Creating the Custom S3 Access IAM Policy
AWS Identity & Access Management (IAM) manages credentials for the ATC Manager and its nodes by assigning IAM roles to them when they are launched. Attaching policies to these roles grant the associated instances permissions such as starting, stopping, and terminating instances in EC2, updating records in the Route 53 service,or associating IAM roles with a new instance.
IAM Roles are also used to provide ATC Manager access to your S3 buckets. If you are not using S3 cloud storage with Cluster Manager, you can skip these instructions. For more information about accessing S3 cloud storage with the Cluster Manager, see Access Key Overview.
Permission | Required for upload? | Required for download? | Required for browse or delete? |
---|---|---|---|
s3:AbortMultipartUpload | X | Browse & Delete | |
s3:DeleteObject | X | Browse & Delete | |
s3:GetBucketLocation | X | X | |
s3:GetObject | X | ||
s3:ListBucket | X | X | Browse |
s3:ListBucketMultipartUploads | X | X | Browse |
s3:ListMultipartUploadParts | X | Browser & Delete | |
s3:PutObject | X |
Aspera recommends attaching the S3 Access IAM policy to an S3 Access Key Management IAM Role (see Creating an IAM Role for S3 Access In the Same AWS Account).
If you want to allow access to all of your S3 buckets, you can use the built in policy, AmazonS3FullAccess, instead of creating a custom policy. Otherwise, follow the instructions below to create the S3 Access IAM policy.