S3 Disk Group configuration

Steve_Warner
Star Contributor

Hi all, I've managed to work through setting up an S3 Disk Group in EP3 using AWS. However, the only way I've been able to make it work is by giving full access S3 permissions to the "user" that is making the interaction. Obviously I don't want to use full access permissions so I am looking to pare the permissions down to a reasonable level.  When setting up the disk group the permissions are listed in Config but I've found many do not match the permissions in AWS. Has anyone successfully configured this without giving full access permissions? I created a table that outlines the permissions listed in Config, whether it matches an AWS permission, and possible alternate permissions.


Thanks!

2 ACCEPTED ANSWERS

AdamShaneHyland
Employee

Hi Steve.

You bring up a good question as this is likely not obvious.  The items which you have listed in your spreadsheet as "Specified Permissions" are referred to as "Actions" for AWS S3 API (link).  These Actions are applied to the user through a user policy (link) where the terminology is referred to as a permission.  If you would like to specify specific AWS S3 Actions to a user, you would do this through a user policy.

Best wishes.


Steve_Warner
Star Contributor

Thanks to Adam Shane for providing direction in previous post. I'm going to add on here so future searchers don't have to read through our conversation.

I've outlined the steps to configure an S3 disk group using Amazon S3 (note this is not necessarily a strict guide, just the outline of steps as I've worked through them).

General steps

AWS

  • Create S3 bucket
    • Each bucket will correspond to an OnBase disk group
  • Create two policies - one will be used during initial setup the other will be used ongoing. I refer to these as Admin and Ongoing
    • I chose to create two policies. Could also use the Amazon managed AmazonS3FullAccess policy during initial setup
  • Create AWS user (programmatic access)
    • Save credentials - do not lose these and do not store them where someone can get to them
  • Attach appropriate Admin or AmazonS3FullAccess Policy

OnBase

  • Configure Provider Settings
    • Provider URL will be the S3 region. For example: https://s3.us-east-2.amazonaws.com/
    • Enter Access Key and Secret key obtained when creating AWS user
    • S3 Provider Type: Moderate Compatibility
  • Create S3 Disk Group as needed
    • Select previously created Provider - appears can also create Provider during S3 Disk Group creation - I did these steps separately
    • Select Bucket


Once configured and tested, take away excess privileges by utilizing the Ongoing policy


Admin Policy - used during initial setup/configuration of disk group(s) - JSON

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetEncryptionConfiguration",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<your s3 bucket name here>",
                "arn:aws:s3:::<your s3 bucket name here>/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*"
        }
    ]
}


Ongoing Policy - used for ongoing usage - JSON

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetEncryptionConfiguration",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<your s3 bucket name here>",
                "arn:aws:s3:::<your s3 bucket name here>/*"
            ]
        }
    ]
}


For clarity: under Resource the <your s3 bucket name here> would look something like onbase-ep3-diskgroup

- no angles 🙂


Hope this helps someone.


Steve

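A small policy builder and linter for the disk-group policies above, added here as an example; it is not part of Steve's post and not OnBase or AWS code. It generates the ongoing policy for one bucket with each S3 action bound to the narrowest ARN it actually works on (bucket-level actions on the bucket ARN, object-level actions on bucket/*, s3:ListAllMyBuckets only on "*"), and flags wildcard actions, wildcard resources on bucket-scoped actions, and the angle-bracket placeholder left in. The action-to-scope mapping and the bucket name are my own assumptions.

```python
import json

# Assumed mapping of S3 actions to the resource shape they need:
# bucket-level actions use the bucket ARN, object-level actions need "/*",
# and s3:ListAllMyBuckets is account-wide and only works with Resource "*".
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetEncryptionConfiguration",
                "s3:ListBucketMultipartUploads"}
OBJECT_LEVEL = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject",
                "s3:AbortMultipartUpload"}
ACCOUNT_LEVEL = {"s3:ListAllMyBuckets"}


def build_policy(bucket, include_list_all=False):
    """Return an ongoing disk-group policy for one bucket, split so that
    each action is granted only on the resource type it applies to."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = [
        {"Sid": "BucketLevel", "Effect": "Allow",
         "Action": sorted(BUCKET_LEVEL), "Resource": bucket_arn},
        {"Sid": "ObjectLevel", "Effect": "Allow",
         "Action": sorted(OBJECT_LEVEL), "Resource": bucket_arn + "/*"},
    ]
    if include_list_all:  # only needed while picking the bucket in Config
        statements.append({"Sid": "ListAll", "Effect": "Allow",
                           "Action": "s3:ListAllMyBuckets", "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings: wildcard actions, Resource "*" on bucket-scoped
    actions, and the <...> placeholder that was never replaced."""
    findings = []
    for st in policy["Statement"]:
        actions, resources = as_list(st["Action"]), as_list(st["Resource"])
        for action in actions:
            if action.endswith("*"):
                findings.append(f"{st['Sid']}: wildcard action {action}")
        for res in resources:
            if "<" in res or ">" in res:
                findings.append(f"{st['Sid']}: placeholder left in {res}")
            if res == "*" and not set(actions) <= ACCOUNT_LEVEL:
                findings.append(f"{st['Sid']}: Resource * on bucket-scoped actions")
    return findings


if __name__ == "__main__":  # constructed sample bucket name
    print(json.dumps(build_policy("onbase-ep3-diskgroup"), indent=2))
```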

5 REPLIES

Thank you Steve!  This is great information and your work here is appreciated.