How to use AWS Identity and Access Management (IAM) roles to set docroot to S3 storage

Summary

To avoid having to store S3 credentials in the docroot, you can use AWS Identity and Access Management (IAM) roles to set the docroot to S3 storage. This article shows the procedure for doing so.

Prerequisites

This article assumes the following:

  • You have purchased and booted up v.3.4.0 or newer Aspera On Demand instance.
  • You have created an S3 bucket.
  • You have permissions to create IAM roles or to change IAM policies.
  • You know how to SSH as root to your Aspera On Demand Instance.

Procedures

1) Set IAM Roles and Permissions to access S3

a) Log in to the AWS Management Console as an administrator and create a new IAM role that has access to your S3 storage.

Role

A role has Permissions that allow or deny certain actions, and Trust Relationships with other entities such as EC2 or other AWS accounts.

[Screenshot: CreateNewRole.jpg]

b) In the "Create Role" screen, select role Type: 'Amazon EC2'

[Screenshot: RoleType.jpg]

c) In 'Policy Templates', select 'Amazon S3 Full Access' (the policy can be edited later).

[Screenshot: PolicyTemp.jpg]

OR use the 'Policy Generator' to set the policy. For example:

Policy

Simple permissions sample for full access to all S3 buckets.

NOTE: Additional information and advanced examples can be found in these KB articles:

{
  "Statement": [
    {
      "Sid": "Stmt1360956435483",
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}

This policy allows all actions on all S3 resources; once the docroot works, narrow it to the bucket the docroot uses.
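The sample above grants s3:* on every resource. As an added example that is not part of the article, the block below places a policy scoped to the docroot bucket (the article's `s3-bucket-name` placeholder) beside a small check that flags Allow statements granting wildcard S3 actions on all resources; the set of actions listed as sufficient for a transfer docroot is an assumption, not something the article states.

```python
import json

# Constructed copy of the article's full-access sample policy.
FULL_ACCESS_POLICY = {
    "Statement": [
        {"Sid": "Stmt1360956435483", "Action": ["s3:*"], "Effect": "Allow",
         "Resource": ["*"]}
    ]
}

# Scoped alternative for a docroot on one bucket: list the bucket, and
# read/write/delete objects under it. Bucket name is the article's placeholder;
# the action list is an assumption about what a transfer docroot needs.
BUCKET = "s3-bucket-name"
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListDocrootBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": [f"arn:aws:s3:::{BUCKET}"]},
        {"Sid": "DocrootObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                    "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/*"]},
    ],
}


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy):
    """Return the Sids of Allow statements granting s3:* (or *) on every resource."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = set(_as_list(stmt.get("Resource", [])))
        wildcard_action = "*" in actions or "s3:*" in actions
        wildcard_resource = "*" in resources or "arn:aws:s3:::*" in resources
        if wildcard_action and wildcard_resource:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def check_policy_document(text):
    """Parse a JSON policy document and return its overly broad statement Sids."""
    return overly_broad_statements(json.loads(text))
```

Run `check_policy_document` over the JSON you paste into the Policy Generator before attaching it to the role.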

Trust Relationships sample for EC2 (the date conditions are optional):

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "DateLessThan": {
          "aws:CurrentTime": "2033-02-18T13:00:00.000+0000"
        },
        "DateGreaterThan": {
          "aws:CurrentTime": "2010-08-16T12:00:00.000+0000"
        }
      }
    }
  ]
}

2) Launch an AMI using the IAM role that has access to S3 storage

[Screenshot: Select_IAMS_role.PNG]


3) Upgrade both server and client to v.3.3.74992. If you have AoD v.3.4, you do not need to upgrade your server.

# wget http://download.asperasoft.com/download/sw/entsrv/3.3/aspera-entsrv-3.3.74992-linux-64.rpm --user=your-login --password=your-password
# rpm -Uvh aspera-entsrv-3.3.74992-linux-64.rpm


4) Configure your aspera.conf

a) Connect to your server via SSH as root

# ssh -i [customer's pem key] -p 33001 ec2-user@[ec2 host IP]
# sudo su -

b) Edit the docroot of the transfer user, either in /opt/aspera/etc/aspera.conf or in the Aspera Console Web UI, then restart noded.

<absolute>s3://s3.amazonaws.com/s3-bucket-name</absolute>

# /etc/init.d/asperanoded restart