# Cloud IAM Setup
When flexFS servers and mount clients run on cloud instances, they can authenticate to object storage using the cloud provider’s native identity system instead of static credentials. This is the recommended approach for production deployments because it eliminates the need to manage and rotate access keys.
## Amazon Web Services (S3)

On AWS, flexFS can use EC2 instance roles to access S3 without static credentials.

### 1. Create an IAM policy

Create a policy that grants the required S3 permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-flexfs-bucket",
        "arn:aws:s3:::my-flexfs-bucket/*"
      ]
    }
  ]
}
```

Replace `my-flexfs-bucket` with your bucket name.

### 2. Create an IAM role

```bash
aws iam create-role \
  --role-name flexfs-role \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }]
  }'
```

### 3. Attach the policy to the role

`flexfs-s3-policy` is the name under which the policy from step 1 was created:

```bash
aws iam attach-role-policy \
  --role-name flexfs-role \
  --policy-arn arn:aws:iam::$ACCOUNT_ID:policy/flexfs-s3-policy
```

### 4. Create an instance profile and attach the role

```bash
aws iam create-instance-profile \
  --instance-profile-name flexfs-profile

aws iam add-role-to-instance-profile \
  --instance-profile-name flexfs-profile \
  --role-name flexfs-role
```

### 5. Attach the profile to your instances

For new instances, specify the profile at launch:

```bash
aws ec2 run-instances \
  --instance-type c6gn.16xlarge \
  --iam-instance-profile Name=flexfs-profile \
  ...
```

For existing instances:

```bash
aws ec2 associate-iam-instance-profile \
  --instance-id i-0123456789abcdef0 \
  --iam-instance-profile Name=flexfs-profile
```

### Credential chain

When `blockPass` is empty, flexFS tries in order:

- EC2 instance metadata (IMDS v2) for instance role credentials
- Default AWS credential chain (environment variables, `~/.aws/credentials`, etc.)
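The instance-role approach only removes static keys from the picture; the policy attached to the role still decides the blast radius if an instance is compromised. The following is an added example (it is not flexFS code or part of the flexFS docs) that checks a candidate policy against the shape shown in step 1: only the four actions flexFS needs, no wildcard actions, every resource scoped to the one bucket, `s3:ListBucket` granted on the bucket ARN and the object actions on the `/*` ARN. The three sample policies embedded in it are constructed for illustration; `check_flexfs_policy` is a hypothetical helper name.

```python
"""Least-privilege check for the S3 policy behind a flexFS instance role.

Added example, not part of flexFS. It assumes the policy layout shown above:
bucket-level actions scoped to the bucket ARN, object-level actions scoped to
the bucket's objects (ARN/*), and nothing beyond the four required actions.
"""
import json

# Actions flexFS needs, as listed in the policy above.
REQUIRED_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"}
# Actions that target the bucket itself rather than objects inside it.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket"}

# Constructed sample: the policy from step 1 above, for my-flexfs-bucket.
PAGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::my-flexfs-bucket", "arn:aws:s3:::my-flexfs-bucket/*"],
    }],
})

# Constructed sample: the "just make it work" policy that grants everything.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})

# Constructed sample: ListBucket placed on the object ARN (a common mistake
# that makes directory listings fail), and two required actions missing.
MISSCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": "arn:aws:s3:::my-flexfs-bucket/*",
    }],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_flexfs_policy(policy_json: str, bucket: str) -> list[str]:
    """Return findings for an IAM policy document; empty list means it is acceptable."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"
    findings = []
    granted = set()
    policy = json.loads(policy_json)
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access; only Allow is audited here.
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for r in resources:
            # Anything not under the bucket ARN (including "*") widens the blast radius.
            if not (r == bucket_arn or r.startswith(bucket_arn + "/")):
                findings.append(f"statement {i}: resource {r!r} not scoped to {bucket}")
        for a in actions:
            if "*" in a:
                # s3:* (or s3:Get*) does grant the required actions, but is flagged.
                findings.append(f"statement {i}: wildcard action {a!r}")
                granted |= REQUIRED_ACTIONS
                continue
            if a not in REQUIRED_ACTIONS:
                findings.append(f"statement {i}: action {a!r} not required by flexFS")
                continue
            needed = bucket_arn if a in BUCKET_LEVEL_ACTIONS else objects_arn
            if needed not in resources:
                findings.append(f"statement {i}: {a} needs resource {needed}")
            granted.add(a)
    for a in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"missing required action {a}")
    return findings


if __name__ == "__main__":
    for name, doc in [("page", PAGE_POLICY), ("overbroad", OVERBROAD_POLICY),
                      ("misscoped", MISSCOPED_POLICY)]:
        print(name, check_flexfs_policy(doc, "my-flexfs-bucket") or "OK")
```

Run it against the policy document before `aws iam create-policy`; the misscoped sample is worth noting because `s3:ListBucket` on the object ARN passes silently in IAM but leaves flexFS unable to list the bucket.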
## Google Cloud Platform (GCS)

On GCP, flexFS can use attached service accounts on Compute Engine VMs or Workload Identity on GKE.

### 1. Create a service account

```bash
gcloud iam service-accounts create flexfs-sa \
  --display-name "flexFS Storage Access"
```

### 2. Grant storage permissions

```bash
gcloud storage buckets add-iam-policy-binding gs://my-flexfs-bucket \
  --member serviceAccount:flexfs-sa@$PROJECT_ID.iam.gserviceaccount.com \
  --role roles/storage.objectAdmin
```

### 3. Attach the service account to your VM

For new instances:

```bash
gcloud compute instances create my-vm \
  --service-account flexfs-sa@$PROJECT_ID.iam.gserviceaccount.com \
  --scopes storage-full \
  ...
```

For existing instances (requires a stop/start):

```bash
gcloud compute instances stop my-vm

gcloud compute instances set-service-account my-vm \
  --service-account flexfs-sa@$PROJECT_ID.iam.gserviceaccount.com \
  --scopes storage-full

gcloud compute instances start my-vm
```

### Credential chain

When `blockPass` is empty, flexFS uses GCP Application Default Credentials (ADC):

- `GOOGLE_APPLICATION_CREDENTIALS` environment variable
- `gcloud auth application-default login` credentials
- Attached service account or GKE Workload Identity (via metadata server)
## Microsoft Azure (Blob Storage)

On Azure, flexFS can use managed identities to access Blob Storage without access keys.

### 1. Enable managed identity on your VM

For system-assigned identity:

```bash
az vm identity assign --name my-vm --resource-group my-rg
```

Note the `principalId` from the output.

### 2. Grant storage permissions

```bash
az role assignment create \
  --assignee $PRINCIPAL_ID \
  --role "Storage Blob Data Contributor" \
  --scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/myflexfsstorage
```

### 3. Configure flexFS with only the storage account name

When creating a block store, provide `--username` (the storage account name) but omit `--password`:

```bash
configure.flexfs create block-store \
  --providerCode azure \
  --regionCode eastus \
  --apiCode azure \
  --bucket my-flexfs-container \
  --prefix flexfs \
  --username myflexfsstorage
```

### Credential chain

When `blockPass` is empty, flexFS uses Azure Default Credentials:

- Managed identity (system-assigned or user-assigned)
- Environment variables (`AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_SECRET`)
- Azure CLI credentials (`az login`)
## Oracle Cloud Infrastructure (OCI)

On OCI, flexFS can use instance principals to access Object Storage without API keys.

### 1. Create a dynamic group

Create a dynamic group that matches your compute instances:

```
Any {instance.compartment.id = 'ocid1.compartment.oc1..example'}
```

Or match specific instances:

```
Any {instance.id = 'ocid1.instance.oc1..example'}
```

### 2. Create an IAM policy

```
Allow dynamic-group flexfs-instances to manage objects in compartment my-compartment
Allow dynamic-group flexfs-instances to read buckets in compartment my-compartment
```

### 3. Configure flexFS without credentials

When creating a block store, omit both `--username` and `--password`:

```bash
configure.flexfs create block-store \
  --providerCode oci \
  --regionCode us-ashburn-1 \
  --apiCode oci \
  --bucket my-flexfs-bucket \
  --prefix flexfs
```

### Credential chain

When `blockPass` is empty, flexFS tries in order:

- Instance principal (from instance metadata via dynamic group)
- Default OCI config (`~/.oci/config`)