Archil requires that you specify a list of “Disk Users” who are authorized to connect to your disk. When attempting to mount your Archil disk, only these users will be allowed access. There are multiple ways that you can authorize a user to connect to an Archil disk. The correct method will depend on the location of your Archil disk and the location of the server which wishes to mount the disk.
Archil enforces POSIX permissions for files and folders. However, we do not recommend that you rely on POSIX permissions as a security boundary between untrusted users. Archil does not limit the access of “Disk Users” beyond what POSIX enforces.

Authentication methods

We recommend using IAM Authorization whenever you are mounting an Archil disk located in AWS from a server that is located in the same AWS Region.

AWS role authorization

Archil natively supports using AWS IAM users or roles to authorize access to the disk. This is the recommended authorization method when mounting from AWS EC2 instances in the same region as your disk. Archil disks perform IAM authorization by matching the ARN of the mounting role to the list of that disks’ authorized users. As a result, your IAM user or role does not need any specific Archil permissions in its policy.

Setup steps

  1. Get your EC2 server’s IAM role ARN using the following command:
aws sts get-caller-identity --query 'Arn' --output text |\
sed 's/\:sts\:/\:iam\:/' |\
sed 's/\:assumed-role\//\:role\//' |\
cut -d'/' -f1-2
  1. Copy the resulting IAM role ARN.
  2. Return to the disk’s Details page in the Archil console, and paste the role ARN as an Authorized User.

Mounting with IAM authentication

When using IAM authentication, mount your disk without specifying an auth token: 
sudo archil mount <disk-name> /mnt/data --region <disk-region>
The Archil client will automatically use your EC2 instance’s IAM role for authentication.

Token authorization

Outside of AWS, or when mounting from a different region, Archil can create static token credentials that can be used to gain access to the disk.

Setup steps

  1. Navigate to the disk’s Details page in the Archil console
  2. Click Generate Token to create a new authorization token
  3. Copy the generated token - you’ll need it when mounting the disk
  4. Keep this token secure as it grants full access to your disk
Archil does not store tokens in plaintext. Store your token somewhere securely when it’s created because it will not be visible again from the Archil console.

Mounting with token authentication

When using token authentication, include the token in your mount command: 
sudo archil mount <disk-name> /mnt/data --region <disk-region> --auth-token <token>