
Privacera Boto3 Signer

This section provides information about the Privacera Boto3 Signer and how to set it up for seamless AWS S3 access with Boto3 applications.

Boto3 Overview

Boto3 is the official AWS SDK for Python, enabling developers to build applications that interact with AWS services such as Amazon S3. It offers both a high-level, object-oriented interface for ease of use and low-level APIs for fine-grained control over AWS services.

What is Privacera Boto3 Signer?

Privacera Boto3 Signer is a drop-in authentication and request-signing layer for Boto3. It integrates with Privacera DataServer to obtain short-lived AWS STS credentials and sign S3 requests using AWS SigV4.

Privacera Boto3 Signer delivers an enterprise-grade security layer that offers:

  • Policy-Driven Access Control
    Enforces Privacera access policies across all Amazon S3 operations.

  • Enterprise-Grade Security
    Supports audit trails, short-lived credentials, and centralized policy enforcement.

Version Support

This feature is supported in Privacera release version 9.2.9.1 and later.

Pre-requisites

  1. AWS S3 Connector Setup - Set up the AWS S3 connector and configure Privacera DataServer with AWS S3.

  2. Valid JWT Token - A JWT token must be configured with DataServer; the signer uses it to authenticate to Privacera DataServer.

  3. Python 3.9+ - Required for Boto3 and the signer package.

  4. Python Packages - The following Python packages must be installed:

    • boto3 version 1.34.0 or higher
    • botocore version 1.34.0 or higher
    • requests version 2.31.0 or higher

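The following pre-flight check is an added example, not part of the Privacera package: it verifies the interpreter version and the minimum package versions listed above using only the standard library, so it can be run before the signer wheel is installed. The version comparison is numeric on dotted components (a pre-release suffix such as `rc1` is ignored), which is an assumption about how the minimums should be read.

```python
"""Pre-flight check for the Privacera Boto3 Signer prerequisites (added example)."""
import sys
from importlib import metadata

# Minimum versions taken from the Pre-requisites list above.
MIN_PYTHON = (3, 9)
MIN_PACKAGES = {
    "boto3": "1.34.0",
    "botocore": "1.34.0",
    "requests": "2.31.0",
}


def version_tuple(version: str) -> tuple:
    """Turn '1.34.12' into (1, 34, 12). Each component is cut at the first
    non-digit, so '1.34.0rc1' compares like '1.34.0' (assumption)."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def meets_minimum(installed: str, required: str) -> bool:
    """True when installed >= required, comparing padded numeric components."""
    a, b = version_tuple(installed), version_tuple(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def check_python(version_info=sys.version_info) -> list:
    """Return a list of problems (empty when the interpreter is new enough)."""
    if tuple(version_info[:2]) < MIN_PYTHON:
        return [f"Python {MIN_PYTHON[0]}.{MIN_PYTHON[1]}+ required, "
                f"found {version_info[0]}.{version_info[1]}"]
    return []


def check_packages(installed_versions=None) -> list:
    """Return a list of problems for missing or too-old packages.

    installed_versions maps package name to version string; when None the
    installed distributions are queried through importlib.metadata."""
    problems = []
    for name, required in MIN_PACKAGES.items():
        if installed_versions is not None:
            installed = installed_versions.get(name)
        else:
            try:
                installed = metadata.version(name)
            except metadata.PackageNotFoundError:
                installed = None
        if installed is None:
            problems.append(f"{name} is not installed (need >= {required})")
        elif not meets_minimum(installed, required):
            problems.append(f"{name} {installed} is too old (need >= {required})")
    return problems


def main() -> int:
    problems = check_python() + check_packages()
    for p in problems:
        print("MISSING:", p)
    if problems:
        return 1
    print("All Privacera Boto3 Signer prerequisites satisfied")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it inside the virtual environment you intend to use for the signer; a non-zero exit code means at least one prerequisite above is not met.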
Setup

  1. Create and Navigate to the Setup Directory:

    Bash
    # Create installation directory
    mkdir -p privacera-boto3

    # Navigate to installation directory
    cd privacera-boto3


  2. Create download script privacera_boto3_pkg_download.sh in this directory:

    Bash
    #!/bin/bash
    # Privacera Boto3 Signer Package Download Script
    set -e
    
    # Configuration constants
    readonly PRIVACERA_RELEASES_BASE_URL="https://privacera-releases.s3.us-east-1.amazonaws.com"
    readonly PCLOUD_URL="https://api.privaceracloud.com"
    readonly PKG_NAME="privacera_boto3_signer.tar.gz"
    
    main() {
        # Validate arguments
        if [ "$#" -lt 2 ]; then
            echo "Usage:"
            echo "  Self-Managed (Platform) : $0 PLATFORM <RELEASE_VERSION>"
            echo "  SaaS (PrivaceraCloud)   : $0 PCLOUD <API_KEY>"
            exit 1
        fi
    
        DEPLOYMENT_TYPE=$(echo "$1" | tr '[:lower:]' '[:upper:]')
    
        # Determine download URL
        case "$DEPLOYMENT_TYPE" in
            PLATFORM)
                RELEASE_VERSION=$2
                echo "Fetching DataServer version for release ${RELEASE_VERSION}..."
    
                DATASERVER_SHA=$(get_privacera_dataserver_version "${RELEASE_VERSION}")
    
                if [ -z "$DATASERVER_SHA" ]; then
                    echo "Error: Failed to retrieve DATASERVER_VERSION for release ${RELEASE_VERSION}" >&2
                    exit 1
                fi
    
                PRIVACERA_BASE_DOWNLOAD_URL="${PRIVACERA_RELEASES_BASE_URL}/privacera-dataserver/${DATASERVER_SHA}/${PKG_NAME}"
                ;;
            PCLOUD)
                API_KEY=$2
                PRIVACERA_BASE_DOWNLOAD_URL="${PCLOUD_URL}/api/${API_KEY}/plugin/dataserver/${PKG_NAME}"
                ;;
            *)
                echo "Invalid deployment type: ${DEPLOYMENT_TYPE}"
                echo "Supported values: PLATFORM | PCLOUD"
                exit 1
                ;;
        esac
    
        echo "=========================================="
        echo "Downloading Privacera Boto3 Signer package"
        echo "Deployment Type : ${DEPLOYMENT_TYPE}"
        # Mask API key in URL for security (only show full URL for PLATFORM mode)
        if [ "${DEPLOYMENT_TYPE}" = "PCLOUD" ]; then
            MASKED_URL=$(echo "${PRIVACERA_BASE_DOWNLOAD_URL}" | sed "s|/api/[^/]*|/api/***|")
            echo "Download URL    : ${MASKED_URL}"
        else
            echo "Download URL    : ${PRIVACERA_BASE_DOWNLOAD_URL}"
        fi
        echo "=========================================="
    
        echo "Downloading Privacera Boto3 Signer package..."
        if command -v curl >/dev/null 2>&1; then
            curl -fL "${PRIVACERA_BASE_DOWNLOAD_URL}" -o "${PKG_NAME}"
        elif command -v wget >/dev/null 2>&1; then
            wget "${PRIVACERA_BASE_DOWNLOAD_URL}" -O "${PKG_NAME}"
        else
            echo "Error: curl or wget is required to download the package." >&2
            exit 1
        fi
    
        echo "Extracting package..."
        tar xfz "${PKG_NAME}"
    
        echo ""
        echo "Privacera Boto3 Signer package Downloaded successfully"
    }
    
    get_privacera_dataserver_version() {
        local release_version=$1
        local url="${PRIVACERA_RELEASES_BASE_URL}/manifests/${release_version}/release-manifest.yaml"
        local content
    
        if command -v curl >/dev/null 2>&1; then
            content=$(curl -fs "$url")
        elif command -v wget >/dev/null 2>&1; then
            content=$(wget -q -O - "$url")
        else
            echo "Error: curl or wget is required to fetch the manifest." >&2
            return 1
        fi
    
        local dataserver_version
        dataserver_version=$(echo "$content" | grep 'DATASERVER_VERSION:' | awk '{print $2}')
    
        if [ -z "$dataserver_version" ]; then
            echo "Error: DATASERVER_VERSION not found in manifest." >&2
            return 1
        fi
    
        echo "$dataserver_version"
    }
    
    main "$@"
    
  3. Execute the privacera_boto3_pkg_download.sh script for your deployment type. The script downloads the Privacera Boto3 Signer tar package:

    For Self Managed, execute the script with your Privacera release version (e.g. 9.2.9.1):

    Bash
    # Make script executable
    chmod +x privacera_boto3_pkg_download.sh
    
    # Run with PLATFORM mode
    ./privacera_boto3_pkg_download.sh PLATFORM <RELEASE_VERSION>
    

    For PrivaceraCloud, to get the API Key and Ranger Admin URL, follow the steps below:

    • Login to PrivaceraCloud Portal

    • Navigate to Settings → API keys

    • Click the i (information icon) next to API key

    • Copy the API Key value

    • Execute the script:

      For PrivaceraCloud
      # Make script executable
      chmod +x privacera_boto3_pkg_download.sh
      
      # Set API_KEY from previous step
      API_KEY=<API_KEY>
      
      # Run with PCLOUD mode
      ./privacera_boto3_pkg_download.sh PCLOUD $API_KEY
      
  4. Install Privacera Boto3 Signer - After running the privacera_boto3_pkg_download.sh script, complete the installation (the current directory should be privacera-boto3):

    1. [Optional] Check whether a virtual environment already exists and activate it. If it doesn't exist, create a new one:

      Bash
      # Create a new virtual environment named 'venv'
      python3 -m venv venv
      
      # Activate the virtual environment
      source venv/bin/activate
      
    2. Create requirements.txt file:

      Bash
      vi requirements.txt
      

      Add the following content:

      Text Only
      # Core dependencies for Privacera Boto3 Signer
      boto3>=1.34.0
      botocore>=1.34.0
      requests>=2.31.0
      
    3. Install dependencies:

      Bash
      pip install -r requirements.txt
      
    4. Install Privacera Boto3 Signer:

      Bash
      pip install privacera_boto3_signer-*-py3-none-any.whl
      
    5. Verify the privacera_auto_register.pth file - Check that the auto-registration file exists in the venv site-packages directory:

      Bash
      ls -la venv/lib/python3.*/site-packages/privacera_auto_register.pth
      
  5. Configure privacera-signer.properties file:

    Bash
    vi privacera-signer.properties
    

    Add the following content:

    Text Only
    # Privacera Boto3 Signer Configuration
    
    privacera.signer.base.url=<https://dataserver-endpoint-url>
    privacera.jwt.token.str=<jwt-token>
    

    Configure the properties with appropriate values:

    a. Determine privacera.signer.base.url (DataServer Endpoint URL):

    • In a Self Managed Privacera environment, run the following command to retrieve the DataServer external URL:

      Bash
      cat ~/privacera/privacera-manager/output/service-urls.txt
      
    • Locate the DATASERVER section in the output and identify the EXTERNAL URL:

      Text Only
      DATASERVER:
      INTERNAL - https://dataserver:8282
      EXTERNAL - https://<dataserver-endpoint-url>
      
    • Use the EXTERNAL URL value as privacera.signer.base.url.

      Example:

      If EXTERNAL URL is https://dataserver-example.endpoint.com, then:

      Text Only
      privacera.signer.base.url=https://dataserver-example.endpoint.com
      
    • For PrivaceraCloud, use the API Key from step 3 and construct the URL for privacera.signer.base.url as follows:

      Text Only
      privacera.signer.base.url=https://api.privaceracloud.com/api/<API_KEY>/signerserver


    b. Configure JWT Token:

    • Set privacera.jwt.token.str to the JWT token value that is configured with DataServer for authentication.

      Example:

      Text Only
      privacera.jwt.token.str="as4w2423casd32sdad12....."
      
  6. Configure the environment - before executing the use case, set the environment variable that points the signer at the properties file:

    Bash
    export PRIVACERA_CONFIG_FILE=<path>/privacera-signer.properties
    
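The following validator is an added example, not part of the Privacera package. It reads the file named by PRIVACERA_CONFIG_FILE (set in step 6), parses Java-style key=value properties, and checks the two required keys from step 5 plus the optional privacera.signer.log.level key described under Troubleshoot. It strips a matching pair of quotes around a value, as in the JWT example above; whether the signer itself does so is an assumption. The JWT token is printed only in masked form.

```python
"""Validate privacera-signer.properties before running Boto3 code (added example)."""
import os
import sys
from urllib.parse import urlparse

REQUIRED_KEYS = ("privacera.signer.base.url", "privacera.jwt.token.str")
LOG_LEVELS = ("DEBUG", "INFO", "WARN", "ERROR")


def parse_properties(text: str) -> dict:
    """Parse key=value lines. '#' and '!' start comments, blank and
    malformed lines are skipped, surrounding whitespace is trimmed, and a
    value wrapped in matching quotes has the quotes removed (assumption)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        props[key.strip()] = value
    return props


def mask_secret(value: str, keep: int = 4) -> str:
    """Show only the first `keep` characters of a secret."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def validate_signer_config(props: dict) -> list:
    """Return a list of problems; an empty list means the config is usable."""
    problems = []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            problems.append(f"{key} is missing or empty")
    url = props.get("privacera.signer.base.url", "")
    if url:
        parsed = urlparse(url)
        # The DataServer endpoint carries a JWT, so anything but https is a problem.
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"privacera.signer.base.url must be an https:// URL, got {url!r}")
        if "<" in url or ">" in url:
            problems.append("privacera.signer.base.url still contains a <placeholder>")
    token = props.get("privacera.jwt.token.str", "")
    if token and ("<" in token or ">" in token):
        problems.append("privacera.jwt.token.str still contains a <placeholder>")
    level = props.get("privacera.signer.log.level")
    if level is not None and level.upper() not in LOG_LEVELS:
        problems.append(f"privacera.signer.log.level must be one of {LOG_LEVELS}, got {level!r}")
    return problems


def main() -> int:
    path = os.environ.get("PRIVACERA_CONFIG_FILE")
    if not path:
        print("PRIVACERA_CONFIG_FILE is not set", file=sys.stderr)
        return 1
    with open(path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    problems = validate_signer_config(props)
    print("base url :", props.get("privacera.signer.base.url"))
    print("jwt token:", mask_secret(props.get("privacera.jwt.token.str", "")))
    for p in problems:
        print("PROBLEM:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it after exporting PRIVACERA_CONFIG_FILE; it catches the two most common setup mistakes, a placeholder left in the file and a base URL that is not the https EXTERNAL endpoint, before they surface as an opaque signing failure.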

Validation Checklist

Test Use Case - Create and run a sample test script to validate the integration:

  • Create the test script (update bucket_name, s3_key, and local_file_path with actual values):

    1. Create test_boto3_signer.py file:

      Bash
      vi test_boto3_signer.py
      
    2. Add the following content:

      Python
      #!/usr/bin/env python3
      import boto3
      
      # Standard Boto3 usage - no code changes needed
      s3 = boto3.client('s3')
      
      # Configure S3 details
      bucket_name = "<bucket-name>"
      s3_key = "<folder>/file.txt"
      local_file_path = "<local-path>/file.txt"
      
      # Download file with Privacera policy enforcement
      s3.download_file(bucket_name, s3_key, local_file_path)
      print("Download completed")
      
  • Execute the test script:

    Bash
    python3 test_boto3_signer.py
    

Verify Console Logs

  • After running the use case, Privacera logs similar to the following appear in the console:

    Text Only
    INFO     [PRIVACERA] Privacera auto-registration enabled
    INFO     [PRIVACERA] Boto3 client and resource wrapped for Privacera auto-registration

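The following check is an added example, not part of the Privacera package. It parses captured console output for lines of the form `LEVEL    [PRIVACERA] message`, confirms that both registration messages shown above are present, and surfaces any WARN/ERROR lines from the signer so that a run in which Boto3 was never wrapped is not mistaken for a successful validation. Both sample outputs are constructed for illustration; the error text in the second one is not a real signer message.

```python
"""Verify the Privacera auto-registration lines in console output (added example)."""
import re

# Matches 'INFO     [PRIVACERA] ...' style lines; other output is ignored.
LOG_LINE = re.compile(r"^(?P<level>[A-Z]+)\s+\[PRIVACERA\]\s+(?P<message>.*)$")

# The two lines the section above says a successful run prints.
EXPECTED_MESSAGES = (
    "Privacera auto-registration enabled",
    "Boto3 client and resource wrapped for Privacera auto-registration",
)


def parse_privacera_lines(output: str) -> list:
    """Return (level, message) tuples for every [PRIVACERA] line."""
    entries = []
    for line in output.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            entries.append((m.group("level"), m.group("message").strip()))
    return entries


def verify_registration(output: str) -> dict:
    """Summarise registration state: whether both expected messages appeared,
    which are missing, and which WARN/ERROR lines the signer emitted."""
    entries = parse_privacera_lines(output)
    messages = {msg for _, msg in entries}
    return {
        "registered": all(msg in messages for msg in EXPECTED_MESSAGES),
        "missing": [msg for msg in EXPECTED_MESSAGES if msg not in messages],
        "problems": [(lvl, msg) for lvl, msg in entries
                     if lvl in ("WARN", "WARNING", "ERROR")],
    }


# Constructed sample of a healthy run (not real captured output).
SAMPLE_OK = """\
INFO     [PRIVACERA] Privacera auto-registration enabled
INFO     [PRIVACERA] Boto3 client and resource wrapped for Privacera auto-registration
Download completed
"""

# Constructed sample of a run where the client was never wrapped; the
# ERROR text is invented for illustration.
SAMPLE_BROKEN = """\
INFO     [PRIVACERA] Privacera auto-registration enabled
ERROR    [PRIVACERA] Unable to read configuration file
botocore.exceptions.NoCredentialsError: Unable to locate credentials
"""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        print(name, verify_registration(sample))
```

Pipe the test script's combined output into this check (for example `python3 test_boto3_signer.py 2>&1 | python3 -c 'import sys, verify; print(verify.verify_registration(sys.stdin.read()))'` with the block saved as verify.py); `registered` must be true before the audit-log check below means anything, since an unwrapped client is not policy-enforced at all.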

Verify Audit Logs

Check Privacera audit logs to confirm policy enforcement:

  • Privacera Portal: Navigate to Access Management → Audits → ACCESS tab

  • Verify audit entry: A Denied audit record is generated for the JWT-authenticated user, showing the resource path and the attempted operation.

  • Allow access to the user on the resource (if access was denied):

    a. Create user: Navigate to Access Management → Users/Groups/Roles and create the JWT user/group/role there.

    b. Create policy: Navigate to Access Management → Resource Policies → privacera_s3 → ADD NEW POLICY

    Configure the policy with the following values:

    For download operation:

    • Policy Name: Boto3 download operation
    • Bucket Name: <s3 bucket>
    • Object Path: <s3 resource path excluding bucket>
    • Principal: <assign user/group/role created in above steps>
    • Permissions: Read, Metadata Read

  • Re-run and Verify: Execute the test script again, verify that the use case succeeds, and verify that an Allowed audit record is now generated.

Troubleshoot

Configure Log Level

To enable detailed logging for debugging purposes, configure the signer log level in privacera-signer.properties file:

Add the following property to set the log level:

Properties
privacera.signer.log.level=DEBUG

Available log levels:

  • DEBUG - Detailed diagnostic information for debugging
  • INFO - General informational messages (default)
  • WARN - Warning messages for potential issues
  • ERROR - Error messages only

Note: Set the log level to DEBUG when troubleshooting issues, and revert to INFO or WARN for production environments to reduce log verbosity.