Integrating with AWS S3
Published on March 29th, 2022Introduction
S3 can be a useful place to store certain resources used by backstage plugins like OpenApi spec files.
This guide describes how to set up access for Roadie to your S3 buckets in your infrastructure and configure it.
To configure autodiscovery of entities from S3 buckets, see documentation about AWS S3 Autodiscovery.
Step 1: Get the roadie IAM details
Navigate to Administration > Settings > AWS S3
and make a note of the Roadie backend role ARN and account ID. This is mentioned on the title text of the AWS S3 integration settings page.
Step 2: Create a federated role in your account for Roadie
Follow the steps here to create the role.
The role needs to follow this naming convention arn:aws:iam::*:role/<your-tenant-name>-roadie-read-only-role
where
You’ll need to attach a policy which allows access to the required S3 buckets such as AmazonS3ReadOnlyAccess
. This policy grants roadie read access to all buckets.
If you do not want to grant this access you can create your own policy
which restricts access to only certain buckets. An example minimal policy needed to retrieve files from S3 buckets is below
An example minimal S3 Read policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::my-bucket/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::my-bucket"
}
]
}
Step 3: Configure your Roadie instance to use the new role
On the AWS S3 settings page Administration > Settings > Aws S3
in Roadie click Add Item
and enter the newly created
role ARN and external ID. The S3 host is only required if you’re using different roles for different buckets.
After the role configuration is done, you can click the ‘Test Role’ button to check if integration configuration has succeeded.