Amazon Web Services S3 Connector
Last Updated: October 27, 2017
The Globus AWS S3 Connector can be used for access and sharing of data on AWS S3. The connector is available as an add-on subscription to organizations with a Globus Standard subscription - please contact us for pricing.
This document describes the steps needed to install an endpoint, and the AWS S3 Connector needed to access the storage system. This installation should be done by a system administrator, and once completed users can use the endpoint to access AWS S3 via Globus to transfer, share and publish data on the system.
For adding AWS S3 connector to Globus Connect Server v5 endpoint, please refer to Amazon Web Services S3 Connector for GCSv5
Prerequisites
A functional Globus Connect Server installation is required for installation and use of the AWS S3 Connector. The server can be hosted on any machine that can connect to the AWS S3 system. The Globus Connect Server Installation Guide provides detailed documentation on the steps for installing and configuring a server endpoint.
The AWS S3 Connector is available for all distributions supported by Globus Connect Server.
Installation
Install the package globus-gridftp-server-s3 from the Globus repository.
For Red Hat-based systems:
$ yum install globus-gridftp-server-s3For Debian-based systems:
$ apt-get install globus-gridftp-server-s3For SLES 11-based systems:
$ zypper install globus-gridftp-server-s3Configuration
The AWS S3 Connector requires the following steps for configuration:
-
Configure the AWS S3 Connector
-
Create a gridmap to S3 credentials
-
Restart the GridFTP server
Configure the AWS S3 Connector
Create the file /etc/gridftp.d/gridftp-s3 containing these lines:
threads 2 load_dsi_module s3
Edit the file /etc/globus/globus-gridftp-server-s3.conf and set the 'host_name'
option to be the appropriate Amazon S3 endpoint hostname for the desired default Amazon region. While buckets in all regions will be accessible, buckets created by the AWS S3 Connector connector will be created in this region. This would generally be the closest region geographically.
For example, to configure the AWS S3 Connector to use the US Standard Region:
host_name = s3.amazonaws.com
A list of Amazon S3 endpoint hostnames by region can be found here:
Create a file for each user containing their AWS S3 credentials
Each user will need to have a special file created which specifies the S3 credentials associated with their local user account. The default s3_map_filename configuration for the AWS S3 Connector looks in $HOME/.globus/s3 for a file mapping the current user’s ID to S3 access keys. Each user who will be using the AWS S3 Connector must create such a file with their credentials. This file can be created and populated by the user with the following commands:
$ mkdir -m 0700 -p ~/.globus
$ (umask 077; echo "$(id -un);$S3_ACCESS_KEY_ID;$S3_SECRET_ACCESS_KEY" \
> ~/.globus/s3)The S3_ACCESS_KEY_ID and S3_SECRET_ACCESS_KEY correspond to the Access Key ID and Secret Access Key for the user’s S3 credentials that have been granted access to the S3 buckets the user intends to access.
Optionally create a service user account
Since AWS S3 users need not have user accounts on the local endpoint, AWS S3 transfers can be configured to run under a local service user account. Create a user named globus-s3, and add the following line to the /etc/gridftp.d/gridftp-s3 configuration file:
process_user globus-s3
The s3_map_filename credential file configuration, and Globus Connect Server configuration that refers to $HOME, such as SharingStateDir, will be using the home directory of this account. Ensure that these files are only accessible by the globus-s3 account.
All credentials must be stored in a single s3_map_filename in the format above, by default in the file ~globus-s3/.globus/s3. The username must correspond to the username based on the Globus Connect Server AuthorizationMethod i.e. CILogon or Gridmap.
Debugging Tips
To enable a debugging log for the AWS S3 Connector, set the environment variable GLOBUS_S3_DEBUG "1023,/tmp/s3.log" to enable a highly verbose log of the connector. This can be easily done for a gridftp configuration by creating a file /etc/gridftp.d/s3-debug with the contents
$GLOBUS_S3_DEBUG "1023,/tmp/s3.log"
Basic Endpoint Functionality Test
After completing the installation, you should do some basic transfer tests with your endpoint to ensure that it is working. We document a process for basic endpoint functionality testing here.
Known Limitations of the AWS S3 Connector
At the present time, rename operations are not supported for the AWS S3 Connector.
Required S3 Permissions
In order for the AWS S3 Connector to properly access S3 resources on a user’s behalf, credentials that have been granted the following S3 permissions are required.
s3:ListAllMyBuckets is required on the * resource to automatically populate the root listing. This is not required when the storage-gateway --bucket option is used, or when a collection base path includes the bucket.
s3:ListBucket and s3:ListBucketMultipartUploads on the buckets: resource arn:aws:s3:::[bucket-name].
s3:GetObject, s3:PutObject, s3:DeleteObject, s3:ListMultipartUploadParts and s3:AbortMultipartUpload on the objects: resource arn:aws:s3:::[bucket-name]/*.
Example JSON policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllBuckets",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Sid": "Bucket",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::example-bucket"
},
{
"Sid": "Objects",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
],
"Resource": "arn:aws:s3:::example-bucket/*"
}
]
}