Merge pull request #6 from bcgov/service_account

update Service account details

Author: TimCsaky

docs/Config.md

@@ -68,6 +68,32 @@ This mode is generally recommended for systems where you expect to use COMS at a
 },
 ```
 
+Basic Auth can also be used where machine-to-machine API access is required. This can be set by enabling the s3AccessMode in the configuration, which is enabled by default on all COMS environments. This setup is suitable for service-level account access.
+
+```sh
+"basicAuth": {
+  "enabled": “true", # note: to disable, delete this environment variable
+  "s3AccessMode": "true",
+
+  "password": "<custom Basic Auth Password.",
+  "username": "<custom Basic Auth Username>"
+},
+```
+
+In this case, storage credentials provided by the optimization teams are used to grant access. The following are used as user and password:
+
+```sh
+accesskeyid
+accesskeysecret
+```
+
+Additional request params: bucket and endpoint must be provided in the request headers using the following key-value pairs:
+
+```sh
+x-amz-bucket: <bucket>
+x-amz-endpoint: <endpoint>
+```
+
 ### Full
 
 This mode is generally recommended for systems that need both user level and administrative level access to objects. This grants the full suite of functionality COMS offers, but care must be taken to ensure that access to objects is done securely from your line of business application.

docs/Service-Account.md

@@ -0,0 +1,28 @@
+## Service Account API access**
+
+Service account feature for COMS can be enabled by setting s3AccessMode enabled in configuration, it allows automated systems or services to securely interact with the COMS environment using access keys for authentication. Below are the steps for configuring and utilizing s3AccessMode.
+
+### Credentials
+
+For M2M API access, the storage credentials are used to authenticate API requests. These credentials consist of an Access Key ID and Access Key Secret, which are essential for machine-to-machine communication.
+
+#### Service Account Credentials:
+**accesskeyid:*** The unique identifier for the service account.
+
+**accesskeysecret:** The associated secret key for the service account.
+
+#### Set Request Headers and Parameters
+
+With s3AccessMode enabled, the M2M communication requires specific headers to authenticate and provide access correctly.
+
+**Headers to Include**:
+
+***x-amz-bucket:*** The name of the bucket being accessed by the service account.
+
+***x-amz-endpoint:*** The endpoint to which the request is directed.
+
+### Security Considerations
+
+*   **Store Credentials Securely**: Ensure the accesskeyid and accesskeysecret are stored securely, such as in environment variables or a secure credential vault, to prevent unauthorized access.
+    
+*   **Use HTTPS**: Make sure that all API requests are made over HTTPS to protect sensitive data during transmission.

mkdocs.yml

@@ -13,12 +13,13 @@ markdown_extensions:
 nav:
 - Introduction: index.md
 - API User Guide:
-  - Authentication: Authentication.md
+  - Authentication: Authentication.md  
   - Endpoint Notes: Endpoint-Notes.md
   - Permissions: Permissions.md
   - Metadata and Tags: Metadata-Tag.md
   - Managing buckets: Buckets.md
-  - Synchronization: Synchronization.md
+  - Service Account: Service-Account.md  
+  - Synchronization: Synchronization.md  
   - Use-Case Examples: Use-Case-Examples.md
 - Deployment Guide:
   - Self-Hosting COMS: Self-Hosting-COMS.md