> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nx1cloud.com/llms.txt
> Use this file to discover all available pages before exploring further.

# s3Cli

> Overview of NexusOne's s3Cli command-line tool used for governed S3 operations with Ranger policy enforcement.

`s3Cli` is a governed S3 command-line tool in NexusOne's Jupyter environment. Its core features include:

* Interacting with S3 buckets in NexusOne
* Evaluating Apache Ranger policies before executing S3 operations
* Loading and storing credentials via a Java Cryptography Extension Key Store (JCEKS)

## Problems s3Cli solves

Prior to the release of `s3Cli`, you would directly interact with S3 buckets using the AWS Command Line Interface.

<Card style={{ display: 'inline-block', textAlign: 'center' }}>
  <img style={{ width: '550px', display: 'block', margin: '0 auto' }} src="https://mintcdn.com/nexusone-4c77570d/xYx5euOx7d6bhNv-/images/documentation/platform/overview/hosted-apps/cli-tools/01-before-s3cli.png?fit=max&auto=format&n=xYx5euOx7d6bhNv-&q=85&s=46390520f3fffba6065a94ba2b5cac1b" width="972" height="298" data-path="images/documentation/platform/overview/hosted-apps/cli-tools/01-before-s3cli.png" />

  Before `s3Cli`
</Card>

This architecture creates a problem because there is no centralized policy check within NexusOne.
S3 actions allowed depend on the AWS IAM policy assigned to the user performing the action using the AWS
command line tool.

As a NexusOne customer, this creates a problem in the following ways:

* You have to reach out to the NexusOne team to update these AWS IAM policies since you don't manage the NexusOne environment
* If you manage your NexusOne environment, then you have to manage both the AWS policies and other custom policies, not even
  related to this feature within Apache Ranger

What `s3Cli` does is collapse this governance split. IAM authorization still exists, but Ranger is now used as the
authorization layer.

<Card img="https://mintcdn.com/nexusone-4c77570d/xYx5euOx7d6bhNv-/images/documentation/platform/overview/hosted-apps/cli-tools/02-after-s3cli.png?fit=max&auto=format&n=xYx5euOx7d6bhNv-&q=85&s=ab8a2335f965da63603596e026f80e6e" width="1644" height="610" data-path="images/documentation/platform/overview/hosted-apps/cli-tools/02-after-s3cli.png">
  After `s3Cli`
</Card>

Now, when you use `s3Cli`, the following happens:

1. You perform an S3 action using `s3Cli`
2. JCEKS loads your AWS S3, MinIO, or other S3-compatible storage credentials, so
   `s3Cli` can authenticate to the storage service before performing any action
3. Ranger evaluates if you have permission to perform the requested S3 action
4. The S3 action executes if it's allowed by Ranger

<Note>Hadoop's `core-site.xml` file makes it possible to access multiple S3 buckets.</Note>

## Supported s3Cli operations

The `s3Cli` tool supports the following operations.

| Operation | Description                              |
| --------- | ---------------------------------------- |
| ls        | List buckets or objects                  |
| get       | Download a file or directory recursively |
| put       | Upload file or directory                 |
| rm        | Delete file                              |
| cat       | Print file contents                      |
| auth      | Check authorization                      |

## Additional resources

For more information about the supported flags and how to use them, refer to the
[s3Cli command line reference page](/cli-reference/s3cli/auth).