Introduction
This article describes how to use an Amazon Web Services (AWS) Simple Storage Service (S3) bucket to host the Triofox backend storage. To follow the principle of least privilege, this configuration uses an AWS Identity and Access Management (IAM) user that can access only a single S3 bucket in the AWS account. This IAM user can be thought of as a "service account" for the Triofox service: it has no console login, and its policy grants nothing outside that one bucket apart from listing bucket names.
Configuration
Create an S3 Bucket
- Sign into the AWS portal and navigate to the S3 console.
- Click the Create bucket button:
- Fill out the fields in the Create bucket UI:
- The Bucket name must follow DNS naming conventions (lowercase letters, digits, dots and hyphens) and be globally unique across all AWS accounts. In this example the bucket name "tfshare01-triofox" was used; the suffix indicates the application it serves (Triofox).
- Select the AWS Region where the Triofox server runs if Triofox is hosted in AWS, or the region geographically closest to the Triofox server if it is not.
- There is normally no need to copy settings from an existing bucket.
- Click the Next button:
- In the next panel:
- Make sure that Versioning is disabled (it is disabled by default). Triofox has its own versioning built in, so S3 versioning would only keep extra object versions that you pay to store.
- Leave the other settings disabled unless you have a business reason to enable them.
- Click the Next button:
- In the next panel,
- Keep the defaults, with all four Block Public Access options enabled, so that neither the bucket nor its objects can be made publicly readable.
- Click the Next button:
- Review the settings then click the Create bucket button:
- Click on the bucket name in the S3 console:
- Notice the bucket is currently empty:
- In the AWS portal, navigate to the IAM service.
- Click the Policies node:
- Click the Create policy button
- The "Visual editor" is slow to work with for a policy like this. Click on the JSON tab:
- AWS provides an example of the necessary IAM policy here:
  https://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html#iam-policy-ex0
- Copy the policy text from the AWS documentation. With the example bucket name replaced by the one created above, it reads:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListAllMyBuckets"
          ],
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation"
          ],
          "Resource": "arn:aws:s3:::tfshare01-triofox"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:DeleteObject"
          ],
          "Resource": "arn:aws:s3:::tfshare01-triofox/*"
        }
      ]
    }
- The first statement (s3:ListAllMyBuckets on arn:aws:s3:::*) is the only account-wide grant. It is what allows a bucket picker, such as the one in the Triofox console, to list bucket names; it does not allow reading the contents of any of them. The second statement applies to the bucket itself (listing it and finding its region) and the third to the objects inside it. The two *Acl actions only matter if the bucket still uses object ACLs; new buckets default to Object Ownership "Bucket owner enforced", which disables ACLs.
- Paste it into a text editor like Visual Studio Code and save it as a .json file (it will be easier to read).
- Search and replace all occurrences of examplebucket with the name of the S3 bucket that was created (in this example tfshare01-triofox). Note that this is the name of the S3 bucket the IAM user will be granted access to, not the name of the IAM user.
- Select all of the text in the text editor and paste it into the JSON text box in the IAM console, replacing any text that was automatically generated, then click the Review policy button:
- Click on "Next: Tags" (no tags are required)
- Click on "Next: Review"
- In the Create policy panel,
- Set the Name text box to something descriptive (spaces are not allowed)
- Set the Description text box to something that explains what this custom policy is allowing
- Click the Create policy button:
- Notice the custom policy is listed:
- Click the Users node:
- Click the Add user button:
- In the Add user panel,
- In the User name field provide some text that indicates what the "service account" will be used for:
- Enable the Programmatic access option (an access key ID and secret access key).
- Leave the AWS Management Console access option disabled, as this user will never need to sign in to the console.
- Click the Next: Permissions button:
- Click the Attach existing policies directly tab and select the custom policy created above:
- Review the user and policy that will be attached to the user then click the Create user button:
- Now the user "svc-triofox" is created.
- Click on the user, and click on the "Security credentials" tab, then click on "Create access key"
- Select the use case that matches the Triofox server, typically "Application running outside AWS" if the server is not hosted in AWS. Click on "Next"
- Click on "Create access key"
- Click the Download .csv button:
- Store the Access key ID and Secret access key in a secrets vault or password manager such as LastPass or similar. The secret access key is shown only at creation time and cannot be retrieved later. Together they are the credentials that sign in to AWS programmatically as this IAM user, so treat them like a password for the bucket and rotate them if they are ever exposed.
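The bucket, policy and service account above, done from the AWS CLI instead of the console, as an added example that is not part of the original article and is not Triofox's own code. It assumes AWS CLI v2 is installed and the current shell is authenticated as an administrator of the account; the bucket, region, user and policy names are examples, and OTHER_BUCKET is any second bucket in the same account used for the negative test. The last function is the check a practitioner wants after this procedure: with the new key, the Triofox bucket lists and any other bucket is denied.

```shell
#!/usr/bin/env bash
# Added example (not from the article or from Triofox): the console steps as
# AWS CLI v2 calls, plus a negative test that the service account is confined
# to one bucket. Assumes the shell is already authenticated as an account
# administrator. Nothing below touches AWS unless TRIOFOX_APPLY=1 is set.

BUCKET="${BUCKET:-tfshare01-triofox}"          # example names
REGION="${REGION:-us-east-1}"
IAM_USER="${IAM_USER:-svc-triofox}"
POLICY_NAME="${POLICY_NAME:-TriofoxS3-${BUCKET}}"

# S3 naming rules that matter here: 3-63 chars, lowercase letters, digits,
# dots and hyphens, starts/ends with a letter or digit, no "..", not an IP.
valid_bucket_name() {
    local n="$1"
    printf '%s\n' "$n" | grep -Eq '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$' || return 1
    printf '%s\n' "$n" | grep -Eq '\.\.|^[0-9]+(\.[0-9]+){3}$' && return 1
    return 0
}

# The policy from the article for one bucket. ListAllMyBuckets is the only
# account-wide grant (it lets a bucket picker list names); every other
# action is pinned to this bucket's ARN or to the objects under it.
make_policy() {
    local bucket="$1"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*" },
    { "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::${bucket}" },
    { "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject",
                 "s3:GetObjectAcl", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::${bucket}/*" }
  ]
}
EOF
}

create_bucket() {
    # us-east-1 rejects an explicit LocationConstraint; other regions need it.
    if [ "$REGION" = us-east-1 ]; then
        aws s3api create-bucket --bucket "$BUCKET" --region "$REGION"
    else
        aws s3api create-bucket --bucket "$BUCKET" --region "$REGION" \
            --create-bucket-configuration LocationConstraint="$REGION"
    fi
    # All four Block Public Access settings on. Versioning is left at its
    # default (off) because Triofox keeps its own version history.
    aws s3api put-public-access-block --bucket "$BUCKET" \
        --public-access-block-configuration \
        BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
}

create_service_account() {
    local policy_arn
    policy_arn=$(aws iam create-policy --policy-name "$POLICY_NAME" \
        --policy-document "$(make_policy "$BUCKET")" \
        --query Policy.Arn --output text)
    aws iam create-user --user-name "$IAM_USER"   # no login profile: programmatic only
    aws iam attach-user-policy --user-name "$IAM_USER" --policy-arn "$policy_arn"
    # The secret is returned exactly once. Move this file into a password
    # manager or secrets vault, then delete it; never paste it into a ticket.
    aws iam create-access-key --user-name "$IAM_USER" --output json \
        > "${IAM_USER}-access-key.json"
    chmod 600 "${IAM_USER}-access-key.json"
}

# Negative test with the new key: our bucket lists, any other bucket in the
# account is denied. A key created seconds ago may still answer
# InvalidAccessKeyId while IAM propagates; wait briefly and retry.
verify_least_privilege() {
    local other="$1" f="${IAM_USER}-access-key.json" id secret
    id=$(sed -n 's/.*"AccessKeyId": *"\([^"]*\)".*/\1/p' "$f")
    secret=$(sed -n 's/.*"SecretAccessKey": *"\([^"]*\)".*/\1/p' "$f")
    # env -u drops the admin profile/session so only the new key is used.
    env -u AWS_PROFILE -u AWS_SESSION_TOKEN \
        AWS_ACCESS_KEY_ID="$id" AWS_SECRET_ACCESS_KEY="$secret" \
        aws s3api list-objects-v2 --bucket "$BUCKET" --max-keys 1 >/dev/null
    if env -u AWS_PROFILE -u AWS_SESSION_TOKEN \
        AWS_ACCESS_KEY_ID="$id" AWS_SECRET_ACCESS_KEY="$secret" \
        aws s3api list-objects-v2 --bucket "$other" --max-keys 1 >/dev/null 2>&1; then
        echo "FAIL: $IAM_USER can list $other; policy is not scoped" >&2
        return 1
    fi
    echo "OK: $IAM_USER is confined to $BUCKET"
}

if [ "${TRIOFOX_APPLY:-}" = 1 ]; then
    valid_bucket_name "$BUCKET" || { echo "invalid bucket name: $BUCKET" >&2; exit 1; }
    create_bucket
    create_service_account
    verify_least_privilege "${OTHER_BUCKET:?set OTHER_BUCKET to another bucket in the account}"
fi
```

Run it as `TRIOFOX_APPLY=1 OTHER_BUCKET=some-other-bucket ./triofox-s3.sh`; without TRIOFOX_APPLY it only defines the functions, so `make_policy tfshare01-triofox` can be used on its own to print the policy for review before anything is created. The access key file is the same secret the console offers as a .csv download, so handle it the same way.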
Publish the newly created S3 bucket
- Sign into the Triofox console as the cluster admin.
- Enter a share name, choose the storage type "Amazon S3", and click on "Next"
- Enter the Access key ID and Secret access key of the IAM user created above.
- Select the bucket you want to publish (the list is populated using the s3:ListAllMyBuckets permission in the policy), and click on "Finish"
- You can grant user permissions now or later; click "Publish"
- The S3 bucket is now published.