Uploading objects to an Amazon S3 Object Ownership environment

This section explains how to configure the settings to allow Account B to upload objects to the Amazon S3 Object Ownership environment owned by Account A.

In this example, the permissions for Account A are granted to Account B on AWS (cross-account), and Account B uploads objects using the permissions for Account A.

Additionally, when Account B uploads objects, the permissions to access the Amazon S3 Object Ownership environment owned by Account A are granted to the objects.


This function is supported by the following optional products:

  • HULFT8 Cloud Storage Option(Amazon S3) for Windows

  • HULFT8 Cloud Storage Option(Amazon S3) for Linux


In this example, the values retrieved after configuring the settings for AWS are assumed to be as shown in Table D.13 AWS Setting Value.

Table D.13 AWS Setting Value

  AWS Field                                                             Value
  --------------------------------------------------------------------  -------------------------------------
  Amazon Resource Name (ARN) of the IAM role for Account A              arn:aws:iam::123456789012:role/s3user
  External ID when the IAM role for Account A is shared with Account B  abcdefgh
  AWS access key for Account B                                          ABCDEFGH
  AWS secret access key for Account B                                   123456789
  Predetermined ACL applied to uploaded objects                         bucket-owner-full-control

The procedure to register the following values in the default information for the Storage Authentication Information is shown below:

Table D.14 Example of setting values in default information for the Storage Authentication Information

  Field Name in Receive Storage Management Information  Setting Value                          Register or Not
  ----------------------------------------------------  -------------------------------------  ---------------
  AWS Access Key                                        ABCDEFGH                               Yes
  AWS Secret Access Key                                 123456789                              Yes
  Session Token                                         Not specified                          -
  Enable IAM Role                                       Not specified                          -
  Switch Role ARN                                       arn:aws:iam::123456789012:role/s3user  Yes
  External ID                                           abcdefgh                               Yes
  Role Session Name                                     hulftauth                              Yes

  Yes : Register the setting value
  -   : Do not register the setting value

Switch to the IAM role by using "Authenticate IAM user", which authenticates with an AWS access key and AWS secret access key.

For Role Session Name, specify a value that lets you identify this session when you check the access logs on the AWS service.

Note

For the user with whom the AWS access key and AWS secret access key are associated, adequate permissions are required in order to switch to the switch role ARN.

For details, refer to Access permissions for IAM in Settings for using Amazon S3.


Register the settings for IAM user authentication using the registration command of the default information for the Storage Authentication Information.

utls3infoadd -t auth --default --access-key ABCDEFGH --secret-access-key 123456789 \
    --switch-role-arn arn:aws:iam::123456789012:role/s3user --external-id abcdefgh --role-session-name hulftauth

For details on the registration command of the default information for the Storage Authentication Information for Amazon S3, refer to Registration command of the default information for the Storage Authentication Information (Amazon S3).

Note

All values specified with the registration command overwrite the existing default information.

For a field that is not specified with an option, the value "Use the default value." is set.

In this case, the value in the downward-compatible settings is used.

However, when no Storage Authentication Information ID is specified with the option, the values registered in the default information for the Storage Authentication Information are used instead of the downward-compatible settings.

The following list is output:

$ utls3infoadd -t auth --default --access-key ABCDEFGH --secret-access-key 123456789 \
    --switch-role-arn arn:aws:iam::123456789012:role/s3user --external-id abcdefgh --role-session-name hulftauth
The default information for Storage Authentication Information will be changed.
Access Key: ABCDEFGH
Secret Access Key: 123456789
Session Token:     Use the default value.
Enable IAM Role:   Use the default value.
Switch Role ARN:   arn:aws:iam::123456789012:role/s3user
External ID:       abcdefgh
Role Session Name: hulftauth

Check whether the values specified for IAM user authentication and the values specified for Switch Role ARN and External ID are registered.


If you do not specify "-f" or "--force" with the registration command of the default information for the Storage Management Information, the following confirmation message is output:

Are you sure to register? [y/n]:

After the confirmation message is output, input "y" or "Y" to execute the registration command of the default information for the Storage Management Information.

This completes the registration, in the default information for the Storage Management Information, of the authentication information used to switch to the IAM role for Account A when uploading files.

Next, the procedure to register the following values in the Receive Storage Management Information is shown below:

Table D.15 Example of setting values for the Receive Storage Management Information

  Field Name in Receive Storage Management Information  Setting Value              Register or Not
  ----------------------------------------------------  -------------------------  ---------------
  Receive Storage Management Information ID             bucket01                   Yes
  Bucket Name                                           Not specified              -
  Storage Timeout                                       Not specified              -
  Maximum number of parallels per transfer              Not specified              -
  Part Size                                             Not specified              -
  Region (*1)                                           Not specified              -
  Endpoint URL (*1)                                     Not specified              -
  ACL that is applied to upload files (*1)              bucket-owner-full-control  Yes
  Storage Authentication Information ID                 Not specified              -

  Yes : Register the setting value
  -   : Do not register the setting value
  *1  : This field can be set only when you use Amazon S3.

To delegate permissions for objects to the bucket owner, specify "bucket-owner-full-control" for the Access Control List (ACL).

Note

When you specify the ACL that is applied to upload files, adequate permissions are required in order to modify the Access Control List (ACL).

For details, refer to Access permissions for buckets and objects in Settings for using Amazon S3.


Register the setting value for the ACL that is applied to upload files using the registration command of the Receive Storage Management Information.

utls3infoadd -t rcv --id bucket01 --acl bucket-owner-full-control

For details on the registration command of the Storage Management Information on Amazon S3, refer to Registration command of the Storage Management Information (Amazon S3).

Note

For a field that is not specified with the option, the value "Use the default value." is set.

In this case, the value in the downward-compatible settings is used.

To check the values set in the default information for the Receive Storage Management Information on Amazon S3, refer to Output command of the Cloud Storage DB Information List (Amazon S3).

The following list is output:

$ utls3infoadd -t rcv --id bucket01 --acl bucket-owner-full-control
The Receive Storage Management Information "bucket01" will be registered.
Bucket:            Use the default value.
Timeout:           Use the default value.
Parallels:         Use the default value.
Part Size:         Use the default value.
Default Region:    Use the default value.
Endpoint:          Use the default value.
ACL:               bucket-owner-full-control
Auth ID:           Use the default value.

Check whether the value specified for the ACL that is applied to upload files is registered.
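As an added check that is not part of HULFT or this manual, the following Python parses the listings printed by utls3infoadd for the default Storage Authentication Information (after Table D.14 above) and for the Receive Storage Management Information (above), and reports any field this procedure requires that was left at "Use the default value." or an ACL other than bucket-owner-full-control. The listings are embedded as constructed samples using the manual's example values, and the IAM role ARN pattern is an assumption of this example.

```python
import re

# Constructed samples of the listings printed by utls3infoadd in this procedure; the values
# are the manual's example values from Tables D.13 to D.15, not real credentials.
AUTH_LISTING = """\
The default information for Storage Authentication Information will be changed.
Access Key: ABCDEFGH
Secret Access Key: 123456789
Session Token:     Use the default value.
Enable IAM Role:   Use the default value.
Switch Role ARN:   arn:aws:iam::123456789012:role/s3user
External ID:       abcdefgh
Role Session Name: hulftauth
"""
RCV_LISTING = """\
The Receive Storage Management Information "bucket01" will be registered.
Bucket:            Use the default value.
Timeout:           Use the default value.
Parallels:         Use the default value.
Part Size:         Use the default value.
Default Region:    Use the default value.
Endpoint:          Use the default value.
ACL:               bucket-owner-full-control
Auth ID:           Use the default value.
"""
DEFAULT = "Use the default value."
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")  # assumed IAM role ARN shape
AUTH_REQUIRED = ("Access Key", "Secret Access Key", "Switch Role ARN", "External ID", "Role Session Name")

def parse_listing(text):
    """Map 'Field:   value' lines to a dict; banner lines and echoed '$' command lines are skipped."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")  # split at the first colon only, so ARNs keep theirs
        if sep and not line.startswith("$"):
            fields[name.strip()] = value.strip()
    return fields

def check_auth(fields):
    """Problems with the authentication defaults; reports field names only, never values."""
    problems = [f"{n} not registered" for n in AUTH_REQUIRED if fields.get(n, DEFAULT) == DEFAULT]
    if not ROLE_ARN_RE.match(fields.get("Switch Role ARN", "")):
        problems.append("Switch Role ARN is not a valid IAM role ARN")
    return problems

def check_rcv(fields, expected_acl="bucket-owner-full-control"):
    """Problems with the receive settings: the ACL must delegate the uploaded object to the bucket owner."""
    acl = fields.get("ACL", DEFAULT)
    return [] if acl == expected_acl else [f"ACL is {acl!r}, expected {expected_acl!r}"]
```

Because the authentication listing echoes the secret access key in clear text, check_auth reports field names only, and any captured output of the command should be handled as sensitive.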


If you do not specify "-f" or "--force" with the registration command of the Storage Management Information, the following confirmation message is output:

Are you sure to register? [y/n]:

After the confirmation message is output, input "y" or "Y" to execute the registration command of the Storage Management Information.

This completes the registration of the settings that allow Account B to switch to the IAM role for Account A and upload files to the bucket in the Amazon S3 Object Ownership environment owned by Account A.