read | policy* |
| GetRole | Retrieves information about the specified role.
URL: /iam/?Action=GetRole Query Parameters: RoleName* Error: NoSuchEntity, ServiceFailure |
Read | role* |
| GetPolicy | Retrieves information about specified managed policy.
URL: /iam/?Action=GetPolicy Query Parameters: PolicyArn* Error: InvalidInput, NoSuchEntity, ServiceFailure |
Read | policy* |
| GetPolicyVersion | Retrieves information about specified version of the managed policy.
URL: /iam/?Action=GetPolicyVersion Query Parameters: PolicyArn*, VersionId* Error: InvalidInput, NoSuchEntity, ServiceFailure |
Read | policy* |
| GetRolePolicy | Retrieves the specified inline policy document that is embedded with the specified IAM role.
URL: /iam/?Action=GetRolePolicy Query Parameters: RoleName*, PolicyName* Error: NoSuchEntity, ServiceFailure |
Read | role* |
| GetSAMLProvider | Retrieves the SAML provider metadata document that is associated with the IAM SAML provider resource.
URL: /iam/?Action=GetSAMLProvider Query Parameters: SAMLProviderArn* Error: InvalidInput, NoSuchEntity, ServiceFailure |
Read | saml-provider* |
| GetUser | Retrieves information about the specified IAM user
URL: /iam/?Action=GetUser Query Parameters: UserName Error: NoSuchEntity, ServiceFailure |
Read | user* |
| GetUserPolicy | Retrieves the specified inline policy document that of the specified IAM user.
URL: /iam/?Action=GetUserPolicy Query Parameters: UserName*, PolicyName* Error: NoSuchEntity, ServiceFailure |
Read | user* |
| ListAccessKeys | Lists information about the access key IDs that are associated with the specified IAM user.
URL: /iam/?Action=ListAccessKeys Query Parameters: UserName* Error: NoSuchEntity, ServiceFailure |
List | user* |
| ListAttachedGroupPolicies | List all managed policies that are attached to the specified IAM group.
URL: /iam/?Action=ListAttachedGroupPolicies Query Parameters: GroupName*, Marker, MaxItems, PathPrefix (only '/' supported) Error: InvalidInput, NoSuchEntity, ServiceFailure |
List | group* |
| ListAttachedRolePolicies | List all managed policies that are attached to the specified IAM role.
URL: /iam/?Action=ListAttachedRolePolicies Query Parameters: RoleName*, Marker, MaxItems, PathPrefix (only '/' supported) Error: InvalidInput, NoSuchEntity, ServiceFailure |
List | role* |
| ListAttachedUserPolicies | List all managed policies that are attached to the specified IAM user URL: /iam/?Action=ListAttachedUserPolicies Query Parameters: UserName*, Marker, MaxItems, PathPrefix (only '/' supported) Error: InvalidInput, NoSuchEntity, ServiceFailure | List | user* |
| ListEntitiesForPolicy | Lists all entities (IAM users, groups, and roles) that are attached to the specified managed policy.
URL: /iam/?Action=ListEntitiesForPolicy Query Parameters: EntityFilter, Marker, MaxItems, PathPrefix (only '/' supported), PolicyArn*, PolicyUsageFilter Error: InvalidInput, NoSuchEntity, ServiceFailure |
List | policy* |
| ListGroupPolicies | List the names of the inline policies that are in the specified IAM group.
URL: /iam/?Action=ListGroupPolicies Query Parameters: GroupName*, Marker, MaxItems Error: NoSuchEntity, ServiceFailure |
List | group* |
| ListGroups | List the IAM groups that have the specified path prefix.
URL: /iam/?Action=ListGroups Query Parameters: Marker, MaxItems, PathPrefix (only '/' supported) Error: ServiceFailure |
List | - |
| ListGroupsForUser | List the IAM groups that the provided IAM user belongs to.
URL: /iam/?Action=ListGroupsForUser Query Parameters: Marker, MaxItems, UserName* Error: NoSuchEntity, ServiceFailure |
List | user* |
| ListPolicies | Lists all managed policies that are associated with the namespace.
