06-29-2020 06:40 AM
Hi all, I've managed to work through setting up an S3 Disk Group in EP3 using AWS. However, the only way I've been able to make it work is by giving full-access S3 permissions to the "user" that is making the interaction. Obviously I don't want to use full-access permissions, so I am looking to pare the permissions down to a reasonable level. When setting up the disk group, the permissions are listed in Config, but I've found many do not match the permissions in AWS. Has anyone successfully configured this without giving full-access permissions? I created a table that outlines the permissions listed in Config, whether each matches an AWS permission, and possible alternate permissions.
Thanks!
07-02-2020 06:40 AM
Hi Steve.
You bring up a good question as this is likely not obvious. The items which you have listed in your spreadsheet as "Specified Permissions" are referred to as "Actions" for AWS S3 API (link). These Actions are applied to the user through a user policy (link) where the terminology is referred to as a permission. If you would like to specify specific AWS S3 Actions to a user, you would do this through a user policy.
Best wishes.
07-13-2020 08:15 AM
Hi Adam,
Thank you for the information, the links did finally lead me to what I was after. To say this is not obvious is quite the understatement 🙂 and I hope some documentation is produced at some point that outlines the steps. Here is what I've determined by researching the links you provided:
I've updated my table to show what permissions need to be in the policy that is assigned to the user:
You will notice I have the "ListBuckets" action listed twice, which brings me to another question. In testing I could not create the disk group in Config unless the user had the s3:ListAllMyBuckets permission. However, after I set up the disk group I could remove that permission, use just s3:ListBucket, and still submit/retrieve documents. While I think this is preferred from a security standpoint, with only the s3:ListBucket permission I cannot even view the S3 disk group settings in Config (Error 403 Forbidden), so this would be annoying in a situation where the OnBase admin and the AWS admin are not the same person. What do you think would be best practice: provide the additional permissions, or lock it down despite the annoyance? IMHO security is always preferred over convenience, but I wanted to get your take on it.
Thanks,
Steve
07-13-2020 10:24 AM
Hi Steve.
Thanks for the feedback. You are correct that it is not obvious, and I have brought this up with the Product Owners to see if we can provide better documentation on the needed permissions.
To your additional question, I would say that locking it down is better in this case.
Best wishes.
07-15-2020 10:50 AM
Thanks to Adam Shane for providing direction in the previous post. I'm going to add on here so future searchers don't have to read through our conversation.
I've outlined the steps to configure an S3 disk group using Amazon S3 (note this is not necessarily a strict guide, just the outline of steps as I've worked through them).
General steps
- AWS
- OnBase
- Once configured and tested, take away excess privileges by utilizing the Ongoing policy
Admin Policy - used during initial setup/configuration of disk group(s) - JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetEncryptionConfiguration",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::<your s3 bucket name here>",
        "arn:aws:s3:::<your s3 bucket name here>/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}
Ongoing Policy - used for ongoing usage - JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetEncryptionConfiguration",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::<your s3 bucket name here>",
        "arn:aws:s3:::<your s3 bucket name here>/*"
      ]
    }
  ]
}
For clarity: under Resource the <your s3 bucket name here> would look something like onbase-ep3-diskgroup - no angles 🙂
Hope this helps someone.
Steve
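Added example (not code from this thread, from Hyland, or from AWS): a small offline linter that reads the two IAM user policies posted above, lists every (action, resource) grant, flags grants that are not limited to the disk-group bucket, and reports what the Ongoing policy drops and adds compared with the Admin policy. It assumes the sample bucket name onbase-ep3-diskgroup from the post; the policy text is the thread's JSON with that name substituted for the placeholder, and nothing else is assumed about the environment.

```python
"""Offline least-privilege check for the Admin and Ongoing S3 disk-group policies.

Added example, not code from the Hyland Connect thread, Hyland, or AWS.
The bucket name is the sample one from the thread; the policies are the
thread's JSON with that name filled in for <your s3 bucket name here>.
"""
import json

BUCKET = "onbase-ep3-diskgroup"  # sample bucket name used in the thread

ADMIN_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor0", "Effect": "Allow",
   "Action": ["s3:PutObject", "s3:GetObject", "s3:GetEncryptionConfiguration",
              "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload",
              "s3:DeleteObject"],
   "Resource": ["arn:aws:s3:::onbase-ep3-diskgroup",
                "arn:aws:s3:::onbase-ep3-diskgroup/*"]},
  {"Sid": "VisualEditor1", "Effect": "Allow",
   "Action": "s3:ListAllMyBuckets", "Resource": "*"}]}
""")

ONGOING_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor0", "Effect": "Allow",
   "Action": ["s3:PutObject", "s3:GetObject", "s3:GetEncryptionConfiguration",
              "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload",
              "s3:ListBucket", "s3:DeleteObject"],
   "Resource": ["arn:aws:s3:::onbase-ep3-diskgroup",
                "arn:aws:s3:::onbase-ep3-diskgroup/*"]}]}
""")


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def grants(policy):
    """Return the set of (action, resource) pairs allowed by the policy."""
    pairs = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                pairs.add((action, resource))
    return pairs


def bucket_scoped(resource, bucket):
    """True when the ARN names exactly this bucket or the objects inside it."""
    return resource in (f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*")


def findings(policy, bucket):
    """Grants a reviewer should look at: wildcard actions and ARNs outside the bucket."""
    issues = []
    for action, resource in sorted(grants(policy)):
        if "*" in action:
            issues.append(f"wildcard action {action}")
        if not bucket_scoped(resource, bucket):
            issues.append(f"{action} on {resource} is not limited to {bucket}")
    return issues


def narrowing(before, after):
    """Grants the 'after' policy drops and adds relative to 'before'."""
    b, a = grants(before), grants(after)
    return {"dropped": sorted(b - a), "added": sorted(a - b)}


if __name__ == "__main__":
    print("Admin policy findings:", findings(ADMIN_POLICY, BUCKET))
    print("Ongoing policy findings:", findings(ONGOING_POLICY, BUCKET))
    print("Admin -> Ongoing:", narrowing(ADMIN_POLICY, ONGOING_POLICY))
```

Run against the two policies, the only finding is s3:ListAllMyBuckets on "*" in the Admin policy. That action is account-level and accepts no resource other than "*", so it cannot be scoped to the bucket; the clean way to handle it is exactly the one the post describes, grant it for setup and drop it once the disk group exists. The Ongoing policy's s3:ListBucket entry on the "/*" object ARN never matches anything (ListBucket is evaluated against the bucket ARN), so it is inert but harmless.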