06-29-2020 06:40 AM
Hi all, I've managed to work through setting up an S3 Disk Group in EP3 using AWS. However, the only way I've been able to make it work is by giving full access S3 permissions to the "user" that is making the interaction. Obviously I don't want to use full access permissions so I am looking to pare the permissions down to a reasonable level. When setting up the disk group the permissions are listed in Config but I've found many do not match the permissions in AWS. Has anyone successfully configured this without giving full access permissions? I created a table that outlines the permissions listed in Config, whether it matches an AWS permission, and possible alternate permissions.
Thanks!
07-02-2020 06:40 AM
Hi Steve.
You bring up a good question as this is likely not obvious. The items which you have listed in your spreadsheet as "Specified Permissions" are referred to as "Actions" for the AWS S3 API (link). These Actions are applied to the user through a user policy (link), where the terminology is referred to as a permission. If you would like to specify specific AWS S3 Actions to a user, you would do this through a user policy.
Best wishes.
07-15-2020 10:50 AM
Thanks to Adam Shane for providing direction in the previous post. I'm going to add on here so future searchers don't have to read through our conversation.
I've outlined the steps to configure an S3 disk group using Amazon S3 (note this is not necessarily a strict guide, just the outline of steps as I've worked through them).
General steps
AWS
OnBase
Once configured and tested, take away excess privileges by utilizing the Ongoing policy
Admin Policy - used during initial setup/configuration of disk group(s) - JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetEncryptionConfiguration",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<your s3 bucket name here>",
                "arn:aws:s3:::<your s3 bucket name here>/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}
Ongoing Policy - used for ongoing usage - JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetEncryptionConfiguration",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<your s3 bucket name here>",
                "arn:aws:s3:::<your s3 bucket name here>/*"
            ]
        }
    ]
}
For clarity: under Resource the <your s3 bucket name here> would look something like onbase-ep3-diskgroup - no angles 🙂
Hope this helps someone.
Steve
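Added example, not part of the posts above and not Hyland's code: the Ongoing policy lists the bucket ARN and the object ARN together for every action, and this Python sketch rebuilds it so each action is granted only on the resource type it applies to, while refusing wildcards or unexpected actions. The action-to-resource-type grouping is an assumption taken from the AWS S3 action reference, the helper names are hypothetical, and the result has not been tested against OnBase.

```python
import json

# Assumption (not from the thread): resource type each action applies to in AWS.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetEncryptionConfiguration",
                  "s3:ListBucketMultipartUploads"}
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                  "s3:AbortMultipartUpload"}
ACCOUNT_ACTIONS = {"s3:ListAllMyBuckets"}  # only meaningful with Resource "*"

def as_list(value):
    """IAM accepts a bare string where a list is expected."""
    return [value] if isinstance(value, str) else list(value)

def granted_actions(policy):
    """Every action named in an Allow statement of the policy."""
    return {a for s in policy["Statement"] if s["Effect"] == "Allow"
            for a in as_list(s["Action"])}

def tighten(policy, bucket):
    """Rebuild the policy with each action scoped to its own resource type.

    Raises ValueError for wildcards or actions outside the known sets, so a
    policy that was widened later is flagged instead of passed through.
    """
    actions = granted_actions(policy)
    unknown = actions - BUCKET_ACTIONS - OBJECT_ACTIONS - ACCOUNT_ACTIONS
    if unknown:
        raise ValueError(f"review by hand: {sorted(unknown)}")
    arn = f"arn:aws:s3:::{bucket}"
    scoped = [("BucketLevel", BUCKET_ACTIONS, arn),
              ("ObjectLevel", OBJECT_ACTIONS, f"{arn}/*"),
              ("AccountLevel", ACCOUNT_ACTIONS, "*")]
    statements = [{"Sid": sid, "Effect": "Allow",
                   "Action": sorted(actions & group), "Resource": res}
                  for sid, group, res in scoped if actions & group]
    return {"Version": "2012-10-17", "Statement": statements}

# The Ongoing policy from the post, using the bucket name it gives as its example.
BUCKET = "onbase-ep3-diskgroup"
ONGOING = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:GetEncryptionConfiguration",
               "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload",
               "s3:ListBucket", "s3:DeleteObject"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}

if __name__ == "__main__":
    print(json.dumps(tighten(ONGOING, BUCKET), indent=2))
```

The output keeps the same seven actions but separates them into a bucket-level statement on the bucket ARN and an object-level statement on the `/*` ARN, which makes later additions to either group easier to review.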
07-15-2020 11:17 AM
Thank you Steve! This is great information and your work here is appreciated.