diff --git a/CHANGELOG.md b/CHANGELOG.md index c32b2085..0a1e94bb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -27,6 +27,7 @@ This document outlines major changes between releases. - Support dump metrics descriptions (#80) - Support impersonate bearer token (#81) - Return bearer token in `s3-authmate obtain-secret` result (#132) +- Add `s3-authmate update-secret` command (#131) ### Changed - Remove object from tree and reset its cache on object deletion when it is already removed from storage (#78) diff --git a/docs/authmate.md b/docs/authmate.md index cf3c5171..69874a48 100644 --- a/docs/authmate.md +++ b/docs/authmate.md @@ -26,6 +26,7 @@ potentially). 4. [Containers policy](#containers-policy) 3. [Obtainment of a secret](#obtaining-credential-secrets) 4. [Generate presigned url](#generate-presigned-url) +5. [Update secrets](#update-secret) ## Generation of wallet 
@@ -334,3 +335,39 @@ $ aws s3 --endpoint http://localhost:8084 presign s3://pregigned/obj http://localhost:8084/pregigned/obj?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=6UpmiuYspPLMWfyhEKYmZQSsTGkFLS5MhQVdsda3fhz908Hw9eo9urTmaJtfvHMHUpY8SWAptk61bns2Js8f1M5tZ%2F20220615%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20220615T072348Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=b82c13952534b1bba699a718f2d42d135c2833a1e64030d4ce0e198af46551d4 ``` + +## Update secret +You can extend list of s3 gates that can accept already issued credentials. +To do this use `frostfs-s3-authmate update-secret` command: + +**Required parameters:** +* `--wallet` is a path to a user wallet `.json` file. You can provide a passphrase to decrypt + a wallet via environment variable `AUTHMATE_WALLET_PASSPHRASE`, or you will be asked to enter a passphrase + interactively. You can also specify an account address to use from a wallet using the `--address` parameter. +* `--gate-wallet` is a path to a gate wallet `.json` file (need to decrypt current access box version). You can provide a passphrase to decrypt + a wallet via environment variable `AUTHMATE_WALLET_GATE_PASSPHRASE`, or you will be asked to enter a passphrase + interactively. You can also specify an account address to use from a wallet using the `--gate-address` parameter. +* `--peer` is an address of a FrostFS peer to connect to +* `--gate-public-key` is a public `secp256r1` 33-byte short key of a gate (use flags repeatedly for multiple gates). +* `--access-key-id` is a credential id to update. 
+ +```shell +$ frostfs-s3-authmate update-secret --wallet wallet.json --gate-wallet s3-wallet.json \ + --peer 192.168.130.71:8080 \ + --gate-public-key 0313b1ac3a8076e155a7e797b24f0b650cccad5941ea59d7cfd51a024a8b2a06bf \ + --gate-public-key 0317585fa8274f7afdf1fc5f2a2e7bece549d5175c4e5182e37924f30229aef967 \ + --gate-public-key 0223450b9db6d0c083e9c6de1f7d8fd22858d70829e09afa39828bb2416bf190fc \ + --access-key-id HwrdXgetdGcEWAQwi68r1PMvw4iSm1Y5Z1fsFNSD6sQP04QomYDfYsspMhENEDhzTGwGxm86Q6R2Weugf3PG4sJ3M + +Enter password for wallet.json > +Enter password for s3-wallet.json > + +{ + "initial_access_key_id": "HwrdXgetdGcEWAQwi68r1PMvw4iSm1Y5Z1fsFNSD6sQP04QomYDfYsspMhENEDhzTGwGxm86Q6R2Weugf3PG4sJ3M", + "access_key_id": "HwrdXgetdGcEWAQwi68r1PMvw4iSm1Y5Z1fsFNSD6sQP0xXf1ahGndNkydG9MrL9WmCebrPwdSHTAysQa9w6yCNJ", + "secret_access_key": "f6a65481fd2752e69e4aa80a6fdcad70cfbf8304d2b3b8c2f9c15212aeee3ae7", + "owner_private_key": "7f40233893e4f4a54e4f2f52455a0e6d563f7eb0233a985094937ed69faef681", + "wallet_public_key": "031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a", + "container_id": "HwrdXgetdGcEWAQwi68r1PMvw4iSm1Y5Z1fsFNSD6sQP" +} +```
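Review bot: In the CHANGELOG.md hunk, the new entry names the command `s3-authmate update-secret`, while the docs/authmate.md section added by this same patch tells users to run `frostfs-s3-authmate update-secret`. The short form matches the neighbouring `s3-authmate obtain-secret` entry, so it may be deliberate, but please confirm which name users actually type and use it consistently in both files.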
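Review bot: In the table-of-contents hunk of docs/authmate.md, the new entry reads `5. [Update secrets](#update-secret)` but the section it points to is headed `## Update secret`. The anchor matches the heading, so the link works, but the link text should match it too; suggest `5. [Update secret](#update-secret)`.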
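Review bot: In the `## Update secret` section added to docs/authmate.md, the sample output shows an `access_key_id` that differs from `initial_access_key_id`, alongside `secret_access_key` and `owner_private_key`, and the text explains none of these fields. Please document what each returned field means, whether the initial access key id stays usable after the update, and whether `--gate-public-key` must list every gate that should accept the credentials or only the gates being added, since "extend list of s3 gates" reads as additive. A sentence noting that the JSON printed to stdout contains secret material would help operators who pipe or log this output. Wording nits in the same hunk: "extend the list of S3 gates", "(needed to decrypt the current access box version)", and the `--peer` bullet is missing the closing period that the `--gate-public-key` and `--access-key-id` bullets have.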