Amazon Web Services Simple Storage Service (AWS S3) Volumes

This page contains information on configuring a volume that is associated with an S3 bucket in Amazon Web Services' (AWS) cloud storage.

Cavatica authentication and authorization

Cavatica provides the option of connecting your Amazon Web Services S3 bucket (volume) to be able to read and write files to and from Cavatica. After connection is established, your S3 bucket (volume) behaves like your external storage for Cavatica. Authentication of Cavatica is done through AWS Identity and Access Management (IAM) services and you can choose between two authentication options, IAM user or IAM role which will be explained in detail on this page. Authorization of Cavatica, which defines the actions that can be done on your volume, is defined in a custom IAM policy that is attached to an IAM user or IAM role.

About AWS IAM roles

An IAM role is an entity, similar to an IAM user, that represents an AWS identity for which you set permission policies defining what the identities associated with the role can and cannot do with your AWS resources. For connecting Cavatica with your S3 bucket, we recommend creating a role only for that purpose. A role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides temporary security credentials for your role session. Cavatica automatically renews these IAM role temporary credentials, so authorized Cavatica users can use the volume without interruption.

We also use an IAM Role on our side to assume the user’s role when a connection with a volume is requested. The Cavatica role can be assumed only by volume services that are necessary for connecting with the user's S3 bucket.

Prerequisites for connecting an S3 bucket to Cavatica

Procedure:

  1. Create a custom IAM policy
  2. Set up an IAM role

Create a custom IAM policy

For the IAM role authentication method, a policy should be generated and attached to the role in order to define permissions that Cavatica will have when connecting with your AWS S3 bucket (volume). So, the first step is to create a custom IAM policy that you will attach to your IAM role later on. To create the policy, follow these steps:

  1. Go to the AWS Management Console.
  2. In the top menu select Services and then choose IAM.
  3. In the left navigation menu select Policies.
  4. Click Create policy and select the JSON tab.
  5. Copy and paste the following custom policy, taking into account the following:
    • Make sure to select the right policy depending on whether you're mounting the volume in Read-only or Read-write mode.
    • Make sure to replace <BUCKET_NAME> in the policy with the name of your S3 bucket.
    • Either replace <ROOT> with the subdirectory in the bucket to which you want to restrict access when browsing the mounted volume from Cavatica, or simply exclude the <ROOT> parameter and set Resource in the policy to arn:aws:s3:::<BUCKET_NAME> if you want to make the entire content of the bucket available.
    • If you are using multiple project locations, make sure that all regions where your analyses will be run are included within your Read-write IAM policy.
Read-only policy (for volumes mounted in Read-only mode):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GrantReadOnBuckets",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>"
            ]
        },
        {
            "Sid": "GrantReadOnObjects",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>/<ROOT>/*"
            ]
        }
    ]
}
Read-write policy (for volumes mounted in Read-write mode):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GrantReadOnBuckets",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>"
            ]
        },
        {
            "Sid": "GrantReadOnObjects",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>/<ROOT>/*"
            ]
        },
        {
            "Sid": "GrantWriteOnObjects",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>/<ROOT>/*"
            ]
        },
        {
            "Sid": "RequestReadOnCopySourceObjects",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::sbg-main/*",
                "arn:aws:s3:::sbg-main-us-west-2/*"
            ]
        }
    ]
}
  6. Click Next: Tags.
  7. (Optional) Add tags that will help you identify the policy.
  8. Click Next: Review.
  9. Enter a policy name, e.g. sb-access-policy (remember this policy name as you will need to attach it later to your IAM role).
  10. (Optional) Enter the policy description.
  11. Click Create policy to finish the process of policy creation.

The custom IAM policy you have created can be attached to the IAM role you will use to connect your AWS S3 bucket with Cavatica.

Set up an IAM role

Follow these steps to create an AWS IAM role that you will use to connect an S3 bucket (volume) to Cavatica:

  1. Log in to the AWS Management Console.
  2. In the top menu select Services and then choose IAM.
  3. In the left navigation menu select Roles, and then choose Create role.
  4. In the Select type of trusted entity section, choose Another AWS account.
  5. Enter the following values:
    • Account ID: 151136852077
    • Check Require External ID and enter at least 6 characters (strongly recommended).
  6. Click Next: Permissions.
  7. Use the search bar to find and select the policy you created earlier (e.g. sb-access-policy)
  8. Click Next: Tags.
  9. (Optional) Add tags to the role. These are key-value pairs that contain additional information about the IAM role and are not necessary for the process of attaching a volume to Cavatica.
  10. Click Next: Review.
  11. Enter the role name and its optional description.
  12. Click Create role to complete the process of role creation. The list of all available roles opens.
  13. Click the name of your newly created role to see the necessary details.
  14. Under the Trust relationships tab, click Edit trust relationship and replace the Policy Document with the policy shown below. Make sure to select the right policy depending on whether you have set an External ID in step 5 above. If you have configured an External ID, make sure to use its value instead of the <EXTERNAL_ID> placeholder in the policy below.
Trust policy with an External ID configured:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::151136852077:role/volume-connection"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {
                "sts:ExternalId": "<EXTERNAL_ID>"
            }
        }
    }
}
Trust policy without an External ID:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::151136852077:role/volume-connection"
        },
        "Action": "sts:AssumeRole"
    }
}
  15. Click Update Trust Policy to save the update.

If you followed all the steps described above you are ready now to connect your S3 bucket as a volume to Cavatica using the newly created IAM role. The credentials you will need are:

  • Role ARN - click the name of your role in the list of all roles and copy Role ARN.
  • External ID - click the Trust relationships tab. In the Conditions section, this is the value of the sts:ExternalId key.

External ID is an additional security parameter that will be used to authenticate Cavatica when accessing your AWS bucket. This parameter is not mandatory but is highly recommended.
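Before pasting the two policy documents into the console, it is worth checking them against the form this page recommends. The following Python is an added example, not Cavatica's code; it assumes only the Cavatica role ARN and the two copy-source buckets exactly as shown on this page, and it flags a trust policy that lacks the sts:ExternalId condition or trusts anything other than the volume-connection role, and a permissions policy that still contains placeholders or grants access outside <BUCKET_NAME>/<ROOT>.

```python
import json

# From the page: Cavatica's role that assumes yours, and the two copy-source buckets
# the Read-write policy grants s3:GetObject on. Everything else is an added helper.
CAVATICA_ROLE_ARN = "arn:aws:iam::151136852077:role/volume-connection"
COPY_SOURCE_BUCKETS = ("sbg-main", "sbg-main-us-west-2")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _load(doc):
    return json.loads(doc) if isinstance(doc, str) else doc


def audit_trust_policy(doc, min_external_id_len=6):
    """Findings for a role trust policy; [] means it matches the recommended form
    (only the Cavatica role may assume it, and only with the agreed External ID)."""
    findings = []
    for s in _as_list(_load(doc).get("Statement", [])):
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action")):
            continue
        principal = s.get("Principal", {}).get("AWS")
        if principal != CAVATICA_ROLE_ARN:
            findings.append(f"principal {principal!r} is not the Cavatica volume-connection role")
        ext = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("no sts:ExternalId condition: the External ID check is missing")
        elif len(ext) < min_external_id_len:
            findings.append(f"External ID shorter than {min_external_id_len} characters")
    return findings


def audit_permissions_policy(doc, bucket, root=None):
    """Findings for the custom IAM policy: every Allow must stay inside <BUCKET_NAME>/<ROOT>
    (plus read-only access to the copy-source buckets) and no placeholder may remain.
    root=None means the whole bucket (arn:aws:s3:::<BUCKET_NAME>/*) is in scope."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects = bucket_arn + "/" + (f"{root}/" if root else "") + "*"
    copy_sources = {f"arn:aws:s3:::{b}/*" for b in COPY_SOURCE_BUCKETS}
    findings = []
    for s in _as_list(_load(doc).get("Statement", [])):
        if s.get("Effect") != "Allow":
            continue
        read_only = _as_list(s.get("Action")) == ["s3:GetObject"]
        for res in _as_list(s.get("Resource", [])):
            if "<" in res or ">" in res:
                findings.append(f"{s.get('Sid')}: placeholder left in {res!r}")
            elif res not in (bucket_arn, objects) and not (read_only and res in copy_sources):
                findings.append(f"{s.get('Sid')}: resource {res!r} is outside {objects}")
    return findings
```

Both functions accept either the parsed dictionary or the raw JSON text copied from the console; an empty list means the document matches the form shown on this page.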

Additional configuration

The IAM policy is usually sufficient to permit Cavatica to access your S3 bucket. In certain situations, however, it may be necessary to set up additional configuration on the bucket itself. Read how to do this by enabling cross-origin resource sharing (CORS).

Next steps

After you have completed all prerequisites, you can attach your volume to Cavatica through the visual interface or the API.