To avoid setting S3 storage credentials in a transfer user's docroot, you can use
your AWS Identity and Access Management (IAM) roles to set docroots to S3
storage.
Prerequisites:
- You launched your IBM Aspera On Demand product or installed HST Server on an Amazon Machine Image (AMI).
- You have an S3 bucket.
- You have permissions to create IAM roles or change the policies of your IAM.
In the following steps, you create an IAM policy and an IAM role that is then
assigned the IAM policy.
- Log into AWS Management Console as admin and create an IAM role that has
  access to your S3 storage.
- Go to Services > IAM > Policies. Click Create Policy.
- Click Select for Create Your Own Policy.
- Create the policy.
  Name the policy: "s3_node_access". Enter the following policy into the Policy
  Document to allow all actions on all S3 resources:
  {
    "Statement": [
      {
        "Sid": "Stmt1360956435483",
        "Action": [
          "s3:*"
        ],
        "Effect": "Allow",
        "Resource": [
          "*"
        ]
      }
    ]
  }
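The policy above grants every S3 action on every bucket and object in the account, so any process on the instance that can reach the instance metadata service inherits that reach. A scoped alternative, added here as an example and not taken from the Aspera documentation, restricts the role to the single bucket the docroot points at (the bucket name my_bucket matches the placeholder used in the asconfigurator command; the list of actions is an assumption about what the Aspera node needs and may require adjustment):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AsperaBucketListing",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::my_bucket"
    },
    {
      "Sid": "AsperaObjectAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::my_bucket/*"
    }
  ]
}
```

Replace my_bucket with your bucket name; if a transfer fails with an access error, add the specific missing s3: action to the matching statement rather than returning to "s3:*" on "*".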
- Click Create Policy.
- Go to Services > IAM > Roles. Click Create New Role.
- Enter "s3_access" and click Next Step.
- On the Select Role Type panel, choose AWS Service Roles, and click Select for
  the Amazon EC2 role type.
- Select the "s3_node_access" policy. Click Next Step. Then click Create Role.
- Launch an AMI using the IAM role that has access to S3 storage.
- Set the transfer user's docroot.
  Connect to your server through SSH, elevate to the root user, and set the S3
  docroot by running the following commands:
  # ssh -i identity_file -p 33001 ec2-user@ec2_host_ip
  # sudo su -
  # asconfigurator -x "set_user_data;user_name,xfer;absolute,s3://s3.amazonaws.com/my_bucket/"
- Restart the Aspera NodeD service.
  # systemctl restart asperanoded
- Test your configuration.