Setting up a S3 Bucket

Nathan Watson edited this page Jun 9, 2017 · 59 revisions

Summary

In Pulsar, when a user uploads a given file, whether that be a protocol document or an image, the file will either be stored directly in the database, or in an AWS S3 bucket. Currently, only images associated with cloning_vectors are uploaded into S3. However, protocol documents may make their way into S3 soon instead of the database, and other object types that require the user to upload static assets may end up being stored in the same S3 bucket. Thus, you must have an S3 bucket configured to be able to use Pulsar.

Objectives:

1. Create an Amazon IAM root user  
2. Create an S3 bucket  
3. Configure your bucket  

Create AWS IAM Users

AWS recommends creating Identity and Access Management (IAM) users for managing access to AWS resources. This is more secure than handing your AWS account credentials directly to clients, because you can specify in fine detail the privileges each IAM user is to possess. Pulsar will use the AWS Access Key ID and AWS Secret Access Key of an IAM user to both upload files to and read files from your dedicated S3 bucket.

Create an IAM admin group and IAM user with administrative privileges

Log into your AWS account and create an IAM user for yourself to use when working in the AWS Management Console, and give this user administrative privileges. You'll use this admin IAM user to create other IAM users (e.g. one for Pulsar to use), create an S3 bucket, and set user and bucket policies. You should create a group (e.g. "Admins") and add this new user to the group. Using a group is convenient here because other admins may need to be added to it (now or in the future), and you can attach an administrative policy to the group, which each user in the group will inherit.

Once you have an admins group with your admin IAM user in it, attach the AdministratorAccess policy to the group, if you have not done so yet, using the instructions here. Next, you'll need to log out and then log back in with your admin IAM user account. Before logging out, select the "Dashboard" link in the left navbar of the AWS Management Console. Copy the IAM user sign-in link underneath where it says "IAM users sign-in link:". Now you can sign out, point your web browser to the copied URL, and sign in with your admin IAM user credentials. Detailed instructions are at http://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html.

Create an IAM User for Pulsar

While signed into the AWS IAM Console as the admin IAM user you created in the section above, create a new user that Pulsar can use to access the S3 bucket that you'll create later. Name that user as you see fit. Here that user will be referred to as pulsar.

Create AWS S3 Bucket

While signed into the AWS IAM Console as the admin IAM user, follow these instructions to create an S3 bucket. When selecting the "Region", you should choose the same region that Pulsar is deployed in or will be deployed in (if deployed also on AWS). Name it something meaningful, e.g. pulsar-assets.

Attach a bucket policy

Now you'll configure the bucket you just created to accept read and write actions carried out by the specified IAM User you created for Pulsar. Click on the bucket you just created, select the "Permissions" tab, select the "Bucket Policy" tab, then paste in the following bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::167194893449:user/pulsarencode"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::pulsar-encode-assets"
        },
        {
            "Sid": "object",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::167194893449:user/pulsar"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::pulsar-assets/*"
        }
    ]
}

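You'll need to make a few updates here. The Amazon Resource Names (ARNs) highlighted in yellow, that is, the values of "Principal" and "Resource", need to be updated to reflect what they are for your resources. Both statements should name the IAM user you created for Pulsar and the bucket you just created (with /* appended in the "object" statement).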
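A quick way to confirm that every ARN was updated before pasting the policy into the console is to lint it against the user and bucket you expect. The following is an added example, not part of Pulsar or the original page; the function name `lint_bucket_policy`, the account ID 111122223333 and the sample policy are constructed for illustration.

```python
import json

# Actions that apply to the bucket itself; the others in this policy are object-level.
BUCKET_ACTIONS = {"s3:GetBucketLocation", "s3:ListBucket"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_bucket_policy(policy, user_arn, bucket):
    """Return findings; an empty list means every statement names only
    the expected IAM user and the expected bucket."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        # Principal is {"AWS": arn-or-list}, another dict form, or a bare string such as "*".
        if isinstance(principal, dict):
            principal = principal.get("AWS", principal)
        for p in as_list(principal):
            if p != user_arn:
                findings.append(f"{sid}: unexpected principal {p}")
        for action in as_list(stmt["Action"]):
            # Bucket-level actions need the bucket ARN, object-level ones need bucket/*.
            want = bucket_arn if action in BUCKET_ACTIONS else bucket_arn + "/*"
            for res in as_list(stmt["Resource"]):
                if res != want:
                    findings.append(f"{sid}: {action} on {res}, expected {want}")
    return findings

# Constructed sample: the "bucket" statement still carries ARNs that were not updated.
SAMPLE = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "bucket", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:user/pulsarencode"},
   "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
   "Resource": "arn:aws:s3:::pulsar-encode-assets"},
  {"Sid": "object", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:user/pulsar"},
   "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
   "Resource": "arn:aws:s3:::pulsar-assets/*"}
]}
""")

if __name__ == "__main__":
    for finding in lint_bucket_policy(
            SAMPLE, "arn:aws:iam::111122223333:user/pulsar", "pulsar-assets"):
        print(finding)
```

A principal of "*" is reported as well, so the same check catches a policy that would open the bucket to anonymous access.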

CORS configuration