
Connect a Simple Storage Service (S3) System


Simple Storage Service (S3) is a storage service used, for example, with Amazon Web Services (AWS). In addition to or as an alternative to MongoDB, the files uploaded by SEAL Operator can be stored in S3.

Here, the configuration settings in AWS S3 concerning SEAL Operator are described in brief. For other S3 systems, refer to the corresponding documentation.

Afterwards, the configuration in SEAL Operator is described.


Set Up and Configure an AWS S3 System for SEAL Operator

To configure the storage for the file upload, the following items are required:

  • an S3 bucket where the files will be stored

  • an Identity and Access Management (IAM) service user with access to the S3 bucket, together with its access key and secret

Hint - AWS account

If you do not have an AWS account, go to https://aws.amazon.com/ and create one. This account will be the root (admin) of AWS. Using its access keys is not recommended. Instead, create a specific IAM service user as described below.


Create the S3 Bucket

  1. Search for the S3 service and create a bucket with the following settings:

    • Name: This will be the root of the filestore. Therefore, specify a meaningful name, for example, seal-operator-fileupload.

    • Region: Select one closest to you, for example, EU (Frankfurt) (eu-central-1).

    • Default encryption: Enable Amazon S3 key (SSE-S3).


Create the Access Policy

First, create a policy that gives access only to the S3 bucket created before.

  1. Search for the IAM service.

  2. Open the Policies tab and create a new policy.

  3. Copy and paste the following policy JSON structure. Replace <bucket_name> with the name specified for the S3 bucket above, for example, seal-operator-fileupload:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:CreateBucket",
                    "s3:ListBucket",
                    "s3:DeleteObject",
                    "s3:DeleteBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::<bucket_name>",
                    "arn:aws:s3:::<bucket_name>/*"
                ]
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "*"
            }
        ]
    }
    
  4. Save the policy under a recognizable name, for example, SealFilestoreS3Policy.

Hint - reuse

The permissions policy can be reused for other users.
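
A check you can run on the policy text before saving it in the IAM console (added example, not part of the SEAL documentation): it takes the policy on this page as its baseline and reports a leftover <bucket_name> placeholder, resources outside the named bucket, and any action beyond the documented set. The names check_policy, as_list and PAGE_POLICY are chosen for this illustration.

```python
import json

# Baseline (assumption): the actions granted by the policy on this page.
BUCKET_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:CreateBucket",
                  "s3:ListBucket", "s3:DeleteObject", "s3:DeleteBucket"}
ACCOUNT_WIDE_ACTIONS = {"s3:ListAllMyBuckets"}  # the only action on "*"

# Policy template from this page, with the placeholder not yet replaced.
PAGE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:CreateBucket",
                "s3:ListBucket", "s3:DeleteObject", "s3:DeleteBucket"],
     "Resource": ["arn:aws:s3:::<bucket_name>", "arn:aws:s3:::<bucket_name>/*"]},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": "s3:ListAllMyBuckets", "Resource": "*"}
  ]
}"""

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action, Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def check_policy(policy_text, bucket):
    """Return findings; an empty list means the policy matches the baseline."""
    findings = []
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in as_list(json.loads(policy_text)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "(no Sid)")
        actions = set(as_list(stmt.get("Action", [])))
        for res in as_list(stmt.get("Resource", [])):
            if "<" in res:
                findings.append(f"{sid}: placeholder left in {res}")
            elif res == "*":
                for act in sorted(actions - ACCOUNT_WIDE_ACTIONS):
                    findings.append(f"{sid}: {act} allowed on every resource")
            elif res not in in_scope:
                findings.append(f"{sid}: resource outside the bucket: {res}")
        for act in sorted(actions - BUCKET_ACTIONS - ACCOUNT_WIDE_ACTIONS):
            findings.append(f"{sid}: action beyond the documented set: {act}")
    return findings

if __name__ == "__main__":
    bucket = "seal-operator-fileupload"
    print(check_policy(PAGE_POLICY, bucket))  # placeholder still present
    print(check_policy(PAGE_POLICY.replace("<bucket_name>", bucket), bucket))
```

Statements that use NotAction or NotResource are not evaluated by this check and need manual review.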


Create the IAM Service User

Next, create the IAM service user and assign the policy to it.

  1. Search for the IAM service.

  2. Open the Users tab.

  3. Create a user with the following settings:

    • Name: Specify the name of the user, for example, seal-filestore-service-user.

    • AWS credential type: Select Access key - Programmatic access.

    • In the permissions tab, select Attach existing policies directly and search for the policy created before.

    • Create the user. Save its access key and secret; you will specify them later in the configuration of SEAL Operator (S3_ACCESS_KEY_ID, S3_SECRET_ACCESS_KEY).

    Caution - do not leave the dialog!

    Do not leave the dialog before saving the information. Once you leave this dialog, you won't be able to access the secrets again. Make sure to copy them now. (If you fail to copy them now, you have to generate new ones and mark the old ones as inactive.)


Configure the S3 Connector

In SEAL Operator, activate the connector and specify the keys for the connection:

  1. Open a Command Prompt or PowerShell.

  2. Export the complete configuration of SEAL Operator from Consul to a YAML file with the following command. This ensures that you are working with the current configuration settings.

    operator config export <filename>.yml --insecure
    
  3. Edit the exported file <filename>.yml.

  4. In the section for the S3 connector, set cstatus to on.

    operator:
      connectors:
        ...
          s3:
            cstatus: 'on'
            serviceName: operator-s3
        ...
    
  5. In the env section, specify the following keys for the operator-s3 service:

    env:
      service:
      ...
        operator-s3:
          tag:
            any:
              FILESTORE_TYPE: s3
              S3_ACCESS_KEY_ID: '<s3_access_key_id>'
              S3_SECRET_ACCESS_KEY: '<s3_secret_access_key>'
              S3_BUCKET: 'seal-operator-fileupload'
              S3_REGION: 'eu-central-1'
              MONGO_FILEUPLOAD_URL: 'mongodb://<mongodb_server>:27017/operator-s3'
              DEFAULT_FILEUPLOAD_PANEL: '/code/lib/defaultConfig/s3-panel.json'
      ...
    

    Literature - keys

    For further information about available keys, refer to the Key Reference.

  6. Save the <filename>.yml file.

  7. Re-import the configuration to Consul.

    operator config import <filename>.yml --insecure
    

Hint - change panel name in panel.json

Changing the S3 panel name, for example to My Cloud, is recommended to avoid confusion. You can do that by editing the corresponding S3 configuration file panel.json.

For the file location of panel.json, refer to [Directories and Files under Windows](../reference/directories_and_files/directories_and_files_windows.md) or [Directories and Files under Linux](../reference/directories_and_files/directories_and_files_linux.md).
