
Connect a Simple Storage Service (S3) System


Simple Storage Service (S3) is used, for example, with Amazon Web Services (AWS). In addition to or as an alternative to MongoDB, the files uploaded by SEAL Operator can be stored in S3.

This section briefly describes the AWS S3 configuration settings that concern SEAL Operator. For other S3 systems, refer to the corresponding documentation.

Afterwards, the configuration in SEAL Operator is described.


Set Up and Configure an AWS S3 System for SEAL Operator

For configuring the storage of the uploaded files for SEAL Operator, the following items are required:

  • An S3 bucket where the files will be stored

  • An identity and access management (IAM) service user with access to the S3 bucket, together with its access key and secret

Hint - AWS account

If you do not have an AWS account, go to https://aws.amazon.com/ and create one. This account will be the root (admin) of AWS. Using its access keys is not recommended. Create a specific IAM service user instead, as described below.


Create the S3 Bucket

  1. Search for the S3 service and create a bucket with the following settings:

    • Name: This will be the root of the filestore. Therefore, specify a meaningful name, for example, seal-operator-fileupload.

    • Region: Select one closest to you, for example, EU (Frankfurt) (eu-central-1).

    • Default encryption: Enable Amazon S3 key (SSE-S3).


Create the Policy for Accessing the Bucket

First, create a policy that gives access only to the S3 bucket created before. Then create the IAM service user and assign the policy to it.

  1. Search for the IAM service.

  2. Open the Policies tab and create a new one.

  3. Copy and paste the following policy JSON structure and replace <bucket_name> with the name specified for the S3 bucket above, for example, seal-operator-fileupload:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:CreateBucket",
                    "s3:ListBucket",
                    "s3:DeleteObject",
                    "s3:DeleteBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::<bucket_name>",
                    "arn:aws:s3:::<bucket_name>/*"
                ]
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "*"
            }
        ]
    }
    
  4. Save the policy under a recognizable name, for example, SealFilestoreS3Policy.

Hint - reuse

The permissions policy can be reused for other users.
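
A check that the policy still reaches only the intended bucket after <bucket_name> has been replaced, for example before reusing it for another user. This is an added example, not part of the SEAL documentation; the function names are hypothetical, and the bucket name pattern covers only the core S3 naming rules.

```python
import json
import re

# Policy template as given on this page; <bucket_name> is the page's placeholder.
TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:CreateBucket",
                "s3:ListBucket", "s3:DeleteObject", "s3:DeleteBucket"],
     "Resource": ["arn:aws:s3:::<bucket_name>", "arn:aws:s3:::<bucket_name>/*"]},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": "s3:ListAllMyBuckets", "Resource": "*"}
  ]
}"""

# Core S3 naming rules: 3-63 chars, lowercase letters, digits, dots, hyphens,
# starting and ending with a letter or digit.
BUCKET_RE = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")

def as_list(value):
    return value if isinstance(value, list) else [value]

def render_policy(bucket):
    """Fill the page's template with a validated bucket name."""
    if not BUCKET_RE.fullmatch(bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")
    return json.loads(TEMPLATE.replace("<bucket_name>", bucket))

def audit_policy(policy, bucket):
    """Return findings for Allow statements that reach beyond `bucket`."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt["Action"])
        for res in as_list(stmt["Resource"]):
            if "<" in res:
                findings.append(f"{stmt.get('Sid')}: placeholder left in {res}")
            elif res == "*":
                # Only the account-level listing action may use the wildcard.
                extra = [a for a in actions if a != "s3:ListAllMyBuckets"]
                if extra:
                    findings.append(f"{stmt.get('Sid')}: {extra} on Resource *")
            elif res not in allowed:
                findings.append(f"{stmt.get('Sid')}: out-of-scope resource {res}")
    return findings
```

An empty list from audit_policy means every object and bucket action is bound to the named bucket and only s3:ListAllMyBuckets uses the wildcard resource.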


Create a User and Assign the Policy

  1. Search for the IAM service.

  2. Open the Users tab.

  3. Add a user with the following settings:

    • name: Specify the name of the user, for example, seal-filestore-service-user.

    • AWS credential type: Select Access key - Programmatic access.

    • In the permissions tab, select Attach existing policies directly and search for the policy created before.

    • Create the user and save its access key and secret so that you can specify them later in the configuration of SEAL Operator (S3_ACCESS_KEY_ID, S3_SECRET_ACCESS_KEY).

    Caution - do not leave the dialog!

    Do not leave the dialog before saving the information. Once you leave this dialog, you won't be able to access the secrets again. Make sure to copy them now. (If you fail to copy them now, you have to generate new ones and mark the old ones as inactive.)


Configure the Connector for S3 and Specify the Keys for the Connection

In SEAL Operator, activate the connector and specify the keys for the connection:

  1. Export the complete configuration of SEAL Operator from Consul to a YAML file in order to ensure that the current configuration settings are used.

    operator config export <filename>.yml --insecure
    
  2. In the section of the S3 connector, set cstatus to on.

    operator:
      connectors:
        ...
          s3:
            cstatus: 'on'
            serviceName: operator-s3
        ...
    
  3. In the env section, specify the following keys for the operator-s3 service:

    • FILESTORE_TYPE: Type of storage used for the content of the uploaded files, here s3

    • S3_ACCESS_KEY_ID: ID of the access key to the S3 system as configured in the S3 system

    • S3_SECRET_ACCESS_KEY: Secret of the access key to the S3 system as configured in the S3 system

    • S3_BUCKET: Name of the S3 bucket as configured in the S3 system, seal-operator-fileupload by default

    • S3_REGION: S3 region as configured in the S3 system, eu-central-1 by default

    • MONGO_FILEUPLOAD_URL: URL of the MongoDB for file uploads, for example, mongodb://db:27017/operator-s3

    • DEFAULT_FILEUPLOAD_PANEL: Path to the JSON schema file containing the configuration of the panel, for example, /code/lib/defaultConfig/s3-panel.json. Changing the panel name, for example to My Cloud, is recommended to avoid confusion.

    env:
      service:
      ...
        operator-s3:
          tag:
            any:
              FILESTORE_TYPE: s3
              S3_ACCESS_KEY_ID: '<s3_access_key_id>'
              S3_SECRET_ACCESS_KEY: '<s3_secret_access_key>'
              MONGO_FILEUPLOAD_URL: '<url_file_upload>'
              DEFAULT_FILEUPLOAD_PANEL: '<path_panel_configuration>'
      ...
    

    Literature - keys

    For further information about the available keys, refer to the description of the Keys.

  4. Save the <filename>.yml file and re-import it to Consul.

    operator config import <filename>.yml --insecure
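
The exported <filename>.yml holds S3_SECRET_ACCESS_KEY in clear text, so it is worth checking the file before the re-import. The following is an added example, not part of the SEAL documentation: a line-based reader (not a full YAML parser) with hypothetical function names, which assumes that the five keys shown in the env sample above must be set.

```python
import os
import re

# Keys from the page's env sample for operator-s3 (treated as required here).
REQUIRED = ("FILESTORE_TYPE", "S3_ACCESS_KEY_ID", "S3_SECRET_ACCESS_KEY",
            "MONGO_FILEUPLOAD_URL", "DEFAULT_FILEUPLOAD_PANEL")

# Constructed fragment of an exported file; the secret was never filled in.
SAMPLE = """\
env:
  service:
    operator-s3:
      tag:
        any:
          FILESTORE_TYPE: s3
          S3_ACCESS_KEY_ID: 'EXAMPLEKEYID'
          S3_SECRET_ACCESS_KEY: '<s3_secret_access_key>'
          MONGO_FILEUPLOAD_URL: 'mongodb://db:27017/operator-s3'
    other-service:
      DEFAULT_FILEUPLOAD_PANEL: '/not/for/operator-s3.json'
"""

def operator_s3_env(yaml_text):
    """Collect KEY: value pairs nested below the 'operator-s3:' mapping key."""
    env, base = {}, None
    for line in yaml_text.splitlines():
        text = line.strip()
        if not text or text == "..." or text.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if base is None:
            if text == "operator-s3:":
                base = indent
        elif indent <= base:
            break  # left the operator-s3 block
        else:
            m = re.fullmatch(r"([A-Z0-9_]+):\s*(.*)", text)
            if m:
                env[m.group(1)] = m.group(2).strip("'\"")
    return env

def check_env(env):
    """Required keys that are missing or still a <placeholder>."""
    return [k for k in REQUIRED
            if not env.get(k) or re.fullmatch(r"<.*>", env[k])]

def readable_by_others(path):
    """True if group or other hold any permission on the exported file."""
    return bool(os.stat(path).st_mode & 0o077)
```

If readable_by_others returns True, tighten the file mode (for example to 600), and delete the file once the import has succeeded.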
    
