How to configure Aspera to use the IAM Assumed roles feature

Summary

This article describes how to configure Aspera On Demand (Server, Application Platform or Shares) to use the IAM assumed role feature. This feature lets you provision an Aspera On Demand server in one AWS account that has write permissions to an S3 bucket belonging to another account. The diagram below shows the concept and the names of the accounts used in this article.

[Figure: overview of the assumed-role setup between the Test account (bucket owner) and the DEMO account (Aspera On Demand server)]

Details

Test Account setup

In the AWS Test account, we will create an S3 bucket and then an IAM role that allows the DEMO account to upload to that bucket.

  1. Create a bucket. In my example, I created a bucket called "aspera-test-data". [Screenshot: the aspera-test-data bucket]
  2. Create an IAM role with the correct policy and trust relationship. In my example, the IAM role is called "TestBucket" and was created with the "Role for Cross-Account Access" option. [Screenshots: the role, its policy and its trust relationship]

Here is the full policy attached to the role (in this example the bucket name is "aspera-test-data"):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListInTheConsole",
      "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ],
      "Effect": "Allow",
      "Resource": [ "arn:aws:s3:::*" ]
    },
    {
      "Sid": "AllowRootLevelListingOfTheBucket",
      "Action": [ "s3:ListBucket" ],
      "Effect": "Allow",
      "Resource": [ "arn:aws:s3:::aspera-test-data" ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [ "" ],
          "s3:delimiter": [ "/" ]
        }
      }
    },
    {
      "Sid": "Stmt1389034796000",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::aspera-test-data",
        "arn:aws:s3:::aspera-test-data/*"
      ]
    }
  ]
}

  3. Create a trust relationship with the account that you want to be able to upload content to this bucket. In my example, that is the DEMO account. [Screenshots: the role's trust relationship and trust policy]
  4. Capture the ARN (Amazon Resource Name) for this role. You can find the ARN on the role's "Summary" tab. [Screenshot: the role ARN in my example]

DEMO account IAM role setup

Log in to the AWS account that will run the Aspera On Demand server (the DEMO account) and create an IAM role that has full Security Token Service (STS) permissions. In my example, I use a role named "TestAccountAssumedRole".

[Screenshots: creating the TestAccountAssumedRole role and its policy]

IAM role policy (grants sts:AssumeRole):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1389115902000",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

[Screenshot: the role's trust relationship] Trust policy (lets EC2 instances assume the role):

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Sid": "",
     "Effect": "Allow",
     "Principal": {
       "Service": "ec2.amazonaws.com"
     },
     "Action": "sts:AssumeRole"
   }
 ]
}

Provision Aspera on Demand

  1. Log in to the AWS Console and provision an Aspera AMI using the IAM role created in the preceding section (e.g. TestAccountAssumedRole). See this link for a list of current 3.4 AMIs.

[Screenshot: provisioning the instance with the IAM role selected]

  2. Configure the docroot of your Aspera transfer user (e.g. the system user) using this syntax:

S3://s3.amazonaws.com/BUCKETNAME?iam-role.arn=ARN

where ARN is URL-encoded (substitute "%3A" for ":" and "%2F" for "/"). For example, the original syntax:

arn:aws:iam::123412341234:role/TestBucket

URL-encoded syntax:

arn%3Aaws%3Aiam%3A%3A123412341234%3Arole%2FTestBucket

Full example of a URL-encoded docroot:

<absolute>s3://s3.amazonaws.com/aspera-test-data?iam-role.arn=arn%3Aaws%3Aiam%3A%3A123412341234%3Arole%2FTestBucket</absolute>
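Hand-encoding the ARN is error-prone, so here is an added Python helper (not part of Aspera or this article) that checks the role ARN has the arn:aws:iam::ACCOUNT:role/NAME shape, percent-encodes it the way the docroot syntax above requires, and decodes an existing docroot for review. The function names are my own; the bucket name, account number and role name are the ones used in this article.

```python
import re
from urllib.parse import quote, urlsplit, parse_qs

# Shape of an IAM role ARN: arn:aws:iam::<12-digit account>:role/<path and name>.
# Note the empty region field ("::") and the "/" before the role name (not ":").
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@-]+(?:/[\w+=,.@-]+)*)$")


def is_valid_role_arn(arn: str) -> bool:
    """True only for ARNs of the form arn:aws:iam::ACCOUNT:role/NAME."""
    return ROLE_ARN_RE.match(arn) is not None


def encode_arn(arn: str) -> str:
    """Percent-encode a role ARN for the iam-role.arn query parameter.

    quote() with safe="" turns every ":" into %3A and every "/" into %2F,
    which is exactly the substitution the docroot syntax asks for.
    """
    if not is_valid_role_arn(arn):
        raise ValueError(f"not an IAM role ARN (expected arn:aws:iam::<account>:role/<name>): {arn}")
    return quote(arn, safe="")


def build_docroot(bucket: str, role_arn: str, endpoint: str = "s3.amazonaws.com") -> str:
    """Build the transfer user's docroot string from its parts."""
    return f"s3://{endpoint}/{bucket}?iam-role.arn={encode_arn(role_arn)}"


def parse_docroot(docroot: str) -> dict:
    """Decode an existing docroot and validate the embedded role ARN."""
    parts = urlsplit(docroot)
    if parts.scheme.lower() != "s3":
        raise ValueError(f"docroot must use the s3:// scheme: {docroot}")
    params = parse_qs(parts.query)  # parse_qs percent-decodes the values for us
    if "iam-role.arn" not in params:
        raise ValueError("docroot has no iam-role.arn parameter")
    role_arn = params["iam-role.arn"][0]
    if not is_valid_role_arn(role_arn):
        raise ValueError(f"docroot carries a malformed role ARN: {role_arn}")
    return {"endpoint": parts.netloc, "bucket": parts.path.lstrip("/"), "role_arn": role_arn}


if __name__ == "__main__":
    # Values from the article: bucket "aspera-test-data", role "TestBucket" in account 123412341234.
    docroot = build_docroot("aspera-test-data", "arn:aws:iam::123412341234:role/TestBucket")
    print(docroot)
    print(parse_docroot(docroot))
```

Running the block prints the same docroot string shown in the full example above; feeding it an ARN written as ":role:TestBucket" raises ValueError instead of producing a docroot that will fail at transfer time.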


1 Comment

    Larbi BELBECIR

    As per the encoded syntax (that shows a %2F) and what's displayed on the AWS console, the ARN ends with something like :role/TestBucket and not :role:TestBucket.

    Besides all that, you want to make sure that your instance can reach the STS/IAM service in order to get the token required.
