Setting Up S3 Credentials for Ingest Cluster
Info
These instructions apply only when using the --cluster option to run fw ingest in the Flywheel cluster.
In order to take advantage of cluster-based ingest, the cluster must be able to read the contents of the bucket. If the source bucket is encrypted with KMS, then the cluster will also need the ability to decrypt objects using that key.
Before you start, you will need to request the ARN of the ingest worker role from Flywheel Support.
Instruction Steps
Add Read Access to the Source S3 Bucket
- Log in to the AWS console and find your source bucket in the Amazon S3 services.
- Go to the Permissions tab:
- Click the Edit button next to Bucket Policy:
- Add read access for the ingest worker role.
  In this example, we'll use a role ARN of arn:aws:iam::784277622827:role/example-fwapp-ingest-role

  ```json
  {
    "Version": "2012-10-17",
    "Id": "Policy1580769485782",
    "Statement": [
      {
        "Sid": "ListBucket",
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "arn:aws:iam::784277622827:role/example-fwapp-ingest-role"
          ]
        },
        "Action": [
          "s3:GetBucketLocation",
          "s3:ListBucket"
        ],
        "Resource": "arn:aws:s3:::dev-import-testing"
      },
      {
        "Sid": "GetObject",
        "Effect": "Allow",
        "Principal": {
          "AWS": [
            "arn:aws:iam::784277622827:role/example-fwapp-ingest-role"
          ]
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::dev-import-testing/*"
      }
    ]
  }
  ```
- Save the bucket policy. If your bucket has a default encryption policy, move on to the next section.
Add Decrypt Access to the KMS Key
If your bucket has a default encryption policy, then you'll also need to add decrypt access to the associated KMS key.
- Navigate to the bucket settings to view the default encryption policy.
- If encryption is enabled, click on the encryption key ARN to go to the settings for that key.
- Click Edit on the key policy:
  Here we're adding a new statement that allows decryption using the KMS key:
  (NOTE: Just the second statement was added)

  ```json
  {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
      {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::784277622827:root"
        },
        "Action": "kms:*",
        "Resource": "*"
      },
      {
        "Sid": "Enable Decrypt for Flywheel Ingest",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::784277622827:role/example-fwapp-ingest-role"
        },
        "Action": "kms:Decrypt",
        "Resource": "*"
      }
    ]
  }
  ```
- Click Save.
This completes the changes needed to enable cluster-based ingest for your source bucket. Repeat these steps for any additional buckets you'd like to import data from.
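
To confirm before saving that the two policies give the ingest worker role the read and decrypt access described above and nothing broader, the following added example (not Flywheel's code; function names are illustrative) lints the policy documents offline. It assumes only Allow statements in the bucket and key policies matter, and does not evaluate Deny statements, conditions or IAM identity policies.

```python
import fnmatch

ROLE = "arn:aws:iam::784277622827:role/example-fwapp-ingest-role"  # example ARN from the page
BUCKET = "dev-import-testing"                                       # example bucket from the page

def as_list(v):
    return v if isinstance(v, list) else [v]

def grants_for(policy, role_arn):
    """Collect (action, resource) pairs that Allow statements give to role_arn or to '*'."""
    grants = set()
    for st in policy.get("Statement", []):
        principal = st.get("Principal", {})
        arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        if st.get("Effect") == "Allow" and (role_arn in arns or "*" in arns):
            grants |= {(a, r) for a in as_list(st.get("Action", []))
                       for r in as_list(st.get("Resource", []))}
    return grants

def covered(need, grants):
    # Approximates IAM wildcard matching: actions are case-insensitive, ARNs are not.
    return any(fnmatch.fnmatchcase(need[0].lower(), a.lower())
               and fnmatch.fnmatchcase(need[1], r) for a, r in grants)

def check_ingest_access(bucket_policy, key_policy, role_arn, bucket):
    """Return findings; an empty list means exactly the page's read/decrypt access."""
    arn = f"arn:aws:s3:::{bucket}"
    want = {("s3:GetBucketLocation", arn), ("s3:ListBucket", arn), ("s3:GetObject", arn + "/*")}
    got = grants_for(bucket_policy, role_arn)
    findings = [f"missing: {a} on {r}" for a, r in sorted(want) if not covered((a, r), got)]
    findings += [f"broader than needed: {a} on {r}" for a, r in sorted(got - want)]
    if key_policy is not None:  # only for buckets with default KMS encryption
        kms = grants_for(key_policy, role_arn)
        if not covered(("kms:Decrypt", "*"), kms):
            findings.append("missing: kms:Decrypt on *")
        findings += [f"broader than needed: {a} on {r}"
                     for a, r in sorted(kms - {("kms:Decrypt", "*")})]
    return findings

def allow(principal, action, resource):
    return {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": action, "Resource": resource}

# The two policies from the page, rebuilt as dicts (Sid and Id fields omitted).
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    allow([ROLE], ["s3:GetBucketLocation", "s3:ListBucket"], f"arn:aws:s3:::{BUCKET}"),
    allow([ROLE], "s3:GetObject", f"arn:aws:s3:::{BUCKET}/*")]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    allow("arn:aws:iam::784277622827:root", "kms:*", "*"),
    allow(ROLE, "kms:Decrypt", "*")]}

if __name__ == "__main__":
    print(check_ingest_access(BUCKET_POLICY, KEY_POLICY, ROLE, BUCKET) or "ok")
```

An empty result means the role has exactly the three S3 read actions and kms:Decrypt; any wildcard or extra action granted to the role is reported as broader than needed.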