Amazon Web Services Simple Storage Service (AWS S3) Volumes

This page contains information on configuring a volume that is associated with an S3 bucket in Amazon Web Services' (AWS) cloud storage.

Seven Bridges Platform authentication and authorization

Seven Bridges Platform provides the option of connecting your Amazon Web Services S3 bucket (volume) so that the Platform can read files from it and write files to it. After the connection is established, your S3 bucket (volume) behaves like external storage for the Seven Bridges Platform. Authentication of the Platform is done through AWS Identity and Access Management (IAM) services, using the AWS IAM user authentication method. Authorization of the Platform, which defines the actions that can be done on your volume, is defined in a custom IAM policy that is attached to an IAM user.

About AWS IAM users

An AWS Identity and Access Management (IAM) user is an entity that you create to represent a person or service that interacts with your AWS resources. For each IAM user you need to define one or more policies that determine which actions the user can perform, on which AWS resources, and under what conditions. In order to connect your S3 bucket as a volume to the Seven Bridges Platform, you will need to attach an appropriate policy provided by Seven Bridges to your IAM user and use Access keys (access key ID and secret access key) for authentication to make programmatic calls from the Platform to your AWS resources.

Connecting an S3 bucket to the Platform

Prerequisites:

Procedure:

  1. Create a custom IAM policy
  2. Set up an IAM user

Create a custom IAM policy

The policy should be attached to the IAM user to define permissions that the Seven Bridges Platform will have when connecting with your AWS S3 bucket (volume). So, the first step is to create a custom IAM policy that you will attach to your IAM user later on. To create the policy, follow these steps:

  1. Go to the AWS Management Console.
  2. In the top menu select Services and then choose IAM.
  3. In the left navigation menu select Policies.
  4. Click Create policy and select the JSON tab.
  5. Copy and paste the following custom policy. Make sure to select the right policy depending on whether you're mounting the volume in Read-only or Read-write mode. Also, make sure to replace <BUCKET_NAME> in the policy with the name of your S3 bucket, and either replace <ROOT> with the subdirectory in the bucket to which you want to restrict access when browsing the mounted volume from the Platform, or simply exclude the <ROOT> parameter and set Resource in the policy to arn:aws:s3:::<BUCKET_NAME> if you want to make the entire content of the bucket available.

Read-only policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GrantReadOnBuckets",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>"
            ]
        },
        {
            "Sid": "GrantReadOnObjects",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>/<ROOT>/*"
            ]
        }
    ]
}

Read-write policy (copy-source buckets sbg-main and sbg-main-us-west-2):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GrantReadOnBuckets",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>"
            ]
        },
        {
            "Sid": "GrantReadOnObjects",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>/<ROOT>/*"
            ]
        },
        {
            "Sid": "GrantWriteOnObjects",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>/<ROOT>/*"
            ]
        },
        {
            "Sid": "RequestReadOnCopySourceObjects",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::sbg-main/*",
                "arn:aws:s3:::sbg-main-us-west-2/*"
            ]
        }
    ]
}

Read-write policy (copy-source bucket sb-main-eu-central-1):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GrantReadOnBuckets",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>"
            ]
        },
        {
            "Sid": "GrantReadOnObjects",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>/<ROOT>/*"
            ]
        },
        {
            "Sid": "GrantWriteOnObjects",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>/<ROOT>/*"
            ]
        },
        {
            "Sid": "RequestReadOnCopySourceObjects",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::sb-main-eu-central-1/*"
        }
    ]
}

  6. Click Review policy and enter a policy name, e.g. sb-access-policy (remember this policy name, as you will need to attach it to the IAM user later).
  7. (Optional) Enter the policy description.
  8. Click Create policy to finish creating the policy.

The custom IAM policy you have created can be attached to the IAM user you will use to connect your AWS S3 bucket with the Seven Bridges Platform.
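
A check you can run on the policy JSON before pasting it into the console, given here as an added example that is not part of the original page or of Seven Bridges' tooling. It flags unreplaced <BUCKET_NAME> and <ROOT> placeholders and any action or resource beyond those in the policies above. The names lint_policy, example-bucket and projects are assumptions, as is writing the whole-bucket object resource as <BUCKET_NAME>/*.

```python
import json

# Action sets and copy-source buckets as they appear in the page's policies.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketCORS", "s3:GetBucketLocation"}
READ_ACTIONS = {"s3:GetObject"}
WRITE_ACTIONS = {"s3:PutObject", "s3:GetObjectAcl", "s3:PutObjectAcl",
                 "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"}
COPY_SOURCES = {"arn:aws:s3:::sbg-main/*", "arn:aws:s3:::sbg-main-us-west-2/*",
                "arn:aws:s3:::sb-main-eu-central-1/*"}

def as_set(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return {value} if isinstance(value, str) else set(value)

def lint_policy(policy_json, bucket, root=None, read_write=False):
    """Return findings for a policy document; an empty list means it fits the template."""
    findings = []
    if "<BUCKET_NAME>" in policy_json or "<ROOT>" in policy_json:
        findings.append("placeholder left unreplaced")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # Assumption: without <ROOT>, object statements use <bucket>/* (object actions match object ARNs).
    object_arn = f"{bucket_arn}/{root.strip('/')}/*" if root else f"{bucket_arn}/*"
    object_actions = READ_ACTIONS | (WRITE_ACTIONS if read_write else set())
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid, actions = stmt.get("Sid", "?"), as_set(stmt["Action"])
        for res in sorted(as_set(stmt["Resource"])):
            if res == bucket_arn:
                extra = actions - BUCKET_ACTIONS
            elif res == object_arn:
                extra = actions - object_actions
            elif res in COPY_SOURCES and read_write:
                extra = actions - READ_ACTIONS
            else:
                findings.append(f"{sid}: unexpected resource {res}")
                continue
            if extra:
                findings.append(f"{sid}: unexpected actions {sorted(extra)} on {res}")
    return findings

# Constructed sample: read-only policy with one action the template does not grant.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "GrantReadOnBuckets", "Effect": "Allow", "Action": sorted(BUCKET_ACTIONS),
     "Resource": ["arn:aws:s3:::example-bucket"]},
    {"Sid": "GrantReadOnObjects", "Effect": "Allow", "Action": ["s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::example-bucket/projects/*"]}]})
if __name__ == "__main__":
    print(lint_policy(SAMPLE, "example-bucket", root="projects"))
```

An empty result means every Allow statement stays within the bucket, the chosen root and the action sets of the selected mode.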

Set up an IAM user 

Follow these steps to create an AWS IAM user that you will use to connect an S3 bucket (volume) to the Seven Bridges Platform:

  1. Log in to the AWS Management Console.
  2. In the top menu select Services and then choose IAM.
  3. In the left navigation menu select Users, and then choose Add user.
  4. Enter the User name for the user you are creating.
  5. In the Access type section, select Programmatic access.
  6. Click Next: Permissions.
  7. In the Set permissions section select Attach existing policies directly.
  8. Use the search bar to find and select the policy you created earlier (e.g. sb-access-policy).
  9. Click Next: Tags.
  10. (Optional) Add tags to the user. These are key-value pairs that contain additional information about the IAM user and are not necessary for the process of attaching a volume to the Seven Bridges Platform.
  11. Click Next: Review. The user details screen is displayed. Check once again that all entered information is correct.
  12. Click Create user. You will see a message that the user is successfully created.
  13. On the confirmation screen, copy the provided Access key ID and Secret access key and use them for volume creation on the Seven Bridges Platform.
  14. Click Close.

With the created IAM user you can connect your AWS S3 bucket as a volume to the Seven Bridges Platform. As stated in step 13 above, the credentials you will need are:

  • Access key ID
  • Secret access key

If you forget your Secret access key, you can still create new Access keys:

  1. Click the name of your IAM user in the list of all available users.
  2. Click the Security credentials tab.
  3. In the Access keys section click Create access key. The newly created Access key ID and Secret access key are displayed in the pop-up window. Use them for connecting your S3 bucket to the Seven Bridges Platform.

Amazon S3 FIPS endpoints

In order to have a FIPS-compliant connection with your buckets located in AWS US East/West regions, you should use the FIPS endpoints provided by AWS when attaching your volume to the Platform. This is done by entering the corresponding FIPS endpoint when configuring additional options in the Volume Connection Wizard. Depending on the AWS region where your bucket is located, use one of the following endpoints:

  • Buckets located in the US East 1 region:
    • s3-fips.us-east-1.amazonaws.com
    • s3-fips.dualstack.us-east-1.amazonaws.com
  • Buckets located in the US East 2 region:
    • s3-fips.us-east-2.amazonaws.com
    • s3-fips.dualstack.us-east-2.amazonaws.com
  • Buckets located in the US West 1 region:
    • s3-fips.us-west-1.amazonaws.com
    • s3-fips.dualstack.us-west-1.amazonaws.com
  • Buckets located in the US West 2 region:
    • s3-fips.us-west-2.amazonaws.com
    • s3-fips.dualstack.us-west-2.amazonaws.com

Additional configuration

The IAM policy is usually sufficient to permit the Platform to access your S3 bucket. In certain situations, however, it may be necessary to set up additional configuration on the bucket itself. Read how to do this by enabling cross-origin resource sharing (CORS).