Introduction
This article describes how to use an Amazon Web Services (AWS) Simple Storage Service (S3) bucket to host the CentreStack backend storage for a single CentreStack tenant. To follow the principle of least privilege, this configuration uses an AWS Identity and Access Management (IAM) user that is limited to accessing only a single S3 bucket in the AWS account. This IAM user can be thought of as a "service account" for the benefit of the CentreStack service: it has no console access and holds only the permissions CentreStack needs on that one bucket.
Configuration
Create an S3 Bucket
- Sign into the AWS portal and navigate to the S3 console.
- Click the Create bucket button:
- Fill out the fields in the Create bucket UI:
- The Bucket name must follow DNS naming conventions and be globally unique across all of AWS. In this example the bucket name "cstack-bes-hadroncloud" was used. It indicates the company (cstack), that its purpose is backend storage (bes), and the tenant name (hadroncloud). It is wise to adopt a bucket naming convention when there are multiple CentreStack tenants with buckets in the same AWS account.
- Select the AWS Region in which the CentreStack server is hosted if it runs in AWS, or the region geographically closest to the CentreStack server if it does not.
- There is likely no need to copy settings from an existing bucket.
- Click the Next button:
- In the next panel:
- Make sure that Versioning is disabled, because CentreStack has its own versioning built in. It is normally disabled by default.
- The other settings should most likely be disabled unless you have a business reason to enable them.
- Click the Next button:
- In the next panel,
- Keep the defaults, with all of the Block public access options enabled, so that neither the bucket nor its objects can be made public.
- Click the Next button:
- Review the settings then click the Create bucket button:
- Click the on the bucket name in the S3 console:
- Notice the bucket is currently empty:
Create an IAM Policy
- In the AWS portal, navigate to the IAM service.
- Click the Policies node:
- Click the Create policy button:
- The Visual editor is slow for this; click the JSON tab instead:
- AWS provides an example of the necessary IAM policy here:
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html#iam-policy-ex0
- Copy this text from the AWS documentation:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::examplebucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::examplebucket/*"
    }
  ]
}
- Note that the first statement (s3:ListAllMyBuckets on arn:aws:s3:::*) is the only account-wide grant in this policy: it lets the user see the names of every bucket in the account, which is what allows a client to pick a bucket from a list rather than having to know its name in advance. The other two statements are what actually scope the user to the one bucket, so be careful that they name the right bucket.
- Paste it into a text editor like Visual Studio Code and save it as a .json file (it will be easier to read).
- Search and replace all occurrences of examplebucket with the name of the S3 bucket that was created (in this example cstack-bes-hadroncloud). Note that this is not the name of the IAM user but rather the S3 bucket that the IAM user will be granted access to.
- Select all of the text in the text editor and paste it into the JSON text box in the IAM console, replacing any text that was automatically generated, then click the Review policy button:
- In the Create policy panel,
- Set the Name text box to something descriptive (spaces are not allowed)
- Set the Description text box to something that explains what this custom policy is allowing
- Click the Create policy button:
- Notice the custom policy is listed:
Create an IAM User
- Click the Users node:
- Click the Add user button at the top of the console:
- In the Add user panel,
- In the User name field provide some text that indicates what the "service account" will be used for:
- Enable the Programmatic access option
- Disable the AWS Management Console access option as this user will not need access to the AWS console.
- Click the Next: Permissions button:
- Click the Attach existing policies directly tab:
- Tick the check box next to the "Customer managed" policy that was just created, then click the Next: Review button:
- Review the user and policy that will be attached to the user then click the Create user button:
- Click the Download .csv button:
- Store the Access key ID and Secret access key in a secure place such as a password manager (LastPass or similar). These are the credentials used to sign in to AWS programmatically as this IAM user. The secret access key is shown only at creation time and cannot be retrieved from the console later; if it is lost, delete the access key and create a new one.
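The policy steps above amount to taking the AWS example, pointing every Resource at one bucket, and trusting that nothing else was left wide open. The following Python script is an added example (not CentreStack's or AWS's own code) that performs the "examplebucket" substitution from the policy steps for the bucket name used in this article, checks that name against the S3 naming rules mentioned when the bucket was created, and lints the resulting policy for the usual ways a "single bucket" policy ends up broader than intended: wildcard actions, account-wide resources for anything other than s3:ListAllMyBuckets, a statement that names a different bucket, or object-level actions granted on the bucket ARN instead of bucket/* (which fails rather than over-grants, but is still a mistake). The linter rules, the function names and the bucket-name check are this example's own assumptions, not part of the article's procedure.

```python
"""Scoped S3 policy builder and least-privilege linter for a CentreStack service account.

Added example; not CentreStack's or AWS's own code. The bucket name is the one
used in this article. The linter rules below are this example's own assumptions
about what "limited to a single bucket" should mean for this policy.
"""
import copy
import json
import re

BUCKET = "cstack-bes-hadroncloud"  # bucket created earlier in this article

# The AWS example policy quoted in the article, "examplebucket" placeholder intact.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": "arn:aws:s3:::examplebucket"},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject",
                    "s3:GetObjectAcl", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::examplebucket/*"},
    ],
}

# Assumed rule: the only action that may legitimately be granted account-wide.
ACCOUNT_WIDE_OK = {"s3:ListAllMyBuckets"}
# Object-level actions must be granted on "<bucket>/*", not on the bucket ARN itself.
OBJECT_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:GetObject",
                  "s3:GetObjectAcl", "s3:DeleteObject"}
S3_ARN = re.compile(r"^arn:aws:s3:::([^/]+)(/.*)?$")


def valid_bucket_name(name):
    """Subset of the S3 bucket naming rules: 3-63 chars, lowercase letters, digits,
    dots and hyphens, alphanumeric at both ends, no '..', not an IPv4 address."""
    if not 3 <= len(name) <= 63:
        return False
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]*[a-z0-9]", name):
        return False
    if ".." in name or re.fullmatch(r"\d+\.\d+\.\d+\.\d+", name):
        return False
    return True


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_policy(bucket, template=EXAMPLE_POLICY):
    """Return a copy of the template with every 'examplebucket' Resource pointed at
    `bucket`. This is the S3 bucket name, not the IAM user name."""
    if not valid_bucket_name(bucket):
        raise ValueError("invalid S3 bucket name: %r" % bucket)
    policy = copy.deepcopy(template)
    for stmt in policy["Statement"]:
        stmt["Resource"] = [r.replace("examplebucket", bucket)
                            for r in _as_list(stmt["Resource"])]
    return policy


def lint_policy(policy, bucket):
    """Return a list of findings; an empty list means every Allow is scoped to `bucket`."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        where = "statement %d" % i
        for a in actions:
            if "*" in a:
                findings.append("%s: wildcard action %s" % (where, a))
            elif not a.startswith("s3:"):
                findings.append("%s: non-S3 action %s" % (where, a))
        for r in resources:
            m = S3_ARN.match(r)
            if r == "*" or (m and m.group(1) == "*"):
                extra = sorted(set(actions) - ACCOUNT_WIDE_OK)
                if extra:
                    findings.append("%s: account-wide resource %s for %s"
                                    % (where, r, ", ".join(extra)))
                continue
            if not m:
                findings.append("%s: unrecognised resource %s" % (where, r))
                continue
            if m.group(1) != bucket:
                findings.append("%s: grants access to another bucket: %s"
                                % (where, m.group(1)))
            if not m.group(2) and set(actions) & OBJECT_ACTIONS:
                findings.append("%s: object actions on bucket ARN %s (needs /*)"
                                % (where, r))
    return findings


if __name__ == "__main__":
    policy = build_policy(BUCKET)
    print(json.dumps(policy, indent=2))  # paste this into the IAM console JSON tab
    print("findings:", lint_policy(policy, BUCKET))
```

Run it and paste the printed JSON into the JSON tab of the IAM console; for the policy in this article the findings list is empty. Keeping the generated policy in version control alongside this script also gives you a record of exactly what the service account was granted, which is handy when a second tenant bucket is added and the policy is cloned.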
Configure the Tenant Backend Storage in CentreStack
- Sign into the CentreStack console as the cluster admin.
- The tenant backend storage can be configured either when the tenant is created, or the backend storage can be migrated from the CentreStack server's local disk after the tenant has been created with default settings. This article demonstrates the latter, but the basic configuration of the IAM user credentials (Access Key and Secret Key) is very similar in both cases.
- In the Dashboard for the cluster admin, click on the tenant whose backend storage will be moved to the S3 bucket then click on the ellipsis icon in the Backend Storage section in the lower right corner of the page, then click on the Migrate to new storage option:
- Enable the Use Cloud Storage as enterprise storage option then click the drop down and select Amazon S3 then click the Continue button
- Paste in the Access Key ID and Secret Access Key from the .csv file that was downloaded from the AWS IAM console. CentreStack will then authenticate to AWS as the IAM user that was created specifically for this bucket. Leave the Enable Inplace Versioning option enabled, then click the Continue button at the bottom of the page:
- Note that in this panel the Create New Bucket box is a drop-down control, because the UI allows you either to create a new S3 bucket or to select an existing one. In this case we select the existing bucket, so click the drop-down:
- Once the existing S3 bucket is selected from the drop-down the UI will change to reflect the selection, then click the Finish button at the bottom of the page:
- The defaults are most likely sufficient. Click the Continue button to perform the migration:
- The migrate task will be displayed:
- If a large amount of data is being migrated this process could take some time. Click the Refresh button to update the current status. When the task is complete, there will be a green check mark displayed:
- Click the Download log file button:
- View the log in a text editor:
[info]Started:3/21/2018 11:03:26 AM
[info]Finished:3/21/2018 11:03:27 AM
- Once you are confident the task is complete, delete the task by clicking the X button:
- If you view the S3 bucket in the AWS portal you will see that it is no longer empty.
- A process similar to this could be used to create a CentreStack Team Folder that points to an AWS S3 bucket.