Granting Aquarium Read Access to an AWS S3 Bucket

For the case where Aquarium may read your data, but the data must stay in S3 buckets that you own and control.

Overview

There are many ways to grant another party access to data in an S3 bucket. We recommend creating a custom IAM role in your account and allowing cross-account "AssumeRole" on it. That lets a different AWS account (Aquarium's) temporarily take on a role governed by your policies, and you can revoke the access at any time by editing or deleting the role. You, the data owner, keep full control over the permissions and the usage logs, and you never have to hand Aquarium long-lived credentials such as access keys.

This guide follows the AWS-recommended practice described here, broken down into screenshots of the relevant AWS console views and the minimal permissions for this use case.

Note: S3 bucket access does not support automatic embedding computation at this time. Please reach out if this is a feature you want to see in Aquarium.

Step-by-Step Breakdown

First, reach out to Aquarium for our 12-digit AWS Account ID; this is the account you will be granting access to.

Navigate to the IAM Roles page and create a new role using the "Create role" button in the top right:

On this screen, create a role where:

  • Trusted Entity is "AWS Account"

  • Aquarium's 12-digit Account ID is entered under "Another AWS account"

On the next screen, attach or create the IAM policy that defines the permissions you grant Aquarium. It should contain only s3:GetObject, scoped to the specific bucket(s) you want Aquarium to read. Do not grant it on all buckets in the account (a Resource of "*" or "arn:aws:s3:::*").

If you have not yet created the policy, you can do so from this page, as shown below. To start, click "Create Policy" in the top right.

The policy should grant only s3:GetObject on a specific bucket. In JSON it looks like this (replace DOC-EXAMPLE-BUCKET1 with your bucket name; if you share more than one bucket, add one Resource entry per bucket rather than widening the scope):

{
  "Version":"2012-10-17",
  "Statement":[
     {
        "Effect":"Allow",
        "Action":[
           "s3:GetObject"
        ],
        "Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*"
     }
  ]
}

If you use the visual editor, configure it as shown below, with Resources restricted to just the bucket you wish to share:

Set any appropriate tags and descriptions, then create the policy.

Back at the "Add Permissions" screen, press the refresh button next to the "Create Policy" button, select your newly created policy, and press Next.

Add a name, description, and tags, review the permissions one last time, and create the role. After creation you should see a green success banner:

Click "View Role" on the banner to open the role, then copy the role ARN from the center of the screen:
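The console steps above produce two IAM policy documents: the role's trust policy (which the console writes for you when you pick "AWS Account" and enter Aquarium's ID) and the permissions policy. The following is an added example, not Aquarium's tooling, that builds both documents in Python, validates the bucket names and account ID, and flags the over-broad variants people commonly paste by mistake. The account ID and bucket names in it are constructed placeholders; the optional ExternalId condition is an assumption beyond the steps on this page (the console offers it as "Require external ID" and it mitigates the confused-deputy problem for third-party access, but only use it if Aquarium gives you a value); and create_role_with_boto3() assumes boto3 is installed with credentials allowed to manage IAM.

```python
"""Build and check the IAM documents behind the cross-account S3 read role."""
import json
import re

# Constructed placeholder; ask Aquarium for the real 12-digit account ID.
AQUARIUM_ACCOUNT_ID = "111122223333"

# S3 bucket naming rules: lowercase letters, digits, dots, hyphens; 3-63 chars.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def trust_policy(account_id, external_id=None):
    """Trust policy for the role: only the given AWS account may assume it.

    external_id is an assumption on top of the page's steps: when set, the
    role can only be assumed by callers that present the same value.
    """
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are exactly 12 digits: %r" % account_id)
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::%s:root" % account_id},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def read_only_bucket_policy(bucket_names):
    """Permissions policy: s3:GetObject on the objects of the listed buckets only."""
    for name in bucket_names:
        if not _BUCKET_RE.match(name) or ".." in name:
            raise ValueError("not a valid S3 bucket name: %r" % name)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::%s/*" % name for name in bucket_names],
        }],
    }


def check_least_privilege(policy, allowed_actions=("s3:GetObject",)):
    """Return a list of findings; an empty list means the policy is as narrow as this page asks."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            if "*" in action or action not in allowed_actions:
                findings.append("action too broad: %s" % action)
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for res in resources:
            # "*" or "arn:aws:s3:::*" would expose every bucket in the account.
            if res == "*" or re.fullmatch(r"arn:aws:s3:::\*+(/\*)?", res):
                findings.append("resource too broad: %s" % res)
            elif not re.fullmatch(r"arn:aws:s3:::[A-Za-z0-9._-]+/\*", res):
                findings.append("resource is not one bucket's objects: %s" % res)
    return findings


def create_role_with_boto3(role_name, account_id, bucket_names, external_id=None):
    """The same steps as the console walkthrough, via boto3 (assumed installed
    and configured with credentials that may manage IAM). Returns the role ARN."""
    import boto3  # imported here so the rest of the file runs without it
    iam = boto3.client("iam")
    role = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(trust_policy(account_id, external_id)),
        Description="Read-only object access for Aquarium",
    )
    policy = iam.create_policy(
        PolicyName=role_name + "-policy",
        PolicyDocument=json.dumps(read_only_bucket_policy(bucket_names)),
    )
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy["Policy"]["Arn"])
    return role["Role"]["Arn"]


if __name__ == "__main__":
    # Constructed bucket names; print the documents you would paste into the console.
    buckets = ["example-bucket-name", "ground-truth-images"]
    print(json.dumps(trust_policy(AQUARIUM_ACCOUNT_ID), indent=2))
    print(json.dumps(read_only_bucket_policy(buckets), indent=2))
    print("findings:", check_least_privilege(read_only_bucket_policy(buckets)))
```

Run check_least_privilege() against whatever policy you end up attaching, whether you wrote it by hand or through the visual editor; it is a cheap way to catch a stray "s3:*" or "Resource": "*" before the role goes live.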

You're done! Reach back out to Aquarium with:

  • the full ARN string you just copied

    • Example: arn:aws:iam::227217811048:role/Aquarium-Customer-Bucket-GetObject-Access-Role

  • The AWS region(s) containing the buckets you want to grant Aquarium access to

    • Example: us-east-1, us-west-2, ap-northeast-1

  • The S3 Bucket name(s) you want to grant Aquarium access to

    • Example: example-bucket-name, ground-truth-images (S3 bucket names allow lowercase letters, digits, dots and hyphens; underscores are not permitted)

Within 2-3 business days, your images should be visible in the Aquarium app. As always, please reach out to us if you have any trouble with this process.
