Configuring AWS Identity and Access Management

AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. With IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. Intelligence Services uses AWS IAM roles to ensure fine-grained control over access to the AI services and content stored in the S3 bucket.

Access to AWS services, such as Amazon Comprehend, requires that you provide credentials when you access them. The best way to provide those credentials is through AWS Identity and Access Management (IAM).

  1. Follow the steps in Creating Your First IAM Admin User and Group to create and configure an IAM user.
  2. Next, create an S3 bucket to use with the Amazon AI Services.

    Note: If you have an existing deployment that uses Alfresco Content Connector for AWS S3, it is recommended that you create a separate S3 bucket to use with Intelligence Services. Make sure that it is in the same region in which you intend to deploy Alfresco Intelligence Services.
    Note: The bucket name must be unique among all AWS users globally. See S3 bucket restrictions for more information on bucket naming.

    See Cleaning up in S3 for guidance.

  3. Go to the AWS Console and open the IAM console.
  4. Select Policies from the menu and click Create policy.

  5. Switch to the JSON tab to create the policy using JSON syntax.
  6. Copy the following content, replacing the bucket name alfrescoai with the name of your AI bucket:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": [
                    "arn:aws:s3:::alfrescoai/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": [
                    "arn:aws:s3:::alfrescoai"
                ]
            },
            {
                "Effect": "Allow",
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::alfrescoai/*"
            }
        ]
    }
  7. Click Review policy.
  8. Type a name for your policy and click Create policy.

    For example, ComprehendAsyncJobs.

    The policy name must be unique across your organization.

  9. Select Roles from the menu and click Create role.

    Next, you'll select the type of trusted entity (for example, an AWS service, another AWS account, etc.). Since Amazon Comprehend isn't offered as a trusted entity in this wizard, select EC2 for now and change the Trust Relationship to Comprehend later.

  10. Choose EC2 and click Next: Permissions.
  11. Choose one or more policies to attach to your new role (including the one you created in step 8).
  12. Click Next until you reach the Review page.
  13. Type a name for the role and click Create role.

    For example, ComprehendAsyncJobs.

    The role name must be unique across your organization.

  14. Select the role you just created, and copy the Role ARN field.

    You'll use this later when configuring environment variables.

    Next, change the Trust Relationship to Amazon Comprehend instead of EC2.

  15. Switch to the Trust Relationship tab, and select Edit Trust Relationship.
  16. Replace ec2.amazonaws.com in the policy document so that the Service entry reads:

     "Service": "comprehend.amazonaws.com"
  17. Click Update Trust Policy to complete this stage.

    Now that the role has been created, the IAM user needs to be given the ability to assign this role to Amazon Comprehend. You have two options:
    • Give the IAM user full ability to assign any role using Role-Based Permissions Required for Asynchronous Operations.
    • Alternatively, you can restrict the IAM user to passing only the role you created. Here is an example:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "iam:GetRole",
                      "iam:PassRole"
                  ],
                  "Resource": "arn:aws:iam::XXXXXXXXXXXX:role/ComprehendAsyncJobs"
              }
          ]
      }

Now you can use asynchronous operations by configuring the ROLE_ARN property with the ARN of this configured role. The Transform Engine can now split input documents larger than 125KB, upload the chunks to the configured S3 bucket, start the job, and poll the result until it finishes. The chunks are deleted after the process is completed.
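As an added example (not part of the Alfresco documentation or its product code), the following Python builds the three policy documents this page describes (the S3 bucket policy from step 6, the Comprehend trust relationship from step 16, and the scoped iam:PassRole policy from the second option) from a bucket name and role name, and checks that none of them has drifted from the least-privilege intent. The account ID 123456789012 and bucket/role names used in the checks are constructed placeholders.

```python
# Service principal the role must trust after step 16 (EC2 was only a wizard placeholder).
COMPREHEND_SERVICE = "comprehend.amazonaws.com"

def bucket_policy(bucket):
    """Step 6 policy, parameterised on the bucket name (only that bucket, nothing else)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": [f"arn:aws:s3:::{bucket}"]},
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*"},
    ]}

def trust_policy(service=COMPREHEND_SERVICE):
    """Trust relationship after step 16: only the given service principal may assume the role."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": service}, "Action": "sts:AssumeRole"},
    ]}

def pass_role_policy(account_id, role_name):
    """IAM user policy from the second option: GetRole/PassRole on one named role only."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"],
         "Resource": f"arn:aws:iam::{account_id}:role/{role_name}"},
    ]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_issues(bucket_doc, trust_doc, pass_doc, bucket):
    """Return findings where the documents drift from the page's least-privilege intent."""
    issues = []
    expected_s3 = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in bucket_doc["Statement"]:
        for res in _as_list(st["Resource"]):
            if res not in expected_s3:
                issues.append(f"S3 policy grants access outside the AI bucket: {res}")
    for st in trust_doc["Statement"]:
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else [principal]
        if services != [COMPREHEND_SERVICE]:
            issues.append(f"trust policy allows {services}, expected only {COMPREHEND_SERVICE}")
    for st in pass_doc["Statement"]:
        for res in _as_list(st["Resource"]):
            if "*" in res:
                issues.append(f"iam:PassRole is not scoped to a single role: {res}")
    return issues
```

Feed the documents you actually attached (for example, exported with the IAM console's JSON view) to policy_issues to confirm the trust relationship still names Comprehend rather than EC2 and that PassRole was not widened to a wildcard.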