URL: /iam/?Action=ListPolicies Query Parameters: Marker, MaxItems, OnlyAttached, PathPrefix (only '/' supported), PolicyUsageFilter, Scope Error: InvalidInput, NoSuchEntity, ServiceFailure |
List | - |
| ListPolicyVersions | Lists information about the versions of the requested managed policy.
URL: /iam/?Action=ListPolicyVersions Query Parameters: Marker, MaxItems, PolicyArn* Error: InvalidInput, NoSuchEntity, ServiceFailure |
List | policy* |
| ListRolePolicies | List the names of the inline policies that are in the specified IAM role.
URL: /iam/?Action=ListRolePolicies Query Parameters: RoleName*, Marker, MaxItems Error: NoSuchEntity, ServiceFailure |
List | role* |
| ListRoles | List the IAM roles that have the specified path prefix.
URL: /iam/?Action=ListRoles Query Parameters: Marker, MaxItems, PathPrefix (only '/' supported) Error: ServiceFailure |
List | - |
| ListRoleTags | Lists the tags that are attached to the specified role.
URL: /iam/?Action=ListRoleTags Query Parameters: Marker, MaxItems, RoleName* Error: NoSuchEntity, ServiceFailure |
List | role* |
| ListSAMLProviders | List the SAML providers in the namespace.
URL: /iam/?Action=ListSAMLProviders Error: ServiceFailure |
List | - |
| ListUserPolicies | List the names of the inline policies that are in the specified IAM user.
URL: /iam/?Action=ListUserPolicies Query Parameters: UserName*, Marker, MaxItems Error: NoSuchEntity, ServiceFailure |
List | user* |
| ListUsers | List the IAM users that have the specified path prefix.
URL: /iam/?Action=ListUsers Query Parameters: Marker, MaxItems, PathPrefix (only '/' supported) Error: ServiceFailure |
List | - |
| ListUserTags | Lists the tags that are attached to the specified user.
URL: /iam/?Action=ListUserTags Query Parameters: Marker, MaxItems, UserName* Error: NoSuchEntity, ServiceFailure |
List | user* |
| PutGroupPolicy | Adds or updates an inline policy document to the specified IAM group.
URL: /iam/?Action=PutGroupPolicy Query Parameters: GroupName*, PolicyDocument*, PolicyName* Error: LimitExceeded, MalformedPolicyDocument, NoSuchEntity, ServiceFailure |
Permissions management | group* |
| PutRolePermissionsBoundary | Sets or updates the provided managed policy as the roles permissions boundary.
URL: /iam/?Action=PutRolePermissionsBoundary Query Parameters: RoleName*, PermissionsBoundary* Error: InvalidInput, PolicyNotAttachable, NoSuchEntity, ServiceFailure |
Permissions management | role* |
| PutRolePolicy | Adds or updates an inline policy document to the specified IAM role.
URL: /iam/?Action=PutRolePolicy Query Parameters: RoleName*, PolicyDocument*, PolicyName* Error: LimitExceeded, MalformedPolicyDocument, NoSuchEntity, ServiceFailure |
Permissions management | role* |
| PutUserPermissionsBoundary | Sets or updates the provided managed policy as the users permissions boundary.
URL: /iam/?Action=PutUserPermissionsBoundary Query Parameters: UserName*, PermissionsBoundary* Error: InvalidInput, PolicyNotAttachable, NoSuchEntity, ServiceFailure |
Permissions management | user* |
| PutUserPolicy | Adds or updates an inline policy document to the specified IAM user.
URL: /iam/?Action=PutUserPolicy Query Parameters: UserName*, PolicyDocument*, PolicyName* Error: LimitExceeded, MalformedPolicyDocument, NoSuchEntity, ServiceFailure |
Permissions management | user* |
| RemoveUserFromGroup | Remove an IAM user from the specified group.
