S3 and IAM Roles - Where to apply them?

03-30-2023 06:57 AM
jcarlson
MVP Esteemed Contributor

I'm toying with the idea of adding S3 buckets to our Portal setup for things like tile caches, etc. I've read just about every post here on the Community and in the documentation that I can, and I have a pretty clear understanding of most of the process. Creating buckets, IAM roles, etc., that's all fine.

I'm still a bit confused on one thing, though. There are many references to the specific permissions that would need to be granted to an IAM role for these things to work. But where am I implementing the role itself? Is it being assigned to the EC2 instance running the Server? The Portal? Something else?

I don't want to grant access via a long-term key, I'd rather go the IAM route. So, where am I assigning the role?

- Josh Carlson
Kendall County GIS
Accepted Solution
ChristopherPawlyszyn
Esri Contributor

Each deployed EC2 instance has an IAM role associated with it; you can either add additional policies to the existing role or create a new role that has the required permissions and apply it to the EC2 instance.

From an ArcGIS Enterprise perspective, the cache directory would be accessed by the service referencing the cache, so ArcGIS Server would need to have read access (at minimum) to the bucket and write access if you're generating the cache after publishing the service.

 

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html

 


-- Chris Pawlyszyn
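The answer above boils down to three artifacts: a trust policy that lets EC2 assume the role, a permissions policy scoped to the cache bucket (read-only, or read plus write if the cache is built after publishing), and an instance profile that binds the role to the ArcGIS Server instance. The script below is an added example, not code from the post or from Esri; the bucket, role, profile and instance-id values are placeholders, and the `instance_role_name()` check is meant to be run on the EC2 instance itself. The `policy_is_scoped()` helper is a guard against the common mistake of shipping an `s3:*` on `*` grant just to make the cache work.

```python
"""Least-privilege IAM role for an ArcGIS Server S3 cache bucket.

Added example, not from the forum post. BUCKET, ROLE, PROFILE and the
instance id are assumed placeholder names; replace them for a real deployment.
"""
import json
import urllib.error
import urllib.request

BUCKET = "example-arcgis-cache"          # assumed bucket name
ROLE = "arcgis-server-cache-role"        # assumed role name
PROFILE = "arcgis-server-cache-profile"  # assumed instance profile name


def trust_policy() -> dict:
    """Lets the EC2 service (and nothing else) assume the role.
    This trust relationship is what makes the role usable from an instance."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def cache_bucket_policy(bucket: str, write: bool) -> dict:
    """Read-only by default; write=True adds the object-level permissions
    ArcGIS Server needs when it generates the cache after publishing."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = [
        {"Sid": "ListCacheBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": bucket_arn},
        {"Sid": "ReadCacheObjects", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": f"{bucket_arn}/*"},
    ]
    if write:
        statements.append(
            {"Sid": "WriteCacheObjects", "Effect": "Allow",
             "Action": ["s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
             "Resource": f"{bucket_arn}/*"})
    return {"Version": "2012-10-17", "Statement": statements}


def policy_is_scoped(policy: dict) -> bool:
    """Reject wildcard actions or resources so the role never becomes an S3-wide grant."""
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(a in ("*", "s3:*") for a in actions):
            return False
        if any(r in ("*", "arn:aws:s3:::*") for r in resources):
            return False
    return True


def attach_commands(role: str, profile: str, instance_id: str) -> list:
    """AWS CLI steps, in order: create the role with its trust policy, attach the
    bucket policy inline, wrap the role in an instance profile, and associate
    that profile with the running ArcGIS Server instance."""
    return [
        f"aws iam create-role --role-name {role} --assume-role-policy-document file://trust.json",
        f"aws iam put-role-policy --role-name {role} --policy-name s3-cache --policy-document file://cache.json",
        f"aws iam create-instance-profile --instance-profile-name {profile}",
        f"aws iam add-role-to-instance-profile --instance-profile-name {profile} --role-name {role}",
        f"aws ec2 associate-iam-instance-profile --instance-id {instance_id} --iam-instance-profile Name={profile}",
    ]


def instance_role_name(timeout: float = 2.0) -> str:
    """Run on the instance: ask IMDSv2 which role is attached. An empty string
    means no instance profile is associated, so any S3 access would have to come
    from static keys, which is exactly what the role is meant to avoid."""
    base = "http://169.254.169.254/latest"
    req = urllib.request.Request(f"{base}/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "300"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(f"{base}/meta-data/iam/security-credentials/",
                                 headers={"X-aws-ec2-metadata-token": token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode().strip()
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return ""
        raise


if __name__ == "__main__":
    with open("trust.json", "w") as f:
        json.dump(trust_policy(), f, indent=2)
    with open("cache.json", "w") as f:
        json.dump(cache_bucket_policy(BUCKET, write=True), f, indent=2)
    print("\n".join(attach_commands(ROLE, PROFILE, "i-0123456789abcdef0")))
```

Write the two JSON files and run the printed commands from an administrator workstation, then run `instance_role_name()` on the ArcGIS Server host; it should return the role name. Because the grant lives in the instance profile, the SDK on the instance picks up short-lived credentials from IMDS automatically and no access key ever needs to be stored in the ArcGIS Server configuration.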
