This article describes how to configure Aspera On Demand (Server, Application Platform or Shares) to leverage the IAM Assumed Roles and External ID features. These features will enable you to provision an Aspera On Demand Server in one account that has write permissions to an S3 bucket belonging to another account. Two accounts will be used as examples: "My Account" (Your AWS account) and "Other Account" (the third party's AWS account).
My Account Setup
In "My Account" you will set up the S3 bucket(s) and the IAM role that grants "Other Account" access to those bucket(s).
- In "My Account", go to IAM, then Roles, then click "Create New Role".
Other Account Setup
- In "Other Account", go to IAM, then Policies, then click "Create Policy".
- To find the Role ARN of the role that was created in "My Account", go to IAM, then Roles, then click on the role that was created. The Role ARN will be under Summary.
Back to My Account
- In "My Account", go to IAM, then Roles, then select the role that was created at the beginning of this article.
- Click on the tab "Trust Relationships".
- Click "Edit Trust Relationship".
Configuring Aspera Instance in "Other Account"
In this section we will need the Role ARN and S3 bucket name from "My Account" as well as the External ID.
- SSH into the Aspera instance. See this article to learn about SSHing into your instance.
- Edit the Aspera transfer user's docroot in /opt/aspera/etc/aspera.conf using a text editor. If you were to use xfer2 as your transfer user, then xfer2's docroot would need to look like this:
- In the above example, replace BUCKETNAME with the name of your S3 bucket, 345784908923 with the account number of "My Account", thirdpartyaccess with the role name, and 123123 with the External ID. Note that part of the above is the Role ARN from "My Account", URL-encoded.
- For more information on the aspera.conf file, please see the On Demand documentation.
- Restart asperanoded:
- service asperanoded restart
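As an added example (not part of the original article or of Aspera's documentation), the following Python builds the trust relationship for the role in "My Account" with the sts:ExternalId condition, checks that an existing trust policy carries that condition, and URL-encodes the Role ARN as the docroot step requires. The "Other Account" id 111111111111 is a constructed placeholder; the account number, role name and External ID are the ones used in the article.

```python
import json
from urllib.parse import quote

# Values used in the article: "My Account" id, the role it creates, the External ID.
MY_ACCOUNT_ID = "345784908923"
ROLE_NAME = "thirdpartyaccess"
EXTERNAL_ID = "123123"
# Constructed placeholder for the "Other Account" id (not given in the article).
OTHER_ACCOUNT_ID = "111111111111"


def role_arn(account_id: str, role_name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(other_account_id: str, external_id: str) -> dict:
    """Trust relationship for the role in "My Account": only principals in
    "Other Account" may assume it, and only when they present the External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{other_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_requires_external_id(policy: dict) -> bool:
    """Review check: every Allow of sts:AssumeRole must carry an sts:ExternalId
    condition; without it the trusted account could relay any of its customers
    into this role (the confused-deputy problem the External ID prevents)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            return False
    return True


def encoded_role_arn(account_id: str, role_name: str) -> str:
    """URL-encode the Role ARN so it can be embedded in the aspera.conf docroot."""
    return quote(role_arn(account_id, role_name), safe="")


if __name__ == "__main__":
    print(json.dumps(trust_policy(OTHER_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(encoded_role_arn(MY_ACCOUNT_ID, ROLE_NAME))
```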
You are now ready to begin transferring.