Roles

These are the roles that are needed:

  • Admin
  • Read storage
  • Write storage
  • Reindex storage

Adding S3 Storage

Prepare for adding the storage.

To start with, please ensure you have the following details ready to configure your S3 storage (your AWS administrator should be able to provide these if you don't have them):

  • Access Key
  • Secret Key
  • Bucket Name
  • Region

If you are setting up a third-party bucket, we strongly recommend that you read our knowledgebase article Controlling Costs, as using iconik with third-party buckets may incur costs for you.

Permissions

The access key you use needs to have the necessary permissions on the bucket content, and on the bucket itself so that the CORS settings can be set.

Example:

{
    "Version": "2012-10-17",
    "Id": "Policy12345576",
    "Statement": [
        {
            "Sid": "Stmt123456",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1233456778:user/demoUser"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::iconik-demo",
                "arn:aws:s3:::iconik-demo/*"
            ]
        }
    ]
}

Granular Permissions

In the event that you cannot open the entirety of your bucket for security reasons, here is a more granular set of bucket policies that will provide basic functionality for uploads/downloads, transfers, scan, and delete.

{
    "Version": "2012-10-17",
    "Id": "Policy1665193826690",
    "Statement": [
        {
            "Sid": "Stmt1665193792269",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::059235635594:user/demoUser"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject",
                "s3:RestoreObject"
            ],
            "Resource": "arn:aws:s3:::iconik-demo-s3-file/*"
        },
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::059235635594:user/demoUser"
            },
            "Action": [
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:PutBucketCORS"
            ],
            "Resource": "arn:aws:s3:::iconik-demo-s3-file"
        }
    ]
}

Here we see that the following permissions should apply to the bucket contents:

  • s3:DeleteObject - To delete files.
  • s3:GetObject - To read and retrieve files.
  • s3:PutObject - To write files.
  • s3:RestoreObject - To restore files from Glacier archive buckets.

While these permissions should apply to the bucket itself:

  • s3:GetBucketCORS - To read the CORS policy on the bucket.
  • s3:GetBucketLocation - To read bucket region.
  • s3:ListBucket - To list the bucket; also used as part of HeadObject requests.
  • s3:PutBucketCORS - To set the CORS policy on the bucket. This can be removed once the CORS policy is set on the bucket.
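
An added example, not part of the original article and not iconik's own code: a small Python check that compares a bucket policy with the two permission lists above and reports required actions that are not granted on the right resource, wildcard grants such as s3:*, and whether s3:PutBucketCORS is still allowed. It assumes a policy made of Allow statements and ignores Principal, Condition and Deny; the function names and the sample policy are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Required actions, copied from the two lists on this page.
OBJECT_ACTIONS = ["s3:DeleteObject", "s3:GetObject", "s3:PutObject", "s3:RestoreObject"]
BUCKET_ACTIONS = ["s3:GetBucketCORS", "s3:GetBucketLocation", "s3:ListBucket", "s3:PutBucketCORS"]

def _listify(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def _granted(statements, arn):
    """Lower-cased action patterns of every Allow statement whose Resource covers arn."""
    patterns = []
    for st in statements:
        resources = _listify(st.get("Resource", []))
        if st.get("Effect") == "Allow" and any(fnmatchcase(arn, r) for r in resources):
            patterns += [a.lower() for a in _listify(st.get("Action", []))]
    return patterns

def audit_policy(policy, bucket):
    """Compare a bucket policy (parsed JSON) with the granular set for `bucket`."""
    statements = _listify(policy.get("Statement", []))
    bucket_arn = f"arn:aws:s3:::{bucket}"
    missing, wildcards, cors_write = [], set(), False
    # Object actions must be allowed on bucket/*, bucket actions on the bucket itself.
    for arn, required in ((bucket_arn + "/*", OBJECT_ACTIONS), (bucket_arn, BUCKET_ACTIONS)):
        patterns = _granted(statements, arn)
        wildcards.update(p for p in patterns if "*" in p)
        for action in required:
            if any(fnmatchcase(action.lower(), p) for p in patterns):
                cors_write = cors_write or action == "s3:PutBucketCORS"
            else:
                missing.append(f"{action} on {arn}")
    return {"missing": missing, "wildcards": sorted(wildcards), "cors_write": cors_write}

# Constructed sample: the granular policy with s3:PutBucketCORS already removed, but the
# object statement scoped to the bucket ARN instead of bucket/*.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": OBJECT_ACTIONS,
     "Resource": "arn:aws:s3:::iconik-demo-s3-file"},
    {"Effect": "Allow", "Action": BUCKET_ACTIONS[:3],
     "Resource": "arn:aws:s3:::iconik-demo-s3-file"},
]}

if __name__ == "__main__":
    print(audit_policy(SAMPLE, "iconik-demo-s3-file"))
```

Once the CORS policy is set and s3:PutBucketCORS has been removed, that action appears under "missing" and "cors_write" is False, which is the expected end state.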

Where to add storage

  1. Click on ADMIN in the top navigation.
  2. Choose Storages from the left navigation bar.
  3. Click on + NEW STORAGE to open the form to create a storage.

Start filling out the parameters

  1. Choose the purpose for the storage.
    • Files - for general storage of files.
    • Keyframes - The storage stores only keyframes generated by iconik.
    • Proxies - The storage stores only proxies generated by iconik.
    • Export - The storage is a destination for export jobs.
    • Archive - The storage is an archive destination.
  2. Select Amazon S3 as the Storage Type.
  3. Input your Access Key, Secret Key and Bucket name, or optionally select iconik Managed Credentials.
  4. Optionally add a root Path if you don't want iconik to use the whole storage.
  5. Add the Region where the storage bucket is located.
  6. If you are using a unique end-point, enter this in the EndPoint field.
  7. If your bucket has been configured for Acceleration, turn on Use Acceleration. If in doubt, leave this off.
  8. Add unique id to the filenames - turn this on to avoid filename collisions. This setting will be inactive for archive storages, and the filename will be kept as it is on the source storage.
  9. Select Read if you want iconik to be able to read files on the storage.
  10. Select Write if you want iconik to be able to write files to the storage.
  11. Select Delete if you would like iconik to have the ability to delete files on this storage. Please note that if this is set to true, an asset that is deleted in iconik will also be removed from this storage when Purging.
  12. Select Enable Scan if you wish to enable scanning for new files on this storage. A label "SCAN" will be visible next to the storage in the list. Click on SCAN to scan through the cloud storage and add the new files to iconik.
  13. If you only wish to scan a subset of the directories on this bucket, you can enter them in Scan Directories, which will limit the scanning to these directories only.
  14. Click to continue.

iconik will verify that it has access to the storage and report back if it finds that it does not meet the necessary requirements or that the credentials do not work.

Next steps

There are more parameters that can be configured, and these are detailed under: editing AWS S3
