If your media are stored in a location you can access on AWS S3, you can link that cloud location to your platform account and sync media to use in the platform.
Please note: this is our "digest" version of how to manage access for your AWS account. For the most up-to-date information on how to set up and manage access controls for AWS S3, please visit the S3 documentation center.
Create an S3 bucket
In order to store files on AWS S3, you need to create an S3 bucket.
Go to the “S3” section of your AWS Management Console.
Click Create bucket.
Fill in the unique bucket name (e.g. saab-imagery) and choose the region where you want to store your imagery and click next.
You can optionally tweak the configuration. Click “Next.”
For the highest security, we recommend blocking all public access to your bucket. The Platform will still be able to access your imagery.
Review the bucket configuration and click create bucket.
Create an IAM policy
An IAM policy is used to manage access control. In order to access your files, the platform needs the following permissions:
IAM permission | Description |
s3:ListBucket | List the objects in your S3 location. We need to know the names of your files to be able to import them. |
s3:GetObject | Get a file. We need this permission to initiate a file download request. |
s3:HeadObject | Get metadata. We need this permission to be able to collect additional information about files (e.g., file size, hash, etc.) |
Go to the “IAM” section of your AWS Management Console.
In the sidebar, click Policies.
Click Create policy.
Choose JSON.
Paste the following policy configuration, replacing the bucket name and the path with the location to which you have uploaded the imagery:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowObjectAccess",
"Effect": "Allow",
"Action": [
"s3:HeadObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::saab-imagery/path/to/files/*"
]
},
{
"Sid": "AllowObjectsListing1",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::saab-imagery"
],
"Condition": {
"StringEquals": {
"s3:prefix": [
"path/to/files"
],
"s3:delimiter": [
"/"
]
}
}
},
{
"Sid": "AllowObjectsListing2",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::saab-imagery"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"path/to/files/*"
]
}
}
}
]
}
If you plan to store your media in the bucket’s root, you will need to adjust some things. In the AllowObjectAccess statement, put the /* right after the bucket name:
"Resource": [
"arn:aws:s3:::saab-imagery/*"
]
In the AllowObjectsListing1 statement, change the prefix to an empty string in Conditions:
"Condition": {
"StringEquals": {
"s3:prefix": [
""
],
"s3:delimiter": [
"/"
]
}
}
6. Click Review policy.
7. Set a unique name for your new policy. For example, “Saab Platform Access.”
8. Click Create policy to finish.
You're almost there!
Create an IAM user
To access your files, the platform needs credentials, in this case, an access key and a secret key.
Go to the “IAM” section of your AWS Management Console.
In the sidebar, click Users.
Click Add user.
Provide a unique user name. For example,
Saab-platform-access.In the Access type section, select Programmatic access and click Next.
In the Set permissions section, select Attach existing policies directly.
Search for the policy you just created in the previous step, select it, and click Next.
You can optionally add tags to your IAM user. This information can be used to organize your IAM users database. Click Next.
Review the username and the policy attached and click Create user.
Your new credentials will be displayed. Please note that the secret access key is displayed only once. Please save the key somewhere safe! You can click Download CSV to download the credentials to your computer.
For security reasons, we recommend you delete the secret key from your computer as soon as you connect it to your platform account.
With this information in hand, you're ready to use it to create a set of Credentials in your platform account. Here's our article on how to do that.