S3 Disk Group configuration

Steve_Warner
Star Contributor

Hi all, I've managed to work through setting up an S3 Disk Group in EP3 using AWS. However, the only way I've been able to make it work is by giving full access S3 permissions to the "user" that is making the interaction. Obviously I don't want to use full access permissions so I am looking to pare the permissions down to a reasonable level.  When setting up the disk group the permissions are listed in Config but I've found many do not match the permissions in AWS. Has anyone successfully configured this without giving full access permissions? I created a table that outlines the permissions listed in Config, whether it matches an AWS permission, and possible alternate permissions.

[attached image: table of permissions listed in Config vs. matching AWS permissions and possible alternatives]

Thanks!

2 ACCEPTED ANSWERS

AdamShaneHyland
Employee

Hi Steve.

You bring up a good question as this is likely not obvious.  The items which you have listed in your spreadsheet as "Specified Permissions" are referred to as "Actions" for AWS S3 API (link).  These Actions are applied to the user through a user policy (link) where the terminology is referred to as a permission.  If you would like to specify specific AWS S3 Actions to a user, you would do this through a user policy.

Best wishes.


Steve_Warner
Star Contributor

Thanks to Adam Shane for providing direction in previous post. I'm going to add on here so future searchers don't have to read through our conversation.

I've outlined the steps to configure an S3 disk group using Amazon S3 (note this is not necessarily a strict guide, just the outline of steps as I've worked through them)

General steps

AWS

  • Create S3 bucket
    • Each bucket will correspond to an OnBase disk group
  • Create two policies - one will be used during initial setup the other will be used ongoing. I refer to these as Admin and Ongoing
    • I chose to create two policies. Could also use the Amazon managed AmazonS3FullAccess policy during initial setup
  • Create AWS user (programmatic access)
    • Save credentials - do not lose these and do not store them where someone can get to them
  • Attach appropriate Admin or AmazonS3FullAccess Policy

OnBase

  • Configure Provider Settings
    • Provider URL will be the S3 region. For example: https://s3.us-east-2.amazonaws.com/
    • Enter Access Key and Secret key obtained when creating AWS user
    • S3 Provider Type: Moderate Compatibility
  • Create S3 Disk Group as needed
    • Select previously created Provider - appears can also create Provider during S3 Disk Group creation - I did these steps separately
    • Select Bucket

 

Once configured and tested, take away excess privileges by utilizing the Ongoing policy

 

Admin Policy - used during initial setup/configuration of disk group(s) - JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetEncryptionConfiguration",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::<your s3 bucket name here>",
        "arn:aws:s3:::<your s3 bucket name here>/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}

 

Ongoing Policy - used for ongoing usage - JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetEncryptionConfiguration",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::<your s3 bucket name here>",
        "arn:aws:s3:::<your s3 bucket name here>/*"
      ]
    }
  ]
}

 

For clarity: under Resource the <your s3 bucket name here> would look something like onbase-ep3-diskgroup

- no angles 🙂

 

Hope this helps someone.

 

Steve


5 REPLIES


Hi Adam,

Thank you for the information, the links did finally lead me to what I was after. To say this is not obvious is quite the understatement 🙂 and I hope some documentation is produced at some point that outlines the steps. Here is what I've determined by researching the links you provided:

I've updated my table to show what permissions need to be in the policy that is assigned to the user:

[attached image: updated table of permissions required in the policy assigned to the user]

You will notice I have the "ListBuckets" action listed twice, which brings me to another question. In testing I could not create the disk group in Config unless the user had the s3:ListAllMyBuckets permission. However, after I set up the disk group I could remove that permission, use just s3:ListBucket and still submit/retrieve documents. While I think this is preferred from a security standpoint, with only the s3:ListBucket permission I cannot even view the S3 disk group settings in Config (Error 403 Forbidden), so this would be annoying in a situation where the OnBase admin and the AWS admin are not the same person. What do you think would be best practice: provide the additional permissions or lock it down despite the annoyance? IMHO security is always preferred over convenience, but I wanted to get your take on it.

Thanks,

Steve

Hi Steve.

Thanks for the feedback.  You are correct that it is not obvious, and I have brought this up with the Product Owners to see if we can provide better documentation on the needed permissions.

To your additional question, I would say that locking it down is better in this case.

Best wishes.
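The two-policy approach in Steve's summary, and the s3:ListAllMyBuckets vs. s3:ListBucket trade-off discussed in the replies, checked offline in Python. This is an added example and not code from the thread, from Hyland or from OnBase: it embeds constructed copies of the Admin and Ongoing policies with the hypothetical bucket name onbase-ep3-diskgroup, reports which actions the Ongoing policy drops, flags any statement that still grants a Resource of "*" (account-wide bucket enumeration is the only such grant in the Admin policy), and runs a simplified IAM evaluation (explicit deny, then allow, else implicit deny) that reproduces why Config gets a 403 listing buckets once s3:ListAllMyBuckets is removed while per-bucket object access keeps working.

```python
"""Offline checks on the setup-time (Admin) and Ongoing IAM policies for an OnBase S3 disk group."""
import fnmatch
from typing import Any

# Assumption: bucket name taken from the example given in the thread.
BUCKET = "onbase-ep3-diskgroup"

# Constructed copies of the two policies posted in the thread, bucket name filled in.
ADMIN_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject", "s3:GetObject", "s3:GetEncryptionConfiguration",
                "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload", "s3:DeleteObject",
            ],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        },
        {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    ],
}

ONGOING_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject", "s3:GetObject", "s3:GetEncryptionConfiguration",
                "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload",
                "s3:ListBucket", "s3:DeleteObject",
            ],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        }
    ],
}


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def actions_granted(policy: dict) -> set[str]:
    """Every action named in an Allow statement, regardless of resource."""
    return {
        action
        for st in policy["Statement"]
        if st["Effect"] == "Allow"
        for action in _as_list(st.get("Action", []))
    }


def setup_only_actions(admin: dict, ongoing: dict) -> set[str]:
    """Actions granted during setup that the ongoing policy removes."""
    return actions_granted(admin) - actions_granted(ongoing)


def wildcard_resource_grants(policy: dict) -> list[tuple[str, list[str]]]:
    """(Sid, actions) for each Allow statement whose Resource includes the account-wide '*'."""
    return [
        (st.get("Sid", ""), _as_list(st["Action"]))
        for st in policy["Statement"]
        if st["Effect"] == "Allow" and "*" in _as_list(st.get("Resource", []))
    ]


def allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation of a single identity policy.

    An explicit Deny wins; otherwise any matching Allow grants access; otherwise
    the result is the implicit deny that surfaces as 403 Forbidden. Condition,
    NotAction/NotResource, bucket policies, SCPs and permission boundaries are
    deliberately not modelled.
    """
    decision = False
    for st in policy["Statement"]:
        action_patterns = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in action_patterns):
            continue
        resource_patterns = _as_list(st.get("Resource", []))
        if not any(fnmatch.fnmatchcase(resource, r) for r in resource_patterns):
            continue
        if st["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    print("dropped after setup:", setup_only_actions(ADMIN_POLICY, ONGOING_POLICY))
    print("ongoing '*' grants:", wildcard_resource_grants(ONGOING_POLICY))
    print("ongoing can enumerate buckets:",
          allowed(ONGOING_POLICY, "s3:ListAllMyBuckets", "arn:aws:s3:::*"))
    print("ongoing can read an object:",
          allowed(ONGOING_POLICY, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/docs/1.pdf"))
```

The evaluator is only a sanity check on the two JSON documents; the authoritative answer for a real principal, including bucket policies and organisation SCPs, comes from IAM's own simulator (`aws iam simulate-principal-policy`). The useful output here is the diff: after setup the only grant being removed is the account-wide s3:ListAllMyBuckets on Resource "*", and everything the Ongoing policy keeps is scoped to the one bucket.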
