Multiple S3 Buckets for multiple teams

Multiple S3 Buckets for multiple webQsee teams

If you own or manage multiple webQsee teams, you have the following three variants for setting up an Amazon S3-based Cloud Storage for the Cloud Gallery of each separate team:

  1. Variant: Create multiple AWS accounts and set up a separate Cloud Storage on each account, following our tutorials.
    • Owning multiple AWS accounts as a single company is no problem and even encouraged by Amazon in situations where you want to completely isolate some parts of your company's data from other parts. This variant involves the most setup and maintenance work because you will have separate Cloud Storage Users, Groups and Policies for every one of your webQsee teams.
  2. Variant: Re-use a single S3 Bucket of a single AWS account for all of your teams.
  3. Variant: Use multiple S3 Buckets in a single AWS account for all your teams.
    • This is the second-easiest option and is the one explained in this tutorial.

In most cases you should prefer variant 2 over variant 3, because variant 3 offers no real advantage other than separating the webQsee Cloud Gallery data into multiple different S3 Buckets. An exception is when you want one of your teams to use a Cloud Storage in a different geographical location than your other teams (Europe, USA, ...); then variant 3 is the better option, because you can create a separate Bucket at your desired location.

Variant 2 and 3 have the following in common:
Advantages:

  • You do not have to create separate User Groups and Policies for all of your teams. Instead, all teams share the same policies and groups.
  • Also, each distinct webQsee user across all your teams only needs a single Cloud Storage user (= one Cloud Storage user per webQsee user ID). So if a user is part of several of your webQsee teams, they still need just a single Cloud Storage user in order to access the Cloud Gallery in all of those teams.

Possible Disadvantages:

  • All users of all your webQsee teams could read the Cloud Gallery data of every single one of your webQsee teams when accessing the API of the Cloud Storage manually, even if the user is not a member of all of your teams.
    • However, given that you set up your S3 integration following the normal integration tutorial, regular team members (non-admins) can still only delete or modify items they created themselves, so in many cases this small disadvantage may be acceptable. You need to be the judge of that yourself; you can instead switch to variant 1 above, which does not have this disadvantage.

Possible Disadvantages of Variant 3 only:

  • The Cloud Storage Policies are modified in a way that allows all of your webQsee team members to access any S3 Bucket of your AWS account.
    • However, they will only be able to list, read and write data that is prefixed for webQsee (= located in a subfolder called "webqsee"), because every Resource ARN and the s3:prefix condition in the policies still start with that prefix. Any other sensitive data that you might have in other S3 Buckets of your AWS account therefore remains inaccessible to webQsee users.

Getting started with Variant 3 - Overview

The following tutorial assumes that you already integrated Amazon S3 for at least one of your webQsee teams, using the normal integration tutorial or the simplified integration tutorial. In case you used the simplified tutorial, you might want to consider switching to the normal S3 integration or using variant 1 instead; otherwise any member of any of your webQsee teams could technically access the Cloud Storage API manually and delete or modify whatever webQsee Cloud Gallery items they want, no matter which of your teams those items belong to.

At the end of this tutorial, a single user of any of your webQsee teams will be able to use the same Cloud Storage credentials for any Cloud Gallery of any of your teams that he is a member of.

You will also have a separate S3 Bucket per webQsee team (all belonging to the same AWS account).

Now, let's get started.

Signing in to the AWS Console

Sign in at https://console.aws.amazon.com/console/home as "Root user" using the credentials of your AWS account.
Verify that you have been logged in correctly and that you have access to the AWS Management Console.

Changing the Policy for webQsee admins

Open the IAM management page: https://console.aws.amazon.com/iam/home

Then navigate to "Policies" and find the policy called webqsee-admin (or however you named it) that you created in the normal or simplified integration tutorial.
Click on this existing policy, then click "Edit Policy", then click on the "JSON" tab, so that in the end you have a JSON Editor that allows you to edit the existing policy.

After changing from "Visual editor" to "JSON", you need to change all occurrences of arn:aws:s3:::webqsee to arn:aws:s3:::*
(If you use a custom bucket name, replace that name with the asterisk instead.)
You can also just replace the complete existing JSON with one of the two samples below, but make sure that you copy and paste the correct example, matching the kind of integration tutorial that you used to set up your Cloud Storage.

Here is an example for the modified admin policy based on the normal integration tutorial:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::*/webqsee/*/items-root/shared/*",
        "arn:aws:s3:::*/webqsee/*/items-root/protected/*",
        "arn:aws:s3:::*/webqsee/*/items-root/private/${aws:PrincipalTag/webqsee-user-id}/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::*/webqsee/*/items-root/private/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "webqsee/*/items-root/",
            "webqsee/*/items-root/*"
          ]
        }
      },
      "Effect": "Allow"
    }
  ]
}

And here is an example for the modified admin policy based on the simplified integration tutorial:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::*/webqsee/*/items-root/shared/*",
        "arn:aws:s3:::*/webqsee/*/items-root/protected/*",
        "arn:aws:s3:::*/webqsee/*/items-root/private/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "webqsee/*/items-root/",
            "webqsee/*/items-root/*"
          ]
        }
      },
      "Effect": "Allow"
    }
  ]
}

When you have modified the JSON in the editor, continue by clicking "Review policy". Make sure to save the changes: continue through the wizard until the changes to the policy are finally saved.

You should then see a success message telling you that the policy has been updated.

Changing the Policy for regular webQsee team members

(You can skip this step if your Cloud Storage is set up following the simplified integration tutorial, because then you won't have a Policy for regular team members.)

Back on the overview page for Policies find the policy called webqsee-user (or however you named it) that you created in the normal or simplified integration tutorial.
Click on this existing policy, then click "Edit Policy", then click on the "JSON" tab, so that in the end you have a JSON Editor that allows you to edit the existing policy.

After changing from "Visual editor" to "JSON", you need to change all occurrences of arn:aws:s3:::webqsee to arn:aws:s3:::*
(If you use a custom bucket name, replace that name with the asterisk instead.)
You can also just replace the complete existing JSON with the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::*/webqsee/*/items-root/shared/*",
        "arn:aws:s3:::*/webqsee/*/items-root/protected/${aws:PrincipalTag/webqsee-user-id}/*",
        "arn:aws:s3:::*/webqsee/*/items-root/private/${aws:PrincipalTag/webqsee-user-id}/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::*/webqsee/*/items-root/protected/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "webqsee/*/items-root/shared/",
            "webqsee/*/items-root/shared/*",
            "webqsee/*/items-root/protected/",
            "webqsee/*/items-root/protected/*",
            "webqsee/*/items-root/private/${aws:PrincipalTag/webqsee-user-id}/",
            "webqsee/*/items-root/private/${aws:PrincipalTag/webqsee-user-id}/*"
          ]
        }
      },
      "Effect": "Allow"
    }
  ]
}

When you have modified the JSON in the editor, continue by clicking "Review policy". Make sure to save the changes: continue through the wizard until the changes to the policy are finally saved.

You should then see a success message telling you that the policy has been updated.
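To check what the modified admin policy and the modified regular-member policy from this tutorial actually permit before you rely on them, here is an added Python simulator. It is example code written for this page, not code from webQsee or from AWS. It embeds constructed copies of the two policies (normal integration tutorial), substitutes the webqsee-user-id principal tag and evaluates S3 actions with IAM's wildcard rules; it handles Allow statements and the StringLike/s3:prefix condition used here only (no Deny, no other condition keys). The bucket names, user IDs and the "team-a" key segment are made-up values. It also exercises one edge case of the asterisk replacement: because "*" in the last ARN segment matches slashes too, arn:aws:s3:::*/webqsee/... also matches a key in any bucket that merely contains /webqsee/<x>/items-root/shared/ deeper in its path, so the "only the webqsee subfolder" property holds for buckets that do not store such keys.

```python
import fnmatch

# Constructed copies of the two modified policies shown on this page
# (normal integration tutorial): admin policy and regular team-member policy.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
     "Resource": ["arn:aws:s3:::*/webqsee/*/items-root/shared/*",
                  "arn:aws:s3:::*/webqsee/*/items-root/protected/*",
                  "arn:aws:s3:::*/webqsee/*/items-root/private/${aws:PrincipalTag/webqsee-user-id}/*"]},
    {"Effect": "Allow", "Action": ["s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::*/webqsee/*/items-root/private/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::*"],
     "Condition": {"StringLike": {"s3:prefix": ["webqsee/*/items-root/",
                                                "webqsee/*/items-root/*"]}}},
]}

USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
     "Resource": ["arn:aws:s3:::*/webqsee/*/items-root/shared/*",
                  "arn:aws:s3:::*/webqsee/*/items-root/protected/${aws:PrincipalTag/webqsee-user-id}/*",
                  "arn:aws:s3:::*/webqsee/*/items-root/private/${aws:PrincipalTag/webqsee-user-id}/*"]},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::*/webqsee/*/items-root/protected/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::*"],
     "Condition": {"StringLike": {"s3:prefix": [
         "webqsee/*/items-root/shared/", "webqsee/*/items-root/shared/*",
         "webqsee/*/items-root/protected/", "webqsee/*/items-root/protected/*",
         "webqsee/*/items-root/private/${aws:PrincipalTag/webqsee-user-id}/",
         "webqsee/*/items-root/private/${aws:PrincipalTag/webqsee-user-id}/*"]}}},
]}


def _matches(pattern, value, tags):
    """IAM-style glob: '*' matches any run of characters (slashes included),
    '?' one character. ${aws:PrincipalTag/<key>} is substituted first."""
    for key, tag_value in tags.items():
        pattern = pattern.replace("${aws:PrincipalTag/%s}" % key, tag_value)
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource_arn, tags, prefix=None):
    """Simplified IAM evaluation: Allow statements only, plus the
    StringLike/s3:prefix condition these policies use."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not any(_matches(r, resource_arn, tags) for r in stmt["Resource"]):
            continue
        wanted = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if wanted is not None:
            # A StringLike condition on a key absent from the request is false,
            # so a ListBucket call without a prefix is not allowed.
            if prefix is None or not any(_matches(p, prefix, tags) for p in wanted):
                continue
        return True
    return False


def can(policy, user_id, action, bucket, key=None, prefix=None):
    """Build the bucket ARN (ListBucket) or object ARN (everything else) and
    evaluate it for a principal tagged webqsee-user-id=<user_id>."""
    arn = "arn:aws:s3:::" + bucket + ("" if key is None else "/" + key)
    return is_allowed(policy, action, arn, {"webqsee-user-id": user_id}, prefix)


if __name__ == "__main__":
    # Made-up buckets, users and per-team key segment "team-a" for illustration.
    shared = "webqsee/team-a/items-root/shared/logo.png"
    bob_private = "webqsee/team-a/items-root/private/bob/photo.jpg"
    bob_protected = "webqsee/team-a/items-root/protected/bob/photo.jpg"
    checks = [
        ("alice (member) reads a shared item", can(USER_POLICY, "alice", "s3:GetObject", "webqsee-team-a", shared), True),
        ("alice reads bob's protected item", can(USER_POLICY, "alice", "s3:GetObject", "webqsee-team-a", bob_protected), True),
        ("alice overwrites bob's protected item", can(USER_POLICY, "alice", "s3:PutObject", "webqsee-team-a", bob_protected), False),
        ("alice deletes bob's private item", can(USER_POLICY, "alice", "s3:DeleteObject", "webqsee-team-a", bob_private), False),
        ("carol (admin) deletes bob's private item", can(ADMIN_POLICY, "carol", "s3:DeleteObject", "webqsee-team-a", bob_private), True),
        ("alice lists bob's private folder", can(USER_POLICY, "alice", "s3:ListBucket", "webqsee-team-a", prefix="webqsee/team-a/items-root/private/bob/"), False),
        ("alice reads a shared item in another team's bucket", can(USER_POLICY, "alice", "s3:GetObject", "webqsee-team-b", shared.replace("team-a", "team-b")), True),
        ("alice reads an unrelated object in another bucket", can(USER_POLICY, "alice", "s3:GetObject", "finance-reports", "2024/report.pdf"), False),
        ("edge case: /webqsee/ nested deeper in an unrelated bucket's key", can(USER_POLICY, "alice", "s3:GetObject", "finance-reports", "archive/webqsee/x/items-root/shared/a.pdf"), True),
    ]
    for label, got, expected in checks:
        print(("OK  " if got == expected else "??  ") + label + ": " + str(got))
```

Run it directly to see the access matrix; each line prints "OK" when the simulated result matches what the tutorial text claims. Note that fnmatch is used deliberately because, like IAM's "*", it does not treat "/" specially; a path-aware glob would understate what the policies grant.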

Adding additional S3 Buckets

You can now add an additional S3 Bucket for every one of your webQsee teams that you want to set up the Cloud Gallery & Cloud Storage for.
Do it as shown in the normal integration tutorial or the simplified integration tutorial, but choose a name different from "webqsee" for each new Bucket, because "webqsee" is already the name of your existing Bucket and S3 Bucket names must be unique.

Setting the team-wide Cloud Storage settings

After setting up the additional S3 Buckets, you need to set up the team-wide Cloud Storage settings inside the Cloud Gallery of each of your webQsee teams that are going to use the new Buckets you just set up.
Make sure that you enter the correct Bucket Name for each team, so that each team connects to the correct S3 Bucket.

Done! You are now using multiple S3 Buckets for your multiple webQsee teams!
The members of all your webQsee teams can use the same Cloud Storage credentials in the Cloud Galleries of all the teams that they are a part of.

Feel free to contact us if you have any trouble setting up the Cloud Storage.