Using Amazon S3 IAM roles

To avoid storing S3 credentials in a transfer user's docroot, you can use AWS Identity and Access Management (IAM) roles to point docroots at S3 storage.

About this task

Prerequisites:

  • You started your HSTS on an Amazon Machine Image (AMI).
  • You have an S3 bucket.
  • You have permissions to create IAM roles or change the policies of your IAM.

Minimum IAM role permissions required

The IAM role requires certain minimum permissions to enable HSTS to upload, download, browse, or delete content in your AWS S3 bucket. Find these minimum permissions in the following table.

Permission                     Upload  Download  Browse  Delete
s3:AbortMultipartUpload        X X X
s3:DeleteObject                X X X
s3:GetBucketLocation (1)       X X X
s3:GetObject                   X X
s3:ListBucket                  X X X
s3:ListBucketMultipartUploads  X X X X
s3:ListMultipartUploadParts    X
s3:PutObject                   X
s3:ListAllMyBuckets (2)        X

(1) Configuration tuning is available if you want to remove the need for this permission.

(2) Required if a bucket name is not included in the policy (for example, a Resource of *).

Configure the IAM role and policy.

Procedure

  1. Log in to AWS Management Console as admin and create an IAM role that has access to your S3 storage.
  2. Go to Services > IAM > Policies. Click Create Policy.
  3. Click Select for Create Your Own Policy.
  4. Create the policy.
    Name the policy: s3_node_access. Enter the following policy into the Policy Document to allow all actions on all S3 resources:
    {
      "Statement": [
        {
          "Sid": "Stmt1360956435483",
          "Action": [
            "s3:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "*"
          ]
        }
      ]
    }
  5. Click Create Policy.
  6. Go to Services > IAM > Roles. Click Create New Role.
  7. Enter s3_access and click Next Step.
  8. On the Select Role Type panel, choose AWS Service Roles, and click Select for the Amazon EC2 role type.
  9. Select the s3_node_access policy. Click Next Step. Then click Create Role.
  10. Start an AMI using the IAM role that has access to S3 storage.
  11. Set the transfer user's docroot.
    Connect to your server through SSH, elevate to the root user, and set the S3 docroot by running the following commands:
    # ssh -i identity_file -p 33001 ec2-user@ec2_host_ip
    # sudo su -
    # asconfigurator -x "set_user_data;user_name,xfer;absolute,s3://s3.amazonaws.com/my_bucket/"
  12. Restart the Aspera® NodeD service.
    # systemctl restart asperanoded
  13. Test your configuration.
    Perform a test transfer from an Aspera client to the S3 storage.
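The s3_node_access policy in step 4 grants s3:* on every resource; the minimum-permission table shows that far less is needed. The following added example (not from the IBM documentation) builds a policy scoped to one bucket from the actions in that table and flags statements like the step 4 one that use wildcards. The bucket name and the Sid values are constructed.

```python
"""Least-privilege IAM policy for an HSTS S3 docroot, with a wildcard check.

Added example, not from the IBM documentation. Assumptions: the action list is
the minimum-permission table above; the bucket name is a constructed sample.
"""
import json
# Actions from the table, split by the resource each applies to (bucket ARN vs objects).
BUCKET_ACTIONS = ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"]
OBJECT_ACTIONS = ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                  "s3:ListMultipartUploadParts", "s3:PutObject"]


def least_privilege_policy(bucket: str, allow_list_all_buckets: bool = False) -> dict:
    """Policy scoped to one bucket; s3:ListAllMyBuckets (footnote 2) only on request."""
    statements = [
        {"Sid": "HstsBucketLevel", "Effect": "Allow", "Action": BUCKET_ACTIONS,
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "HstsObjectLevel", "Effect": "Allow", "Action": OBJECT_ACTIONS,
         "Resource": f"arn:aws:s3:::{bucket}/*"},
    ]
    if allow_list_all_buckets:  # needed only when the policy does not name the bucket
        statements.append({"Sid": "HstsListAllBuckets", "Effect": "Allow",
                           "Action": ["s3:ListAllMyBuckets"], "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def over_broad_statements(policy: dict) -> list:
    """Sids of Allow statements granting every S3 action, or a wildcard resource
    for anything other than s3:ListAllMyBuckets (which has no narrower ARN)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        wild_action = any(a in ("*", "s3:*") for a in actions)
        wild_resource = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if wild_action or (wild_resource and any(a != "s3:ListAllMyBuckets" for a in actions)):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


# The s3_node_access policy from step 4 above (s3:* on *), for comparison.
DOC_POLICY = {"Statement": [{"Sid": "Stmt1360956435483", "Action": ["s3:*"],
                             "Effect": "Allow", "Resource": ["*"]}]}
if __name__ == "__main__":
    print(json.dumps(least_privilege_policy("my_bucket"), indent=2))
    print("over-broad statements:", over_broad_statements(DOC_POLICY))
```

Paste the generated document into the Policy Document field in step 4 in place of the s3:* policy; attach the s3:ListAllMyBuckets statement only when footnote 2 applies.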