
What are the exact S3 actions to allow for the S3 backend storage setup?

Open casper-gh opened this issue 4 years ago • 2 comments

Question: Regarding S3 backend for storage, what are the exact actions for IAM role attached to the nodes?

https://github.com/jfrog/charts/tree/master/stable/artifactory-ha#aws-s3

  persistence:
    type: aws-s3
    awsS3:
      bucketName: "my-bucket"
      endpoint: "https://s3.us-east-1.amazonaws.com"
      region: "us-east-1"
      testConnection: false
      path: "artifactory-ha/filestore"
      roleName: "myRole"

I'm looking for the IAM policy, something like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": "my-bucket"
        }
    ]
}

I actually tried this policy, but I'm not sure if it's working because objects are copied to S3 after they're written into local storage. And I couldn't find any log that would show the object copy process.

casper-gh avatar Apr 23 '21 20:04 casper-gh

Perfectly valid question. This is what seems to work for us (not tested on production yet):

data "aws_iam_policy_document" "artifactory_policy_data" {
  statement {
    actions = [
      "s3:ListBucket",               # bucket-level action, matched by the bucket ARN below
      "s3:GetObject",
      "s3:DeleteObject",
      "s3:PutObject",
      "s3:PutObjectAcl",
      "s3:AbortMultipartUpload",
      "s3:ListMultipartUploadParts",
    ]

    effect = "Allow"

    resources = [
      "arn:aws:s3:::mybucket",       # needed for s3:ListBucket
      "arn:aws:s3:::mybucket/*"      # needed for the object-level actions
    ]
  }
}

"I'm not sure if it's working because objects are copied to S3 after they're written into local storage"

This is perfectly valid behavior. Read about eventual provider and cache-fs. They are enabled by default in the S3-v3 chain. You can disable them by providing custom binarystoreXml: file but this is probably not what you want (EBS is faster than direct to S3).

Anyway, here it is:

binarystoreXml: |
  <config version="2">
    <chain>
      <provider id="s3-storage-v3" type="s3-storage-v3">
        <endpoint>s3.amazonaws.com</endpoint>
        <bucketName>mybucket</bucketName>
        <path>artifactory/filestore</path>
        <region>myregion</region>
        <!-- USES https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/setting-up-enable-IAM.html -->
        <useInstanceCredentials>true</useInstanceCredentials>
      </provider>
    </chain>
  </config>

Compare with the one that is generated by the chart and deployed on your cluster.

mkkot-onegini avatar Apr 27 '21 07:04 mkkot-onegini
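An added example (not code from the jfrog/charts project or from anyone in this thread) that turns the Terraform policy above into a least-privilege variant and checks it offline. The action list is the one from the Terraform snippet; the bucket name and the `artifactory-ha/filestore` path are the assumed values from the question. Two things are my own additions and are labelled as assumptions: object actions are restricted to the filestore path instead of the whole bucket, and `s3:ListBucket` gets an `s3:prefix` condition so the role cannot enumerate other keys. The `is_allowed` function is a small toy model of IAM evaluation (explicit Deny wins, otherwise any matching Allow), enough to show why `ListBucket` needs the bucket ARN and object actions need `bucket/*`, and why a bare bucket name as `Resource` matches nothing; it is not a substitute for the real IAM engine.

```python
"""Least-privilege IAM policy for an Artifactory S3 filestore, plus a small
offline evaluator to check what the policy does and does not allow.

Added example; not code from the jfrog/charts project. Bucket name and path
are the (assumed) values from the question; the action list is the one from
the Terraform snippet in this thread.
"""
import fnmatch
from typing import Optional

BUCKET = "my-bucket"                  # assumed, from the question
PREFIX = "artifactory-ha/filestore"   # persistence.awsS3.path in the chart values
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"

# Object-level actions used by the thread's Terraform policy.
OBJECT_ACTIONS = [
    "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject",
    "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
]


def artifactory_filestore_policy(bucket: str = BUCKET, prefix: str = PREFIX) -> dict:
    """Build an identity policy scoped to one bucket and one key prefix.

    Object actions need the object ARN form (bucket/<prefix>/*). ListBucket is
    a bucket-level action, so it must target the bucket ARN itself (a bare
    bucket name, as in the question, is not an ARN and IAM rejects it). The
    s3:prefix condition is an assumption of this example: it keeps the role
    from listing keys outside the filestore path.
    """
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "FilestoreObjects", "Effect": "Allow",
             "Action": OBJECT_ACTIONS, "Resource": f"{arn}/{prefix}/*"},
            {"Sid": "FilestoreList", "Effect": "Allow",
             "Action": "s3:ListBucket", "Resource": arn,
             "Condition": {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}}},
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_ok(cond: dict, ctx: dict) -> bool:
    """Only StringLike is modelled (assumption: enough for s3:prefix); any other
    operator is treated as unsatisfied so the toy never over-allows."""
    for op, pairs in cond.items():
        if op != "StringLike":
            return False
        for key, patterns in pairs.items():
            val = ctx.get(key)
            if val is None or not any(fnmatch.fnmatchcase(val, p) for p in _as_list(patterns)):
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str, ctx: Optional[dict] = None) -> bool:
    """Toy IAM decision: explicit Deny wins, else any matching Allow, else deny.

    Action names are compared case-insensitively and Resource ARNs
    case-sensitively, as in IAM; '*' and '?' wildcards go through fnmatch.
    NotAction, NotResource and resource/bucket policies are not modelled.
    """
    ctx = ctx or {}
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if "Condition" in st and not _condition_ok(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_policy(policy: Optional[dict] = None) -> dict:
    """Exercise a policy with constructed requests: the kind the s3 provider
    makes under the filestore path, and a few the role must not be able to make."""
    p = policy or artifactory_filestore_policy()
    obj = f"{BUCKET_ARN}/{PREFIX}/ab/abc1234567"      # a binary under the filestore path
    return {
        "put_object": is_allowed(p, "s3:PutObject", obj),
        "get_object": is_allowed(p, "s3:GetObject", obj),
        "list_own_prefix": is_allowed(p, "s3:ListBucket", BUCKET_ARN, {"s3:prefix": f"{PREFIX}/ab/"}),
        "list_whole_bucket": is_allowed(p, "s3:ListBucket", BUCKET_ARN),
        "write_outside_prefix": is_allowed(p, "s3:PutObject", f"{BUCKET_ARN}/other/secret"),
        "delete_bucket": is_allowed(p, "s3:DeleteBucket", BUCKET_ARN),
    }


# The policy from the question, with Resource as a bare bucket name: it matches
# no ARN, so nothing is allowed (IAM would not even accept it as written).
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
    "Resource": "my-bucket"}]}

if __name__ == "__main__":
    import json
    print(json.dumps(artifactory_filestore_policy(), indent=2))
    print(check_policy())
    print(check_policy(QUESTION_POLICY))
```

Against the real account, the equivalent check is `aws iam simulate-principal-policy --policy-source-arn <role arn> --action-names s3:PutObject s3:ListBucket --resource-arns <bucket and object ARNs>`, which evaluates the attached policies with AWS's own engine. If Artifactory's test connection lists the bucket without a prefix, the `s3:prefix` condition will deny that call; in that case drop the condition and keep the rest of the scoping.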

Thanks @mkkot-onegini

My main concern is the IAM policy; we're currently holding off the production release because of it. It'd be great if anyone from JFrog could confirm the required S3 actions based on the APIs that are used.

casper-gh avatar Apr 27 '21 16:04 casper-gh

It's a shame that this is still unanswered. 😕

pascal-hofmann avatar May 04 '23 13:05 pascal-hofmann

Hi @pascal-hofmann

I apologize this issue was not answered. I'll try to assist with this.

The required permissions are described in https://jfrog.com/knowledge-base/artifactory-aws-s3-connectivity-and-troubleshooting-steps/

When deploying Artifactory on an AWS EKS cluster, I recommend using the "IAM OIDC" provider to connect Artifactory to the S3 bucket as described here.

Hope it helps.

Yarden JFrog Support.

gitta-jfrog avatar May 04 '23 13:05 gitta-jfrog

Awesome, thanks for the quick answer!

pascal-hofmann avatar May 04 '23 13:05 pascal-hofmann