URL: /iam/?Action=RemoveUserFromGroup Query Parameters: UserName*, GroupName* Error: LimitExceeded, NoSuchEntity, ServiceFailure |
Write | group* |
| SetDefaultPolicyVersion | Sets the specified version of the policy as default
URL: /iam/?Action= SetDefaultPolicyVersion Query Parameters: PolicyArn*, VersionId* Error: InvalidInput, LimitExceeded, NoSuchEntity, ServiceFailure |
Permissions management | policy* |
| SimulateCustomPolicy | Simulate how a set of IAM policies and optionally a resource-based policy works with a list of API operations and RCS resources to determine the policies effective permissions.
URL: /iam/?Action= SimulateCustomPolicy Query Parameters: ActionNames*, CallerArn, ContextEntries, Marker, MaxItems, PolicyInputList*, ResourceArns, ResourceOwner, ResourcePolicy Error: InvalidInput, PolicyEvaluation |
Read | - |
| SimulatePrincipalPolicy | Simulate how a set of IAM policies attached to an IAM entity (user, group, or role) works with a list of API operations and ECS resources to determine the policies effective permissions.
URL: /iam/?Action= SimulatePrincipalPolicy Query Parameters: ActionNames*, CallerArn, ContextEntries, Marker, MaxItems, PolicyInputList, PolicySourceArn*, ResourceArns, ResourceOwner, ResourcePolicy Error : InvalidInput, NoSuchEntity, PolicyEvaluation |
Read | user, group, role |
| TagRole | Add tags to an IAM role.
URL: /iam/?Action=TagRole Query Parameters: RoleName*, Tags Error: InvalidInput, LimitExceeded, NoSuchEntity, ServiceFailure |
Tagging | role* |
| TagUser | Add tags to an IAM user .
URL: /iam/?Action=TagUser Query Parameters: UserName*, Tags Error: InvalidInput, LimitExceeded, NoSuchEntity, ServiceFailure |
Tagging | user* |
| UntagRole | Remove tags from specified IAM role.
URL: /iam/?Action=UntagRole Query Parameters: RoleName*, Tags Error: NoSuchEntity, ServiceFailure |
Tagging | role* |
| UntagUser | Remove tags from specified IAM user.
URL: /iam/?Action=UntagUser Query Parameters: UserName*, Tags Error: NoSuchEntity, ServiceFailure |
Tagging | user* |
| UpdateAccessKey | Update the status of the specified access key as Active or Inactive.
URL: /iam/?Action=UpdateAccessKey Query Parameters: AccessKeyId*, Status*, UserName Error: LimitExceeded, NoSuchEntity, ServiceFailure |
Write | user* |
| UpdateAssumeRolePolicy | Update the policy that grants an IAM entity permission to assume a role.
URL: /iam/?Action=UpdateAssumeRolePolicy Query Parameters: PolicyDocument*, RoleName* Error: LimitExceeded, MalformedPolicyDocument, NoSuchEntity, ServiceFailure |
Permissions management | role* |
| UpdateRole | Updates the description or maximum session duration setting of an IAM role.
URL: /iam/?Action=UpdateRole Query Parameters: Description, MaxSessionDuration, RoleName* Error: NoSuchEntity, ServiceFailure |
Write | role* |
| UpdateSAMLProvider | Updates the metadata document for an existing SAML provider.
URL: /iam/?Action=UpdateSAMLProvider Query Parameters: SAMLMetadataDocument*, SAMLProviderArn* Error: Invalidinput, LimitExceeded, NoSuchEntity, ServiceFailure |
Write | saml-provider* |
ECS S3 and IAM API access
| API | Access method |
|---|---|
| S3 |
NOTE: ECS management users must create legacy users or IAM users or IAM roles with the required permissions to access S3 API.
|
| IAM |
NOTE: ECS management users can also create IAM users or IAM roles with the required permissions to access IAM API.
|
| Other management APIs |
|
| Other data head APIs (except S3) |
NOTE: ECS management users must create legacy users with the required permissions to access other data head APIs.
|
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\