Storages

Customer Access to iMerit Owned Dedicated Bucket

By default, iMerit provides cross-account IAM roles for programmatic access to upload customer data into a predesignated S3 bucket.

These steps are for a customer trying to upload data.

  1. Create an IAM role or user in the customer AWS account (role_1).

  2. Grant role_1 permission to download (GetObject) and upload (PutObject) objects from and to the predefined S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<to be communicated by iMerit team>"
    }
  ]
}

IAM Cross Account Access

The following steps apply when the customer prefers to retain the data within their own infrastructure.

  1. Create four S3 buckets with default settings. The bucket names can be chosen as per your internal naming conventions.

    • {CUSTOMERNAME}-content.tasking.imerit-prod.io

    • {CUSTOMERNAME}-tasking-app-prod-delivery-bucket

    • {CUSTOMERNAME}-tasking-app-prod-import-bucket

    • {CUSTOMERNAME}-pct-content.tasking.imerit-prod.io

  2. Apply the following CORS (Cross-Origin Resource Sharing) configuration to each of these buckets:

    • {CUSTOMERNAME}-content.tasking.imerit-prod.io and

    • {CUSTOMERNAME}-pct-content.tasking.imerit-prod.io

Bucket CORS Policy
[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "HEAD"
        ],
        "AllowedOrigins": [
            "https://tools.tasking.imerit-prod.io"
        ]
    }
]
  3. Upload the pre-processed data to s3://{CUSTOMERNAME}-tasking-app-prod-import-bucket/quickserve_uploads/

  4. Set up an IAM role with the assume role policy and permissions shown in the snippets below:

Assume Role Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::797913408994:role/import-manager-prod",
                    "arn:aws:iam::797913408994:role/pointcloud-converter-prod",
                    "arn:aws:iam::797913408994:role/metafile-generator-prod",
                    "arn:aws:iam::797913408994:role/pointcloud-deliverables-prod",
                    "arn:aws:iam::797913408994:role/tv2-delivery-adapter-prod",
                    "arn:aws:iam::797913408994:role/template-output-generator-prod",
                    "arn:aws:iam::797913408994:role/delivery-manager-prod",
                    "arn:aws:iam::797913408994:role/delivery-manager-api-prod",
                    "arn:aws:iam::797913408994:role/tv2-delegator-api-prod",
                    "arn:aws:iam::797913408994:role/job-builder-prod",
                    "arn:aws:iam::797913408994:role/tv2-delegator-prod"
                ]
            },
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "imerit-prod"
                }
            }
        }
    ]
}
Permissions
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CustomerBucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::{CUSTOMERNAME}-content.tasking.imerit-prod.io",
                "arn:aws:s3:::{CUSTOMERNAME}-tasking-app-prod-delivery-bucket",
                "arn:aws:s3:::{CUSTOMERNAME}-tasking-app-prod-import-bucket",
                "arn:aws:s3:::{CUSTOMERNAME}-pct-content.tasking.imerit-prod.io",
                "arn:aws:s3:::{CUSTOMERNAME}-content.tasking.imerit-prod.io/*",
                "arn:aws:s3:::{CUSTOMERNAME}-tasking-app-prod-delivery-bucket/*",
                "arn:aws:s3:::{CUSTOMERNAME}-tasking-app-prod-import-bucket/*",
                "arn:aws:s3:::{CUSTOMERNAME}-pct-content.tasking.imerit-prod.io/*"
            ]
        }
    ]
}
  5. After the above steps are completed and a role is generated, share the following information with iMerit:

    1. Role ARN

    2. CUSTOMERNAME

    3. Region the S3 bucket is set up in
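
Before sharing the role ARN, the trust policy can be checked offline for the two properties the snippet above relies on: principals limited to named roles in account 797913408994, and `sts:ExternalId` pinned to a single value. This is an added example, not iMerit's code; `audit_trust_policy` and `as_list` are hypothetical names, and `SAMPLE` is a constructed, shortened copy of the policy on this page.

```python
import json

# Constructed sample: the trust policy from this page, shortened to two of its principals.
SAMPLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Principal": {"AWS": [
      "arn:aws:iam::797913408994:role/import-manager-prod",
      "arn:aws:iam::797913408994:role/delivery-manager-prod"]},
    "Condition": {"StringEquals": {"sts:ExternalId": "imerit-prod"}}
  }]
}""")

def as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, account_id, external_id):
    """Return findings for Allow statements that grant sts:AssumeRole; [] means none."""
    findings = []
    role_prefix = f"arn:aws:iam::{account_id}:role/"
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = set(as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # e.g. "Principal": "*"
            findings.append(f"statement {i}: principal {principal!r} is not a role list")
            principal = {}
        for kind in sorted(set(principal) - {"AWS"}):
            findings.append(f"statement {i}: unexpected principal type {kind}")
        for arn in as_list(principal.get("AWS", [])):
            # Account root, other accounts and wildcards are all broader than named roles.
            if not arn.startswith(role_prefix) or "*" in arn:
                findings.append(f"statement {i}: principal {arn} is not a role in {account_id}")
        # The ExternalId condition is the confused-deputy guard; require exactly one value.
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        if as_list(string_equals.get("sts:ExternalId", [])) != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId is not pinned to {external_id!r}")
    return findings

if __name__ == "__main__":
    for line in audit_trust_policy(SAMPLE, "797913408994", "imerit-prod") or ["no findings"]:
        print(line)
```
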
