Setup guide
  • 26 Aug 2024

Article summary

This article describes the steps a Provider follows to grant Bobsled access to an Amazon S3 bucket that will be used as a source in Bobsled.


Prerequisites

To configure Bobsled access to the bucket, your account must have sufficient permissions to create policies and assign roles in Amazon Web Services (AWS).


Setup instructions

Bobsled has created a CloudFormation template that can be used to quickly create the role and trust policy required below. This saves you from creating the policies manually and makes sure they are correctly configured. You can either:

  • Use the Bobsled quick start AWS CloudFormation template, or

  • Create the IAM policies and roles manually.

Option 1: Quick start with AWS CloudFormation template

The Path parameter is optional. If you want to limit Bobsled's access to a specific path, fill in the Path parameter in the stack without leading or trailing slashes. If you want Bobsled to access the full bucket, leave this parameter empty.

Click Quick create stack ↗ in the AWS Console to get started. This link lets you quickly configure and create the permissions required for Bobsled.

Alternatively, you can run the stack creation from the AWS CLI using the command below.

  aws cloudformation create-stack \
    --stack-name BobsledS3BucketSourceAccessSetup \
    --template-url https://bobsled-cloud-formation-templates.s3.us-east-2.amazonaws.com/S3BucketSourceSetup.yaml \
    --parameters ParameterKey=BucketName,ParameterValue=your-bucket-name \
                 ParameterKey=BobsledReadAccessRoleArn,ParameterValue=bobsled-role-from-app \
                 ParameterKey=BobsledReadExternalId,ParameterValue=bobsled-external-id-from-app \
                 ParameterKey=RoleName,ParameterValue=BobsledAccessRole \
                 ParameterKey=TrustPolicyName,ParameterValue=BobsledTrustPolicy \
                 ParameterKey=Path,ParameterValue=optional-path \
    --region us-east-2 \
    --capabilities CAPABILITY_NAMED_IAM

To configure your Amazon S3 Source in the Bobsled app (the last step of this guide), you will need the ARN of the role created by the stack.

You can retrieve it with the following CLI command. Make sure the stack name matches the one you used.

  aws cloudformation describe-stacks --stack-name BobsledS3BucketSourceAccessSetup

Alternatively, you can find the role ARN in the outputs of the stack in the CloudFormation console ↗. To review the policy and role the stack creates, open the stack template (.yaml) ↗.


Option 2: Grant access to your bucket

Step 1: Create an IAM Policy

  1. Log in to the AWS Management Console;

  2. From the ‘Services’ dropdown, select IAM under the ‘Security, Identity & Compliance’ section;

  3. Click Account Settings on the left-hand panel;

  4. Expand the ‘Security Token Service (STS)’ list, find the AWS region where your bucket is located, and choose ‘Activate’ if the status is ‘Inactive’;

  5. Choose Policies ↗ from the left-hand navigation pane;

  6. Click Create Policy;

  7. Click the JSON tab;

  8. Add a JSON policy that allows Bobsled to read from the S3 bucket. The following policies give Bobsled the permissions required to read data from a specified list of entire buckets or from subfolders. Replace the placeholders with your bucket name(s), and pay special attention to the trailing /*: it must be present on the object-level statement (s3:GetObject) but not on the bucket-level statement (s3:ListBucket);

    1. Allow Bobsled to read from an entire bucket;

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:GetObject",
              "s3:GetObjectVersion"
            ],
            "Resource": [
              "arn:aws:s3:::<bucket-name>/*",
              "arn:aws:s3:::<bucket-name>/*"
            ]
          },
          {
            "Effect": "Allow",
            "Action": [
              "s3:ListBucket",
              "s3:GetBucketLocation"
            ],
            "Resource": [
              "arn:aws:s3:::<bucket-name>",
              "arn:aws:s3:::<bucket-name>"
            ]
          }
        ]
      }
    2. Allow Bobsled to read from a subfolder within a bucket. Replace subfolder with your prefix (no leading or trailing slash); the same prefix must appear in the object resource and in the s3:prefix condition so that both object reads and listing are limited to it.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:GetObject",
              "s3:GetObjectVersion"
            ],
            "Resource": [
              "arn:aws:s3:::<bucket-name>/subfolder/*"
            ]
          },
          {
            "Sid": "AllowListingOfSubFolder",
            "Action": [
              "s3:ListBucket",
              "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
              "arn:aws:s3:::<bucket-name>"
            ],
            "Condition": {
              "StringLike": {
                "s3:prefix": [
                  "subfolder/*"
                ]
              }
            }
          }
        ]
      }
  9. Click Next: Tags;

  10. Optionally add tags to the policy to help identify, organize, or search for AWS resources;

  11. Create a policy name (e.g. bobsled_access), and optionally add a description;

  12. Click Create policy.
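The two policies in step 8 are instances of one rule: object reads go against the key pattern (bucket ARN plus a trailing /*), while listing goes against the bare bucket ARN, narrowed with an s3:prefix condition when only a subfolder is shared. The following added example (not Bobsled's code) generalises that rule to any list of buckets and optional prefixes, and lints a finished policy for the trailing-slash mistake the step warns about. Bucket names in it are constructed; it puts s3:GetBucketLocation in its own unconditioned statement because the s3:prefix condition key is only present on ListBucket requests.

```python
import json

# Added example, not Bobsled's code: generates the read-only S3 policy shown in
# step 8 for any list of buckets and optional prefixes, then lints the result
# for the trailing "/*" rule the step calls out. Bucket names below are constructed.

OBJECT_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion"]
BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation"]


def _norm_prefix(prefix):
    """Strip leading/trailing slashes; an empty result means the whole bucket."""
    return prefix.strip("/") if prefix else ""


def build_read_policy(sources):
    """sources: list of (bucket_name, prefix_or_None). Returns the policy as a dict.

    Object reads are granted on "<bucket>/<prefix>/*"; listing is granted on the
    bucket ARN itself (no "/*") and, when a prefix is set, limited with an
    s3:prefix condition. GetBucketLocation gets its own unconditioned statement
    because the s3:prefix key is only present on ListBucket requests.
    """
    object_arns, list_statements, bucket_arns = [], [], []
    for bucket, prefix in sources:
        p = _norm_prefix(prefix)
        bucket_arn = f"arn:aws:s3:::{bucket}"
        object_arns.append(f"{bucket_arn}/{p}/*" if p else f"{bucket_arn}/*")
        list_stmt = {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": bucket_arn}
        if p:
            list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{p}/*"]}}
        list_statements.append(list_stmt)
        if bucket_arn not in bucket_arns:
            bucket_arns.append(bucket_arn)
    statements = [{"Effect": "Allow", "Action": list(OBJECT_ACTIONS), "Resource": object_arns}]
    statements.extend(list_statements)
    statements.append({"Effect": "Allow", "Action": ["s3:GetBucketLocation"], "Resource": bucket_arns})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def lint_read_policy(policy):
    """Return a list of problems; an empty list means the policy follows the rules."""
    problems = []
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        for res in _as_list(stmt["Resource"]):
            path = res.split(":::", 1)[-1]            # "<bucket>/<key pattern>"
            if "*" in path.split("/", 1)[0]:
                problems.append(f"{res}: bucket name must not be a wildcard")
            for act in actions:
                if act in OBJECT_ACTIONS and not res.endswith("/*"):
                    problems.append(f"{act} on {res}: object resource must end with '/*'")
                if act in BUCKET_ACTIONS and "/" in path:
                    problems.append(f"{act} on {res}: bucket resource must not contain a path")
    return problems


if __name__ == "__main__":
    # Constructed sample: one whole bucket and one prefix inside a second bucket.
    policy = build_read_policy([("data-bucket", None), ("archive-bucket", "/exports/2024/")])
    print(json.dumps(policy, indent=2))
    print("problems:", lint_read_policy(policy))
```

Paste the printed JSON into the policy editor in place of the examples above; running the lint over a hand-written policy before saving catches a bucket ARN that was given a path or an object ARN that lost its /*.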

Step 2: Create an IAM Role

  1. Log in to the AWS Management Console;

  2. From the ‘Services’ dropdown, select IAM under the ‘Security, Identity & Compliance’ header;

  3. Click Roles on the left-hand panel;

  4. Click the Create role button;

  5. Under ‘Trusted entity type’, select Custom trust policy;

  6. Set the trust policy using the following JSON:

    • Replace the <awsBobsledReadArn> and <awsBobsledReadExternalId> in the JSON below with the values found in the Bobsled application. These values can be found by visiting Data Sources > Add Source > select Amazon S3.

      Setting up an Amazon S3 source in the Bobsled Application

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": "<awsBobsledReadArn>"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": {
                "sts:ExternalId": "<awsBobsledReadExternalId>"
              }
            }
          }
        ]
      }


  7. Click the Next button;

  8. Find the policy you created in the previous section, and select this policy;

  9. Click the Next button;

  10. Enter a name and description for the role, and click the Create role button;

  11. Record the Role ARN value located on the role summary page. You will use the Role ARN to configure your source in Bobsled.
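The trust policy in step 6 does two things that are worth checking before you save the role: it names exactly one AWS principal (Bobsled's read ARN) and it requires the external ID on every sts:AssumeRole call, which is what stops a third party who knows your role ARN from having Bobsled assume it on their behalf. The following added example (not Bobsled's code) builds the trust policy from the two values and lints a trust policy for those two controls; the ARN and external ID in it are constructed placeholders, not the values from the Bobsled application.

```python
# Added example, not Bobsled's code: builds the custom trust policy from Step 2
# and checks the two controls it relies on, namely that only the expected
# principal may assume the role and that an sts:ExternalId condition is present.
# The ARN and external ID used when run are constructed placeholders.


def build_trust_policy(bobsled_read_arn, external_id):
    """Return the trust policy for the <awsBobsledReadArn> / <awsBobsledReadExternalId> pair."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": bobsled_read_arn},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def lint_trust_policy(policy, expected_principal):
    """Return problems found in Allow statements that grant sts:AssumeRole (empty list = OK)."""
    problems = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        aws_list = _as_list(aws)
        if "*" in aws_list:
            problems.append("wildcard principal may assume the role")
        unexpected = [a for a in aws_list if a not in ("*", expected_principal)]
        if unexpected:
            problems.append(f"unexpected principals: {unexpected}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            problems.append("missing sts:ExternalId condition")
    return problems


if __name__ == "__main__":
    # Constructed placeholders; take the real values from Data Sources > Add Source > Amazon S3.
    arn = "arn:aws:iam::111122223333:role/bobsled-read-placeholder"
    policy = build_trust_policy(arn, "placeholder-external-id")
    print(policy)
    print("problems:", lint_trust_policy(policy, arn))
```

Run the lint against the trust policy as it appears on the role's Trust relationships tab after saving; a wildcard principal or a missing external ID condition is the kind of edit that can slip in later without changing what the role is allowed to do.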


Step 3: For KMS Encrypted Buckets Only

Grant Bobsled Role Access to Encryption Keys:

  1. Navigate to the S3 bucket and click on Properties > Default encryption section.

  2. Click the link for the Encryption key ARN

  3. Copy the Encryption Key ARN and note it separately.

  4. Click Edit to edit the policy

    1. Add the following two statements to the "Statement" array of your key policy, replacing <awsBobsledReadArn> with the ARN supplied in the Bobsled UI, and <createdRoleARN> with the ARN of the role you created for Bobsled:

      {
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "<awsBobsledReadArn>"
          ]
        },
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ],
        "Resource": "*"
      },
      {
        "Sid": "Allow attachment of persistent resources",
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "<createdRoleARN>"
          ]
        },
        "Action": [
          "kms:CreateGrant",
          "kms:ListGrants",
          "kms:RevokeGrant"
        ],
        "Resource": "*",
        "Condition": {
          "Bool": {
            "kms:GrantIsForAWSResource": "true"
          }
        }
      }

  5. Navigate to the policy you created in Step 1.

  6. Add the following statement to the policy's "Statement" array, replacing <kms_key_arn> with the ARN of the S3 bucket's KMS key:

      {
        "Effect": "Allow",
        "Action": [
          "kms:Decrypt",
          "kms:Encrypt"
        ],
        "Resource": "<kms_key_arn>"
      }
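Editing a key policy by hand is where two things tend to go wrong: the same statements get pasted in twice on a second attempt, or the statement that lets your own account administer the key gets dropped, and a key policy without one can lock you out of the key. The following added example (not Bobsled's code) merges the two Step 3 statements into an existing key policy document, matching on Sid so that re-running it replaces rather than duplicates them, and refuses to produce a policy in which the account root no longer holds kms:*. The existing policy it starts from is a constructed copy of the default key policy AWS creates for a new key, and all ARNs and account IDs are placeholders.

```python
import json

# Added example, not Bobsled's code: merges the two Step 3 statements into an
# existing KMS key policy. Statements are matched by Sid, so running it again
# replaces rather than duplicates them, and a guard refuses to emit a policy
# that no longer lets the account root administer the key. ARNs are constructed.


def bobsled_key_statements(bobsled_read_arn, created_role_arn):
    """The two statements from Step 3, with the placeholders filled in."""
    return [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": [bobsled_read_arn]},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {"AWS": [created_role_arn]},
            "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        },
    ]


def has_account_admin_statement(policy, account_id):
    """True if some Allow statement grants kms:* to the account root principal."""
    root = f"arn:aws:iam::{account_id}:root"
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else (aws or [])
        actions = stmt.get("Action")
        actions = [actions] if isinstance(actions, str) else (actions or [])
        if stmt.get("Effect") == "Allow" and root in aws and "kms:*" in actions:
            return True
    return False


def merge_key_policy(existing_policy_json, new_statements, account_id):
    """Return the merged policy as a JSON string, replacing statements with the same Sid."""
    policy = json.loads(existing_policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may appear un-listed
        statements = [statements]
    policy["Statement"] = statements
    index_by_sid = {s["Sid"]: i for i, s in enumerate(statements) if "Sid" in s}
    for stmt in new_statements:
        if stmt["Sid"] in index_by_sid:
            statements[index_by_sid[stmt["Sid"]]] = stmt
        else:
            index_by_sid[stmt["Sid"]] = len(statements)
            statements.append(stmt)
    if not has_account_admin_statement(policy, account_id):
        raise ValueError("merged policy no longer grants kms:* to the account root; refusing to emit it")
    return json.dumps(policy, indent=4)


# Constructed sample: the default key policy AWS creates for a new key (placeholder account ID).
EXISTING_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    statements = bobsled_key_statements("<awsBobsledReadArn>", "<createdRoleARN>")
    print(merge_key_policy(EXISTING_KEY_POLICY, statements, "111122223333"))
```

To use it on a real key, paste the current policy from the key's Edit dialog in place of the constructed EXISTING_KEY_POLICY and pass your own account ID; the output is what you paste back. The Sid match means a retry after a failed save is harmless.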


Last step: Finish source configuration in Bobsled

Once you have created the relevant roles and access policies, finish granting Bobsled access via the Bobsled app:

  1. From the menu on the left, select Data Sources.

  2. Click Add Source

  3. Enter a human readable name to describe the source.

  4. Select Amazon S3 and the region of your source bucket.

  5. Click Continue to move to the next step.


  6. Enter the Read-only ARN that you have created in the AWS Console.

  7. Enter the name of the bucket. (Optionally, you may also include the path to the root of your source.)

  8. Click Save.


Once you’ve successfully configured your Source, you can add it to a Share, choose a Destination, and create a transfer to start sharing your data.

