Amazon Web Services

Connecting your Lab Atlas instance with S3

The Amazon Web Services (AWS) Simple Storage Service (S3) is a powerful cloud storage system that is great for collecting & processing data, but not great for sharing with colleagues in a user-friendly way. Lab Atlas helps bring this service to a wider audience within your organization by allowing you to attach S3 buckets as storage drives and use them for project storage & shared storage folders.

Configuring Lab Atlas Access in AWS

Lab Atlas accesses AWS through the official Java SDK libraries and can authenticate & authorize access to your environment using one of two options: IAM role assumption or user access keys. The most secure way to grant access to Lab Atlas is to create a role that Lab Atlas can assume in your account and attach the minimum required permissions to allow the application to read & write from your target buckets. This method allows for simple access management and is easy to turn off, if desired.

Note: Configuring Lab Atlas access to AWS requires access to the AWS Console with a user with admin privileges. If you do not have access, contact your local IT help desk for help with this process.

Before you get started

Regardless of which authentication option you provide to Lab Atlas, you will first need to create an IAM policy that grants access to the required resources.

  • Log into the AWS console and navigate to the IAM dashboard.

  • Select 'Policies' from the Access Management menu and then click 'Create policy'.

  • A new window will open for creating a new IAM policy. Select the JSON format option and then paste the content of the code block below into the policy editor. Change the bucket names to match the buckets you'd like to access in Lab Atlas.

  • Create a name for the policy, provide a description, and save the policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAllBuckets",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "AccessSpecificBuckets",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucketVersions",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::bucket1",
        "arn:aws:s3:::bucket2"
      ]
    },
    {
      "Sid": "ReadWriteObjectsInSpecificBuckets",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucketMultipartUploads",
        "s3:PutBucketPublicAccessBlock",
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:PutObjectAcl",
        "s3:GetObjectVersion",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::bucket1/*",
        "arn:aws:s3:::bucket2/*"
      ]
    }
  ]
}

If you are going to use role assumption to allow Lab Atlas to authenticate with AWS, you also need to get the unique 'AWS External ID' from the application in order to securely configure the role to be used.

Option 1: Creating an IAM role Lab Atlas can assume

  • Log into the AWS console and navigate to the IAM dashboard.

  • Select 'Roles' from the Access Management menu and then click 'Create role'.

  • On the next screen, select the 'AWS account' trusted entity type (to allow connections from other accounts).

  • Under the AWS account options, select 'Another AWS account' and provide the account number: 886436948912

  • Under 'Options', check 'Require external ID' and provide the ID you acquired from Lab Atlas.

  • Click 'Next' when ready.

  • On the next screen, select the Policy that you created earlier that will grant access to your buckets and other resources to Lab Atlas. Click 'Next' when ready.

  • Provide a descriptive name and description for the role. Add a tag with the name LabAtlas and a value of enabled. You can also add tags to the role to allow better tracking of Lab Atlas activity within your account. Complete the creation of the role.

Once complete, the trust policy on the role should look something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::0123456789:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "la-xxxxxxxxxxxxx"
                }
            }
        }
    ]
}
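As an added check that is not part of the Lab Atlas documentation, the following Python validates the two policies above: that the permissions policy stays scoped to the named buckets (only ListAllMyBuckets on the account-wide resource, no wildcard actions) and that the trust policy only allows assumption with the expected sts:ExternalId. The embedded policies are constructed, abbreviated copies of the page's examples; the account id and ExternalId are the page's placeholders.

```python
import json

# Constructed, abbreviated copies of the two policies shown on this page.
# Bucket names, the account id and the ExternalId are placeholders.
PERMISSIONS_POLICY = json.loads("""{"Statement": [
  {"Sid": "ListAllBuckets", "Effect": "Allow",
   "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
  {"Sid": "AccessSpecificBuckets", "Effect": "Allow",
   "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
   "Resource": ["arn:aws:s3:::bucket1", "arn:aws:s3:::bucket2"]},
  {"Sid": "ReadWriteObjectsInSpecificBuckets", "Effect": "Allow",
   "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
   "Resource": ["arn:aws:s3:::bucket1/*", "arn:aws:s3:::bucket2/*"]}]}""")
TRUST_POLICY = json.loads("""{"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::0123456789:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "la-xxxxxxxxxxxxx"}}}]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_permissions_policy(policy, allowed_buckets):
    """Return findings for Allow statements that reach beyond the intended buckets."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions, sid = _as_list(stmt["Action"]), stmt.get("Sid", "?")
        findings += [f"{sid}: wildcard action {a}" for a in actions if "*" in a]
        for res in _as_list(stmt["Resource"]):
            bucket = res.removeprefix("arn:aws:s3:::").split("/", 1)[0]
            # Only ListAllMyBuckets legitimately needs the account-wide resource.
            if bucket == "*" and actions != ["s3:ListAllMyBuckets"]:
                findings.append(f"{sid}: {actions} granted on all buckets")
            elif bucket != "*" and bucket not in allowed_buckets:
                findings.append(f"{sid}: unexpected bucket {bucket}")
    return findings

def check_trust_policy(policy, trusted_account, external_id):
    """Return findings if the role can be assumed without the expected ExternalId."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Principal", {}).get("AWS") != f"arn:aws:iam::{trusted_account}:root":
            findings.append("unexpected principal")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("missing or wrong sts:ExternalId condition")
    return findings
```

Run both checks against the policy documents you saved from the console before attaching them; an empty list means the scope matches what this page describes.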

Option 2: Creating a user access key

  • Log into the AWS console and navigate to the IAM dashboard.

  • Select 'Users' from the Access Management menu and then click 'Create user'.

  • On the next screen, provide a descriptive name for the user. Do not check the box to grant AWS console access. Click 'Next'.

  • On the next screen, select 'Attach policies directly'.

  • Search for the policy you created by name and select it. Click 'Next'. On the next screen, add any tags appropriate for your organization, then click 'Create user'.

  • Back on the IAM user list page, search for and select your new user. In the user summary view at the top of the next page, click 'Create access key'.

  • On the next screen, you will be presented with a list of use-cases for your key (and recommendations for alternatives). Select 'Third party', then click 'I understand...' at the bottom of the page. Click 'Next'. Optionally provide a key description and then click 'Create access key'.

  • On the next screen, copy and save the Access Key and Secret Access Key values in a safe place.

Connecting your AWS Account in Lab Atlas

Once you have an access key created that is associated with an IAM user with appropriate privileges, you can register the integration in Lab Atlas.

  • Open Lab Atlas and go to the Admin Dashboard. In the Settings menu, select Integrations and then Amazon Web Services.

  • Click the 'Register Integration' button.

  • In the pop-up window, provide the required information:

    • A display name for the integration.

    • Your AWS account number (optional).

    • The AWS region for the account.

    • The access key ID and secret access key you created for the integration.

The AWS integration registration form.

  • After clicking 'Submit', Lab Atlas will test the credentials you provided. If access is granted, the window will close and the integration registration details will be displayed.

A successfully created registration

Adding S3 Buckets

Once you have connected Lab Atlas to your AWS account, you can add S3 Buckets in the same Admin Dashboard window.

  • Click the 'Add S3 Bucket' button and a popup will appear:

  • Select a bucket from the list of available buckets. Keep in mind: the IAM policy that grants access to AWS might not allow read/write access to all of the buckets in this list. Provide a display name and the root path you would like to grant access to, and then click 'Submit'.

  • The new bucket should now appear in the list of connected buckets in the AWS integration settings screen. You can now use this bucket for project storage or creating shared folders.
