3 - Create AWS storage resources
Which S3 buckets you need and how to set them up
General notes on buckets
Access to buckets
Each S3 bucket needs to be created with different permissions:
the S3-push bucket should be accessible for both the HCMS satellite and the censhare Server
the Image Cache S3 bucket should be accessible only for the satellite
However, how exactly this access is granted depends on whether the censhare Server already uses AWS. The rule is that the IAM user with access to the buckets needs to be in the same AWS account where your S3 bucket lives. Consequently, two options are possible:
You create a new IAM user and grant it access to the buckets
You create a new role and grant access to the existing EC2 instance through that role
Note that the CloudFormation template provides both of these options, i.e. it creates both a user and a role, and it is up to you which one to use.
Let's go through the scenarios in more detail and see what applies to each.
censhare Server does not use AWS
If the censhare Server neither runs on AWS EC2 nor uses an S3 bucket as its file system, you will need to create the buckets and an IAM user.
Note that in this guide we assume this particular scenario, with no AWS services yet used. For other options we provide a general overview, but please refer to the official AWS documentation for specific details!
censhare Server uses S3 buckets
If the censhare Server does not run on AWS EC2 but uses an S3 bucket as its file system, you can re-use that bucket and share it with the HCMS satellite. Permissions will be bound to your ECS task/container; no separate IAM user is needed.
Warning This is quite an advanced setup and is not covered by this guide. Please refer to this documentation.
censhare Server runs on EC2
If the censhare Server runs on EC2, it also uses S3 buckets as its file system. If you want to use the same AWS account, you do not need to create a separate IAM user for the installation. Access is granted by roles as in the previous case.
You may want a separate AWS account for the HCMS Client, e.g., for billing reasons, but we consider this case a bit too complex and do not recommend it. Please refer to the official AWS documentation for instructions.
Expiration Policy for Image Cache S3 bucket
Since this S3 bucket is used to cache generated image variants, it needs an expiration (lifecycle) policy in place, with the following recommended values:
Expire the current version of object after 30 days
Permanently delete previous versions after 30 days
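The following CloudFormation fragment is an added example, not the content of the project's hcms-data.yml, showing how the two recommendations above map onto bucket settings: an Image Cache bucket with the 30-day expiration rules, public access blocked, and a role whose S3 permissions are limited to that one bucket (the role name, the ECS task principal and the policy name are assumptions):

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - Image Cache bucket with expiration policy and a least-privilege role
Resources:
  ImageCacheBucket:
    Type: AWS::S3::Bucket
    Properties:
      # No BucketName given: CloudFormation generates one; any AWS-valid name is fine
      VersioningConfiguration:
        Status: Enabled
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      LifecycleConfiguration:
        Rules:
          - Id: expire-cached-image-variants
            Status: Enabled
            ExpirationInDays: 30                   # expire the current version after 30 days
            NoncurrentVersionExpirationInDays: 30  # permanently delete previous versions after 30 days
  SatelliteRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com   # assumption: satellite runs as an ECS task
            Action: sts:AssumeRole
      Policies:
        - PolicyName: image-cache-access          # assumed name
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Object access is scoped to this bucket only; the satellite gets no other S3 rights
              - Effect: Allow
                Action: [s3:GetObject, s3:PutObject, s3:DeleteObject]
                Resource: !Sub '${ImageCacheBucket.Arn}/*'
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !GetAtt ImageCacheBucket.Arn
```

The role for the censhare Server would get the same shape of policy against the S3-push bucket instead; the point is that neither identity is granted access beyond the bucket it needs.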
Naming convention for buckets
There is no specific naming convention: bucket name can be anything that is allowed by AWS.
CloudFormation template
Bucket creation can be handled using the CloudFormation template deployment/aws/hcms-data.yml.
Steps
In hcms-data.yml, depending on your setup:
  use the S3PushUser property to create a new AWS user
  use the ServerRole property to create a new role; in this case, make sure to remove the S3PushUser property
In your AWS account, go to the CloudFormation console
Upload your template
Warning On each upload, right after you have selected the file, pay attention to the S3 URL at the bottom of the console: copy and save it, as it will be gone later!
Add the saved S3 URL to the root.yml template, under HcmsStorage::Properties::TemplateURL
If you kept the user part and created a new IAM user:
  Go to the IAM console and get the access key and the secret key: you will need them in the server preparation step
If you want to use ServerRole:
  Go to the AWS Console or whichever management tool you are using (CloudFormation, Terraform, etc.) and attach that role to the corresponding EC2 instance