Amazon S3 Users & Groups

This document does not purport to be a comprehensive tutorial on configuring the Amazon AWS S3 Storage Service, since Cosync assumes that a developer is familiar with it as a prerequisite. For more detailed information from Amazon on the S3 Service, please consult this link. We shall, however, discuss the necessary tweaks to S3 that are needed to integrate it into a MongoDB Realm application running with the Cosync Storage module.

Add a User and a Group through IAM

In order for MongoDB Realm functions to talk to the Amazon S3 Storage Service, the developer will need to add a user with programmatic access to their AWS account through the IAM service. By programmatic access, we mean that the developer will need to create an access key ID and a secret access key that the MongoDB Realm functions use to call the AWS API. These keys are generated as part of adding a new user with programmatic access to AWS. During this process, the developer must save the keys to the downloaded CSV file, as these keys cannot be retrieved after the fact. Furthermore, the developer should not share these keys with anyone, as they permit full access to the Amazon S3 account. Although the Cosync Portal uses these keys to configure the MongoDB Realm application, it does not save them to its database. The developer is fully responsible for the safekeeping of these AWS access keys.

The process for creating a group and a user through IAM that is described below is not necessarily the optimal strategy for configuring Amazon S3, but it is simple enough for the average developer to get started.

As a prerequisite for creating a user with programmatic access to AWS, the developer will first create a group with the attached managed policy AmazonS3FullAccess, which grants full access to the S3 service.
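AmazonS3FullAccess is the quick route the steps below take; as an added illustration that is not part of the Cosync documentation or its code, the following Python shows what that policy grants next to a least-privilege policy scoped to a single bucket, plus a small check that flags any Allow statement granting every S3 action on every resource. The full-access policy body, the bucket name and the function names are assumptions for this example.

```python
# Constructed for this example: the shape of the managed AmazonS3FullAccess
# policy (assumed; verify against the policy document shown in the IAM console).
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}
    ],
}

# Constructed least-privilege alternative scoped to one bucket. BUCKET is a
# placeholder, not a real Cosync bucket name.
BUCKET = "example-cosync-assets"
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOneBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
        {
            "Sid": "ObjectsInOneBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def broad_s3_grants(policy):
    """Return Sids (or positional indexes) of Allow statements that grant
    every S3 action on every resource, the AmazonS3FullAccess pattern."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("*", "s3:*") for a in actions) and "*" in resources:
            findings.append(stmt.get("Sid", str(index)))
    return findings
```

Running the check over a policy before attaching it to the group is a cheap way to confirm the Realm functions' keys cannot reach buckets outside the one Cosync uses.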

  1. Create the group
  2. Attach the policy
  3. Create and review

In AWS IAM, the group object essentially bundles a policy with a group entity that can then be referenced by a newly created user. Users can belong to groups, through which they inherit the policies that control their access to S3 resources. The creation of a user is detailed below.

  1. Create the user
  2. Add the user to the new group
  3. Add optional tags to the user (default is none)
  4. Review and create the user
  5. Download the .csv file with the keys
  6. Inspect and safeguard the .csv file