Connecting to Amazon S3
A step-by-step guide to connect with Amazon S3
Last updated
Was this helpful?
A step-by-step guide to connect with Amazon S3
Last updated
Was this helpful?
This documentation provides a step-by-step guide on how to connect to Amazon S3 from Tellius.
An Amazon Web Services (AWS) account
AWS Access Key ID and Secret Access Key
Tellius credentials
Navigate to the IAM console at .
From the navigation menu, select Users.
Click on your specific IAM username (avoid clicking the checkbox).
Under the Security credentials tab, opt to Create access key.
Click Show to reveal your new access key. They should look like this:
Access key ID: <ACCESS_KEY_ID>
Secret access key: <SECRET_ACCESS_KEY>
To save the key pair, click Download .csv file and keep the file in a secure place.
If a secret access key is misplaced, it cannot be retrieved, and a new key pair must be created.
To connect with Amazon S3 for the first time,
Navigate to Data → Connect → Create new → Amazon S3.
Provide the following details:
AWS Access Key - Enter the access key ID that was generated that was generated in the previous step.
AWS Secret Key - Enter the secret access key that was generated in the previous step.
S3 Bucket - Provide the Amazon S3 bucket name (globally unique name).
AWS Region - Choose the region from the dropdown. Locations may differ depending on the type of Cloud.
Datasource Name - Provide the name of the datasource
Click on Save and Browse Host to proceed. The connection details will be saved.
To connect with Amazon S3 using an already existing datasource,
Enable Use validated datasource connection details to use the details of the connections already established.
A new field Select Datasource gets added.
Click the dropdown to select from the list of already available connections.
Based on the datasource selected, the fields will be auto-populated.
Click on Browse Host to proceed.
Note: The dataset name can contain only letters, numbers, and underscores. It cannot begin with numbers or underscores or contain special characters, symbols, or spaces.
Role-based access control (RBAC) in AWS for Amazon S3 allows you to configure Tellius to securely access an S3 bucket without the need for access or secret keys. This approach is recommended and provides a secure way to access AWS resources.
To enable RBAC, you first need to identify the role associated with the nodes where Tellius is deployed.
EKS
If you are using EKS, the worker nodes of your EKS cluster will have an associated role. You can access this information using the EKS page on the AWS Console.
Standalone
Once you have identified the role associated with the Tellius deployment nodes, follow these steps to grant access to an S3 bucket:
Sign in to the AWS Management Console and open the IAM console.
In the navigation pane, select Policies and then click on the Create policy button.
On the Create policy page, select the JSON tab to enter the policy document in JSON format.
Enter the following JSON policy document, which provides read-only access to the S3 bucket:
Replace "YOUR_BUCKET_NAME
" with the actual name of the S3 bucket to which you want to grant access. This policy allows the IAM role to perform "Get" and "List" actions on objects within the specified bucket.
Click on the Review policy button to proceed.
Provide a name and description for the policy, and review the policy summary.
Click on the Create policy button to create the IAM policy.
Once the policy is created, you can attach it to the IAM role associated with Tellius. To do this, navigate to the IAM Roles page, select the desired role, click on the Attach policies button, search for and select the policy you just created, and then click the Attach policy button.
To provide a more granular level of control and understandability over the S3 access, here's an extended sample policy with an explanation for each of its attributes:
VisualEditor0 Statement:
Purpose: Grants permission to retrieve the location of the S3 bucket.
Effect: Decision attribute. Specifies whether the policy statement results in an allow or an explicit deny for the specified actions
Action: "s3:GetBucketLocation". Returns the region the bucket resides in.
Resource: Targets all S3 buckets.
VisualEditor1 Statement:
Purpose: Allows the listing of all S3 buckets.
Action: "s3:ListAllMyBuckets". Lists all buckets owned by the authenticated sender of the request.
Resource: Targets all S3 buckets.
VisualEditor2 Statement:
Purpose: Provides permission to get (read) and list (view) all objects and their metadata within a specified S3 bucket.
Action: "s3:Get*" and "s3:List*". These wildcard actions grant permissions for all Get
and List
related actions respectively.
Resource: Specifies which S3 bucket the actions apply to. Replace <BUCKET_NAME>
with the actual name of your S3 bucket.
By following these steps, you can configure Tellius to securely access the designated S3 bucket using the appropriate role-based access control.
When implementing this policy, ensure that the networking components, such as firewalls or VPC settings, do not block the connections required by these permissions. This is vital to ensure seamless access to the specified S3 resources.
If you have a standalone setup where Tellius is directly deployed on AWS EC2 instances, follow the steps outlined to attach an IAM role to an EC2 instance: