Archil enforces POSIX permissions for files and folders. However, we do not recommend that you rely on POSIX permissions as a security boundary between untrusted users — Archil does not limit the access of “Disk Users” beyond what POSIX enforces. Authorization is also scoped to an entire disk, including all of its branches and checkpoints: a disk user who can mount a disk can access every branch and checkpoint on it. To isolate untrusted workloads from each other — for example, one agent or tenant per fork — give each its own disk.
Disk tokens are not API keys. A disk token grants access to a single disk — it’s what a client presents when mounting or connecting. An API key authenticates requests to the Control Plane API for managing disks, mounts, and users. The two are created in different places and used in different contexts. This page is about disk tokens.
Which method should I use?
Use IAM role authorization if you’re mounting from an EC2 instance — no extra credentials needed. For everything else, use a disk token.Authentication methods
We recommend using IAM Authorization whenever you are mounting an Archil disk located in AWS from a server that is located in the same AWS Region.AWS role authorization
Archil natively supports using AWS IAM users or roles to authorize access to the disk. This is the recommended authorization method when mounting from AWS EC2 instances in the same region as your disk. Archil disks perform IAM authorization by matching the ARN of the mounting role to the list of that disks’ authorized users. As a result, your IAM user or role does not need any specific Archil permissions in its policy.Setup steps
- Get your EC2 server’s IAM role ARN using the following command:
- Copy the resulting IAM role ARN.
- Return to the disk’s Details page in the Archil console, and paste the role ARN as an Authorized User.
Mounting with IAM authentication
When using IAM authentication, mount your disk without specifying a disk token:When using AWS IAM Roles Anywhere, you must set the
AWS_EC2_METADATA_SERVICE_ENDPOINT and AWS_REGION environment variables before mounting. These can be set inline with the mount command or exported in your shell session.Disk token authorization
Outside of AWS, or when mounting from a different region, Archil can issue a disk token — a static credential scoped to a single disk.Setup steps
- Navigate to the disk’s Details page in the Archil console
- In the sidebar, select Connections
- In the Disk Users section of the page, click Add User
- Select Disk Token
- Copy the disk token — you’ll need it when mounting the disk
- Keep the disk token secure; it grants full access to this disk
Mounting with a disk token
Set theARCHIL_MOUNT_TOKEN environment variable to your disk token and pass it through sudo:
Using
--preserve-env=ARCHIL_MOUNT_TOKEN passes the disk token through sudo’s environment rather than the command line, preventing it from being visible in process listings (ps aux). This is more secure than both sudo -E (which passes all environment variables) and inline assignment (which exposes the token in the process list).The TypeScript SDK reads the same disk token from the
ARCHIL_DISK_TOKEN environment variable (or the authToken connection option). Despite the different variable names, ARCHIL_MOUNT_TOKEN and ARCHIL_DISK_TOKEN refer to the same kind of credential — the disk token you generated above.