Configuring AWS Identity and Access Management

AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. The S3 Connector uses IAM roles to give fine-grained control over access to the content stored in the S3 bucket.

To use IAM roles instead of AWS access and secret keys, you must create a policy for the IAM role to use. Policies are used to grant permissions to groups. If there is no policy already in place for S3 access, create a new one.

  1. Create a new policy.

    You'll need to add the following IAM policy for the S3 Connector to work properly.

    1. Go to the AWS Console and open the IAM console.
    2. Select Policies from the menu and click Create policy.
    3. Switch to the JSON tab to create the policy using JSON syntax.
    4. Copy the following content, replacing YourBucket with the name of your bucket:

      1. If an S3 bucket already exists, add the following policy document:
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "s3:PutObject",
                        "s3:GetObject",
                        "s3:DeleteObject"
                    ],
                    "Resource": "arn:aws:s3:::YourBucket/*"
                }
            ]
        }
      2. If no S3 bucket exists, also add the following actions to the "Action" list:
        "s3:CreateBucket",
        "s3:PutLifecycleConfiguration",
        "s3:GetLifecycleConfiguration"
      3. If lifecycle configuration on the bucket is not required, see step 8 in Configuring the S3 Connector.

    Follow the steps from the AWS site to Create a New Policy for additional guidance.

  2. The following additional configuration options can be applied to the bucket. Each of these IAM actions grants an extra permission to the IAM user.

    To configure and view the encryption of a bucket:

    "s3:PutEncryptionConfiguration",
    "s3:GetInventoryConfiguration"

    To enable object tagging support (available from S3 Connector version 3.1):

    "s3:PutObjectTagging",
    "s3:GetObjectTagging"

    To access information from various metrics:

    "s3:PutMetricsConfiguration",
    "s3:GetMetricsConfiguration"

    To access the bucket lifecycle policy:

    "s3:PutLifecycleConfiguration"

    This allows the user to set an Infrequent Access (IA) storage class lifecycle rule on the bucket.

    See the AWS site for more documentation on IAM roles.
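    The script below is an added example, not Alfresco's or AWS's own code. It assembles the policy document from the actions listed in steps 1 and 2 and then runs a small least-privilege check over the result. One point the example makes explicit is that s3:CreateBucket and the lifecycle, encryption, inventory and metrics configuration actions are bucket-level actions, so they apply to the bucket ARN (arn:aws:s3:::YourBucket) rather than to the object ARN (arn:aws:s3:::YourBucket/*) used for PutObject, GetObject and DeleteObject; the script puts them in a separate statement for that reason. The bucket name, the Sid values and the feature names (encryption, tagging, metrics, lifecycle) are assumptions chosen here for illustration; the actions themselves are the ones this page lists.

```python
"""Assemble and review the S3 Connector IAM policy described on this page.

Added example (not Alfresco's or AWS's own code). Bucket name, Sid values and
feature names are this example's own assumptions; the actions are the page's.
"""
import json
import re

# Object-level actions from step 1; these apply to arn:aws:s3:::bucket/*.
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]

# Bucket-level actions added when no bucket exists yet (step 1, item 2);
# these apply to the bucket ARN itself, arn:aws:s3:::bucket, not to objects.
CREATE_BUCKET_ACTIONS = [
    "s3:CreateBucket",
    "s3:PutLifecycleConfiguration",
    "s3:GetLifecycleConfiguration",
]

# Optional feature sets from step 2, with the ARN level each one needs.
# Feature names are assumed for this example; the actions are the page's.
OPTIONAL_FEATURES = {
    "encryption": (["s3:PutEncryptionConfiguration", "s3:GetInventoryConfiguration"], "bucket"),
    "tagging": (["s3:PutObjectTagging", "s3:GetObjectTagging"], "object"),
    "metrics": (["s3:PutMetricsConfiguration", "s3:GetMetricsConfiguration"], "bucket"),
    "lifecycle": (["s3:PutLifecycleConfiguration"], "bucket"),
}

# S3 bucket naming rules: 3-63 characters of lowercase letters, digits, dots
# and hyphens, starting and ending with a letter or digit.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def build_policy(bucket, create_bucket=False, features=()):
    """Return the policy document as a dict ready for json.dumps()."""
    if not BUCKET_NAME_RE.match(bucket):
        raise ValueError(f"invalid S3 bucket name: {bucket!r}")
    object_actions = list(OBJECT_ACTIONS)
    bucket_actions = list(CREATE_BUCKET_ACTIONS) if create_bucket else []
    for name in features:
        actions, level = OPTIONAL_FEATURES[name]
        target = object_actions if level == "object" else bucket_actions
        for action in actions:
            if action not in target:  # de-duplicate (lifecycle is listed twice on the page)
                target.append(action)
    statements = [{
        "Sid": "S3ConnectorObjects",
        "Effect": "Allow",
        "Action": object_actions,
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }]
    if bucket_actions:
        statements.append({
            "Sid": "S3ConnectorBucket",
            "Effect": "Allow",
            "Action": bucket_actions,
            "Resource": f"arn:aws:s3:::{bucket}",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Least-privilege review: report every Allow statement that is wider than
    the connector needs (wildcard or non-S3 actions, unscoped resources)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or not action.startswith("s3:"):
                findings.append(f"{sid}: action {action} is broader than the S3 Connector needs")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource in ("*", "arn:aws:s3:::*"):
                findings.append(f"{sid}: resource {resource} is not scoped to one bucket")
    return findings


if __name__ == "__main__":
    # Constructed bucket name; replace it with your own before pasting into the console.
    doc = build_policy("example-alfresco-content", create_bucket=True,
                       features=("tagging", "lifecycle"))
    print(json.dumps(doc, indent=4))
    print("findings:", policy_findings(doc) or "none")
```

    Running the script prints a two-statement policy you can paste into the JSON tab of the console, and policy_findings() returns an empty list for it; feeding it a policy with "s3:*" or a "*" resource returns one finding per problem, which is a cheap check to run before the policy simulator step.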

  3. Use the policy simulator to test the new IAM policy.

    Follow the steps from the AWS site to Test IAM Policies.

  4. Create a new role. You can attach up to 10 policies to each role.

    Follow the steps from the AWS site to Create IAM Roles.

    If an Amazon EC2 configuration is already in place, attach the new policy that you created to the existing role used on the EC2 instance. Follow the steps from the AWS site to Manage IAM Roles.

  5. Attach the role to the EC2 instance where Alfresco Content Services is running.

    Note that only one role can be attached to an EC2 instance.

  6. Edit alfresco-global.properties to remove the connector.s3.accessKey and connector.s3.secretKey properties.

    Once these properties are removed, the IAM role attached to the EC2 instance is used to access the S3 bucket instead of the keys.

    You are now ready to start Alfresco Content Services.
