(AWS) Configure S3 external access

Instructions

Taking this AWS article as a general guide, the steps a user follows to grant Flashback Network external access to an S3 bucket are:

1

Note the bucket ARNs

Go to your S3 console and note the Amazon Resource Name (ARN) of each bucket you want to grant access to. The ARN has the form arn:aws:s3:::bucket-name and is shown in the bucket's "Properties" tab, in the "Bucket overview" section.

2

Create a new IAM Role

Go to the IAM console, open "Roles" and create a new role.

3

Trusted entity type

In Step 1 of the role creation wizard, "Select trusted entity", choose "Custom trust policy".

4

Set custom trust policy

In the custom trust policy section, enter the trust policy below. It names the Flashback Network AWS principal as the only identity allowed to assume the role.

  • The AWS principal must be exactly the string shown below, "arn:aws:iam::314146316322:user/flashback". Do not replace it with a wildcard ("*") or with the whole account ARN, as that would let other identities in that account assume your role.

  • The "Action" must be "sts:AssumeRole".

  • The ExternalId can be any value of your choice as long as it uses valid characters: letters, digits and the symbols _+=,.@:/- (2 to 1224 characters, no spaces). This condition is what prevents a third party from asking Flashback Network to assume your role on their behalf (the "confused deputy" problem), so pick a value that is specific to this integration rather than a generic word.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::314146316322:user/flashback"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "flashback-service-3e1f7bd5"
                }
            }
        }
    ]
}

The value "flashback-service-3e1f7bd5" above is only an example. In the "sts:ExternalId" parameter you can write any ID string you want, but keep a note of it: you will need it when configuring the Storage Bucket in the Platform interface, and the value there must match this one exactly.

5

Permission Policies

In Step 2 of the role creation wizard, "Add permissions", the role needs a custom inline policy. The wizard normally only lists the existing managed policies and offers no option to write an inline one, so leave this step blank and continue; the inline policy is added after the role has been created.

6

Enter role name and description

In the final Step 3, "Name, review, and create", give the role an easily identifiable name and description. Tags are optional.

7

Edit the new role to apply the custom inline policy

After creating the role, edit it to attach the custom inline permission policy:

  • Open the role's "Permissions" tab and, in the "Add permissions" menu, select "Create inline policy".

  • Switch to the JSON editor and paste one of the following documents. Note that "s3:ListBucket" is granted on the bucket ARN itself, while the object actions are granted on the bucket contents (the ARN followed by "/*"); IAM evaluates these as different resources, so both statements are required.

    • If we are granting access to a single bucket called "mybucket1":

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::mybucket1"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::mybucket1/*"
        }
    ]
}
  • If we are granting access to more than one bucket, the "Resource" field becomes an array: the bucket ARNs in the first statement and the bucket contents (arn:aws:s3:::mybucketN/*) in the second. The "..." below stands for the remaining buckets; replace it with one entry per bucket and make sure the last entry in each array has no trailing comma, since the policy editor rejects invalid JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket1",
                "arn:aws:s3:::mybucket2",
                ...
                "arn:aws:s3:::mybucketN"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket1/*",
                "arn:aws:s3:::mybucket2/*",
                ...
                "arn:aws:s3:::mybucketN/*"
            ]
        }
    ]
}

Adapt the delegated role's inline policy to your requirements, keeping it to the minimum the integration needs. For example, if you don't want Flashback Network to delete objects from the bucket, remove the "s3:DeleteObject" action.

The same applies if you want to grant additional actions to the role.

A list of the currently supported S3 actions in Flashback Network

8

Set the maximum session duration to 1 hour

Set the role's maximum session duration to 1 hour by editing the role's Summary properties (the "Edit" button on the right):

Flashback Network nodes renew the external access credentials every hour by default, so a maximum session duration longer than 1 hour has no practical benefit and only widens the window during which a leaked set of temporary credentials would remain valid.

If you require nodes to hold temporary sessions shorter than 1 hour for compliance or other reasons, please contact Flashback Support. One hour is the lowest value the role's maximum session duration setting accepts; shorter sessions (down to 15 minutes) are requested by the caller at AssumeRole time, which is why they have to be configured on the Flashback Network side.
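The following script is an added example and not Flashback Network's own tooling. It builds the trust policy from step 4 and the inline permission policy from step 7 for any number of buckets, writes both as valid JSON (no trailing commas) so they can be fed to the AWS CLI or pasted into the console, and lints a trust policy against the three requirements stated above: the exact Flashback principal, the sts:AssumeRole action, and the presence of an sts:ExternalId condition. The principal ARN and the sample ExternalId are the ones shown on this page; the bucket names and the output file names are placeholders.

```python
"""Generate and sanity-check the IAM documents used on this page.

Added example, not code from Flashback Network. The principal ARN and the
sample ExternalId come from the page; bucket and file names are placeholders.
"""
import json
import re

# Principal the page instructs you to trust, copied exactly from the page.
FLASHBACK_PRINCIPAL = "arn:aws:iam::314146316322:user/flashback"

# Character set and length AWS accepts for sts:ExternalId (no spaces).
EXTERNAL_ID_RE = re.compile(r"[A-Za-z0-9_+=,.@:/-]{2,1224}")


def trust_policy(external_id, principal=FLASHBACK_PRINCIPAL):
    """Trust policy for step 4: only `principal` may assume the role, and only
    when it presents `external_id` (confused-deputy protection)."""
    if not EXTERNAL_ID_RE.fullmatch(external_id):
        raise ValueError("ExternalId must be 2-1224 chars from [A-Za-z0-9_+=,.@:/-]")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def bucket_policy(buckets, allow_delete=True):
    """Inline permission policy for step 7, generalised to N buckets.
    ListBucket goes on the bucket ARNs; object actions on <bucket>/*."""
    if not buckets:
        raise ValueError("at least one bucket is required")
    object_actions = ["s3:GetObject", "s3:PutObject"]
    if allow_delete:
        object_actions.append("s3:DeleteObject")
    bucket_arns = [f"arn:aws:s3:::{b}" for b in buckets]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": bucket_arns},
            {"Effect": "Allow", "Action": object_actions,
             "Resource": [f"{arn}/*" for arn in bucket_arns]},
        ],
    }


def check_trust_policy(doc, principal=FLASHBACK_PRINCIPAL):
    """Return a list of problems (empty means the document matches what this
    page requires). Run it on the JSON you are about to paste into the console."""
    problems = []
    allow = [s for s in doc.get("Statement", []) if s.get("Effect") == "Allow"]
    if not allow:
        problems.append("no Allow statement")
    for st in allow:
        p = st.get("Principal")
        aws = p.get("AWS") if isinstance(p, dict) else p
        if aws == "*":
            problems.append("Principal is a wildcard: any AWS identity could assume the role")
        elif aws != principal:
            problems.append(f"Principal is {aws!r}, expected {principal!r}")
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if actions != ["sts:AssumeRole"]:
            problems.append('Action is not exactly "sts:AssumeRole"')
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            problems.append("no sts:ExternalId condition: role is open to confused-deputy use")
    return problems


if __name__ == "__main__":
    external_id = "flashback-service-3e1f7bd5"  # the page's sample value; choose your own
    tp = trust_policy(external_id)
    pp = bucket_policy(["mybucket1", "mybucket2"], allow_delete=False)  # placeholder buckets
    assert check_trust_policy(tp) == []
    with open("trust.json", "w") as f:       # placeholder file names
        json.dump(tp, f, indent=4)
    with open("s3-access.json", "w") as f:
        json.dump(pp, f, indent=4)
    print(json.dumps(pp, indent=4))
```

With the two files written, the console steps 2 to 8 collapse into two CLI calls: aws iam create-role --role-name <name> --assume-role-policy-document file://trust.json --max-session-duration 3600, followed by aws iam put-role-policy --role-name <name> --policy-name <policy-name> --policy-document file://s3-access.json. The lint rejects the two mistakes most likely to creep in while editing by hand: a wildcard principal, and a trust policy that lost its ExternalId condition.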
