Enabling S3 Storage Using IAM Roles

Aspera On Demand can use S3 storage for a node transfer user by specifying the storage in the user docroot. Use this user to transfer files to and from your S3 storage. To avoid specifying S3 storage credentials in a docroot, you can use your AWS Identity and Access Management (IAM) roles to set docroots to S3 storage.

The steps below assume the following:

Create a policy for your IAM role.

  1. Log into AWS Management Console as admin and create a new IAM role that has access to your S3 storage.
  2. Go to Services > IAM > Policies. Click Create Policy.
  3. Click Select for Create Your Own Policy.
  4. Name the policy: "s3_node_access". Enter the following policy into the Policy Document to allow all actions on all S3 resources.
    {
      "Statement": [
        {
          "Sid": "Stmt1360956435483",
          "Action": [
            "s3:*"
          ],
          "Effect": "Allow",
          "Resource": [
            "*"
          ]
        }
      ]
    }
  5. Click Create Policy.

Create your IAM role.

  1. Go to Services > IAM > Roles. Click Create New Role.
  2. Enter "s3_access" and click Next Step.
  3. On the Select Role Type panel, choose AWS Service Roles, and click Select for the Amazon EC2 role type.
  4. Select the "s3_node_access" policy. Click Next Step. Then click Create Role.
  5. Launch an AMI using the IAM role that has access to S3 storage.
  6. Connect to your server through SSH, elevate to the root user, and set the S3 docroot using the asconfigurator tool.
    # ssh -i identity_file -p 33001 ec2-user@ec2_host_ip
    # sudo su -
    # asconfigurator -x "set_user_data;user_name,xfer;absolute,S3://s3.amazonaws.com/s3-bucket-name
  7. Restart the Aspera NodeD service.
    # service asperanoded restart
  8. Test your configuration. Perform a test transfer using an Aspera client to the account configured with the S3 docroot. For information on starting a transfer, see Ascp Transfers to Cloud Storage.