Enable Access to AWS Storage Using Delegation
MATLAB® Online™ end users can use MATLAB functions to access data stored remotely in AWS® resources such as Amazon S3™. However, if end users do not acquire the AWS credentials needed to access those resources in advance, MATLAB returns an error. If you enable MATLAB Online Server™ to have delegated access to these resources, the server acquires these credentials for end users when they log in to MATLAB Online, providing them immediate access to their remote data.
MATLAB Online Server has Transport Layer Security (TLS) enabled. For more details, see the Security configuration properties.
You have an AWS account with permission to manage Identity and Access Management (IAM) roles. These permissions enable you to delegate AWS resource access to MATLAB Online Server. For more details, see IAM roles (AWS).
You are using a Security Assertion Markup Language (SAML) identity provider to authenticate MATLAB Online users. For details on authenticating MATLAB Online users using SAML, see Configure User Authentication in MATLAB Online Server.
Your SAML identity provider uses identity federation and has roles with privileged access to the
Identity federation is the process of establishing a trust relationship between the identity provider and AWS, enabling the provider to verify user identities and transmit authentication details to AWS. For more details, see About SAML 2.0-based federation (AWS).
AssumeRoleWithSAMLAPI provided by AWS allows the identity provider to assume an IAM role on behalf of the user from within AWS, granting them temporary security credentials for accessing AWS resources.
Configure Authentication Service to Support AWS Delegation
Enable AWS delegation in the MATLAB
Online Server authentication service by setting the appropriate values in the
authnz.yaml file. The file is located at this path.
is the root folder of your MATLAB Online Server installation.
is the name of your Kubernetes® cluster.
is the Kubernetes namespace you used to deploy MATLAB Online Server.
identityProviders, within the
identity provider, add a
delegation section with this
identityProviders: - id: saml type: saml # Standard SAML Configuration ... delegation: aws: iam: failureMode: "halt" sessionProperties: region: "us-east-1" sessionDuration: 3600
For details on the standard SAML configuration, see the SAML section of the authentication documentation.
delegation section, configure these attributes.
|Optional or Required
Action that the authentication provider takes when a delegation request fails.
|Region of the AWS resources being accessed. Example:
Amount of time, in seconds, that users have access to AWS resources.
If you enable delegation, when an end user logs into MATLAB Online, AWS grants the user access to AWS resources for a fixed session duration. When this session expires, to access AWS resources again, the user must sign out and sign back in to MATLAB Online.
MATLAB Online Server sets the session duration based on these rules.
Deploy Kubernetes Secret for AWS User Credentials
To transmit the AWS credentials of end users within the MATLAB Online Server cluster, deploy a Kubernetes secret to the cluster. A Kubernetes secret is an object that encrypts sensitive data so that it can be shared securely between services within the cluster. You must deploy this secret within the same namespace as other MATLAB Online Server services in your Kubernetes cluster.
To deploy a Kubernetes secret to the cluster:
Generate a random 64-bit-encoded string that the cluster can use to encrypt the data. For example, this Linux® bash script generates a random string of alphanumeric characters wrapped onto lines of 32 characters each, and then encodes the string using base-64 encoding.
#!/bin/bash SECRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) echo $SECRET echo -n $SECRET | base64
Create a file named
credentials-secret.yamland copy in the fields shown. Then, set the
credentials-secretfield to the value of the base-64-encoded string generated earlier. Save the file in any location within the Kubernetes cluster.
apiVersion: v1 kind: Secret metadata: name: credentials-secret data: credentials-secret: <secret string>
Deploy the secret to the Kubernetes cluster. Replace
with your MATLAB Online Server namespace.
kubectl apply -f credentials-secret.yaml --namespace
Enable AWS Access Across Server
Enable all services to have delegated access to AWS resources by setting the appropriate values in the
all.yaml file. The file is located at this path.
global section, add a
with this structure.
global: tls: enabled: true delegation: providers: - type: "awsiam" enabled: true secretFile: mountPath: "/etc/credentials-secret-volume/" name: "credentials-secret"
Configure these attributes.
|Optional or Required
Delegation provider. To enable AWS delegation,
Full path to the secret file used for securely transmitting AWS credentials within the MATLAB Online Server cluster.
If you do not change the default values, then you
can omit the
Deploy Changes to Server
To apply your changes, undeploy and redeploy the server.
These changes take effect the next time that MATLAB Online end users log in with their single sign-on credentials.
For an example of how end users can access their remote data, see Work with Remote Data. When delegation is enabled, end users do not have to follow the instructions on setting up access and setting environment variables for their credentials.