
3 - Create AWS storage resources

Which S3 buckets you need and how to set them up

General notes on buckets

Access to buckets

Each S3 bucket needs to be created with different permissions:

  • the S3-push bucket must be accessible to both the HCMS satellite and the censhare Server

  • the Image Cache S3 bucket must be accessible only to the satellite

However, how exactly this access is granted depends on whether the censhare Server already uses AWS. The rule is that the IAM user with access to the buckets needs to be in the same AWS account where your S3 bucket lives. Consequently, two options are possible:

  • You create a new IAM user and grant it access to buckets

  • You create a new role and grant access to the existing EC2 instance using this role

Note the CloudFormation template provides both of these options, i.e. it creates both a user and a role, and it's up to you which one to use.

Let's go through the scenarios in more detail and look at what applies to each.

censhare Server does not use AWS

If the censhare Server neither runs on AWS EC2 nor uses an S3 bucket as its file system, you will need to create the buckets and an IAM user.

Note that in this guide we assume this particular scenario, with no AWS services yet used. For other options we provide a general overview, but please refer to the official AWS documentation for specific details!

censhare Server uses S3 buckets

If the censhare Server does not run on AWS EC2, but uses an S3 bucket as its file system, you can re-use that bucket and share it with the HCMS satellite. Permissions will be bound to your ECS task/container. No separate IAM user is needed.

Warning This is quite an advanced setup and is not covered by this guide. Please refer to this documentation.

censhare Server runs on EC2

If the Server runs on EC2, it also uses S3 buckets as its file system. If you want to use the same AWS account, you do not need to create a separate IAM user for the installation. Access is granted by roles, as in the previous case.

You may instead want a separate account for the HCMS Client, e.g., for billing reasons, but we consider this case too complex and do not recommend it. Please refer to the official AWS documentation for instructions.

Expiration Policy for Image Cache S3 bucket

Since this S3 bucket is used to cache generated image variants, it needs to have an expiration policy in place, with the following recommended values:

  • Expire the current version of objects after 30 days

  • Permanently delete previous versions after 30 days
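As an added example (not a fragment of the project's own hcms-data.yml), a CloudFormation snippet that declares an Image Cache bucket with exactly this expiration policy and a least-privilege policy for the satellite; the resource, rule and policy names are assumed, and public access is blocked because only the satellite should reach this bucket:

```yaml
# Added example, not part of deployment/aws/hcms-data.yml.
# Resource and rule names (ImageCacheBucket, ExpireCachedVariants,
# ImageCacheAccessPolicy) are assumed.
Resources:
  ImageCacheBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Versioning must be enabled for "previous versions" to exist at all.
      VersioningConfiguration:
        Status: Enabled
      # The cache is only for the satellite; never expose it publicly.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      LifecycleConfiguration:
        Rules:
          - Id: ExpireCachedVariants
            Status: Enabled
            # Expire the current version of objects after 30 days
            ExpirationInDays: 30
            # Permanently delete previous versions after 30 days
            NoncurrentVersionExpiration:
              NoncurrentDays: 30
            # Also drop half-finished uploads so they do not accumulate
            AbortIncompleteMultipartUpload:
              DaysAfterInitiation: 7

  # Least-privilege policy for the satellite: only this bucket, only the
  # actions a cache needs. Attach it to the satellite's role or user.
  ImageCacheAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: s3:ListBucket
            Resource: !GetAtt ImageCacheBucket.Arn
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:DeleteObject
            Resource: !Sub "${ImageCacheBucket.Arn}/*"
```

After deployment, the lifecycle rule can be checked in the S3 console under the bucket's Management tab, and the policy should list only the cache bucket's ARN.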

Naming convention for buckets

There is no specific naming convention: the bucket name can be anything that AWS allows.

CloudFormation template

Bucket creation can be handled using the CloudFormation template deployment/aws/hcms-data.yml.

Steps

  • In the hcms-data.yml, depending on your setup:

    • use the S3PushUser property to create a new AWS user

    • use the ServerRole property to create a new role; in this case, make sure to remove the S3PushUser property

  • In your AWS account, go to the CloudFormation console

  • Upload your template

Warning On each upload, right after you select the file, pay attention to the S3 URL at the bottom of the console: copy and save it, as it will not be shown again later!

  • Add the saved S3 URL to the root.yml template, to the HcmsStorage::Properties::TemplateURL

  • If you kept the user part and created a new IAM user:

    • Go to the IAM console and get the access key and the secret key: you will need them on the server preparation step

  • If you want to use ServerRole:

    • Go to the AWS Console or whichever management tool you use (CloudFormation, Terraform, etc.) and attach that role to the corresponding EC2 instance
