Configure Aspera On Demand to Access a Third Party Account Using an External ID


This article describes how to configure Aspera On Demand (Server, Application Platform or Shares) to leverage the IAM Assumed Roles and External ID features.  These features will enable you to provision an Aspera On Demand Server in one account that has write permissions to an S3 bucket belonging to another account. Two accounts will be used as examples: "My Account" (Your AWS account) and "Other Account" (the third party's AWS account).



My Account Setup

In "My Account" you will setup the S3 bucket(s) and IAM role that will give "Other Account" access to your S3 bucket(s).

  1. In "My Account", go to IAM, then Roles, then click "Create New Role".
  2. Enter a name for your role (i.e. thirdpartyaccess) then click "Next Step".
  3. In this step, select "Role for Cross-Account Access" and then click "Select" for "Allows IAM Users from a 3rd party AWS account to access the account." This will then take you to Step 3.
  4. In Step 3, enter the third party's AWS account ID as well as their External ID. The External ID will be some number that is made up by the the third party, such as 123456 or 234235923. Click "Next Step".
  5. In Step 4, choose the policy that will be attached to this role. For example, if you want to give the third party account full access to your S3 buckets, you would select "AmazonS3FullAccess". Once you have selected a policy, click "Next Step".
  6. Click "Create Role".
  7. We will now go to the third party account to create a role that can assume this role that we just created in "My Account".

Other Account Setup

  1. In "Other Account", go to IAM, then Policies, then click "Create Policy".
  2. Click "Select" on "Create Your Own Policy".
  3. Enter a name for the policy, such as "thirdpartyaccess". Also enter a description of what this policy does (i.e. Access "My Account"). In policy document, copy and paste the following, replacing "arn:aws:iam:234678456278:role/thirdpartyaccess" with the Role ARN from the Role that was created in "My Account":
    • {
        "Version": "2012-10-17",
        "Statement": [
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource":  "arn:aws:iam::234678456278:role/thirdpartyacccess"
    • To find the Role ARN of the role that was created in "My Account", go to IAM, then Roles, then click on the role that was created. The Role ARN will be under Summary.
  4. Click "Create Policy". We will now need to create a Role to which we will attach this policy.
  5. Still in "Other Account", click IAM, then Roles, then "Create New Role".
  6. Enter a name for this Role, then click "Next Step".
  7. Select "Amazon EC2" under "AWS Service Roles".
  8. Select the policy that we just created and click "Next Step".
  9. Click "Create Role".
  10. Copy the "Role ARN" of this role. We will be pasting it into "My Account".

Back to My Account

  1. In "My Account", go to IAM, then Roles, then select the role that was created at the beginning of this article.
  2. Click on the tab "Trust Relationships".
  3. Click "Edit Trust Relationship".
  4. In the policy document, paste in the Role ARN from "Other Account". Click "Update Trust Policy".
  5. We will now configure the Aspera Server in "Other Account" so that it can write to/from the buckets in "My Account".

Configuring Aspera Instance in "Other Account"

In this section we will need the Role ARN and S3 bucket name from "My Account" as well as the External ID.

  1. SSH into the Aspera instance. See this article to learn about SSHing into your instance.
  2. Edit the Aspera transfer user's docroot in /opt/aspera/etc/aspera.conf using a text editor. If you were to use xfer2 as your transfer user, then xfer2's docroot would need to look like this:
    1. <absolute>s3://;iam-role.external-id=123123</absolute>
    2. In the above example, replace BUCKETNAME with the name of your S3 bucket, 345784908923 with the account number from "My Account", thirdpartyaccess with the role name, and replace 123123 with the External ID. Note that part of the above is the ARN Role from "My Account" URL encoded.
    3. For more information on the aspera.conf file, please see the On Demand documentation.
  3. Restart asperanoded:
    • service asperanoded restart

You are now ready to begin transferring.


Powered by Zendesk