Same S3 Bucket for multiple teams

Same S3 Bucket for multiple webQsee teams

If you own or manage multiple webQsee teams, you can choose between the following three variants when setting up an Amazon S3 based Cloud Storage for the Cloud Gallery of each separate team:

  1. Variant: Create multiple AWS accounts and set up a separate Cloud Storage on each account, following our tutorials.
    • Owning multiple AWS accounts as a single company is no problem and even encouraged by Amazon in situations where you want to completely isolate some parts of your company's data from other parts. This variant involves the most setup and maintenance work because you will have separate Cloud Storage Users, Groups and Policies for every one of your webQsee teams.
  2. Variant: Reuse a single S3 Bucket of a single AWS account for all of your teams.
    • This is the easiest option and is explained in this tutorial.
  3. Variant: Use multiple S3 Buckets in a single AWS account for all your teams.

In most cases you should prefer variant 2 over variant 3, because variant 3 offers no real advantages other than separating the webQsee Cloud Gallery data into multiple different S3 Buckets. An exception is when you want one of your teams to use a Cloud Storage in a different geographical location than your other teams (Europe, USA, ...). In that case variant 3 is the better option, because you can create a separate Bucket at your desired location.

Variants 2 and 3 have the following in common:
Advantages:

  • You do not have to create separate User Groups and Policies for all of your teams. Instead, all teams share the same policies and groups.
  • Also, each distinct webQsee user across all your teams only needs a single Cloud Storage user (= one Cloud Storage user per webQsee user ID). So if a user is a member of several of your webQsee teams, he still needs just a single Cloud Storage user in order to access the Cloud Gallery in all of those teams.

Possible Disadvantages:

  • Any user of any of your webQsee teams could read the data of all Cloud Galleries of every single one of your webQsee teams by accessing the API of the Cloud Storage manually, even if the user is not a member of all of your teams.
    • However, provided that you set up your S3 integration following the normal integration tutorial, a regular team member (non-admin) can still only delete or modify items he created, so in many cases this small disadvantage may be acceptable. But you need to be the judge of that yourself - you can still switch to variant 1 from above instead, which does not have this disadvantage.

Possible Disadvantages of Variant 3 only:

  • The Cloud Storage Policies are modified in a way that allows all of your webQsee team members to access any S3 Bucket of your AWS account.
    • But a team member will only be able to access, read and write data that is prefixed for webQsee (= located in a subfolder called "webqsee"). So any other sensitive data that you might have on other S3 Buckets of your AWS account is still not accessible by webQsee users.

Getting started with Variant 2 - Overview

The following tutorial assumes that you have already integrated Amazon S3 for at least one of your webQsee teams, using the normal integration tutorial or the simplified integration tutorial. If you used the simplified tutorial, you might want to consider switching to the normal S3 integration or using variant 1 instead. Otherwise any member of any of your webQsee teams could technically access the Cloud Storage API manually and delete or modify whatever webQsee Cloud Gallery items he wants (no matter which of your teams he belongs to).

At the end of this tutorial, a single user of any of your webQsee teams will be able to use the same Cloud Storage credentials for any Cloud Gallery of any of your teams that he is a member of.

Now, let's get started.

There is nothing more to do!

All of your webQsee teams can just use the same team-wide settings for the Cloud Storage in their Cloud Gallery.
You just need to set the team-wide settings in the Cloud Gallery of each team.

The members of all your webQsee teams can use the same Cloud Storage credentials in the Cloud Galleries of all your teams that they are a part of.

Even though all teams will use the same S3 bucket for storing their Cloud Gallery data, they will use a distinct subfolder with their team-id as folder name.
This way there won't be any collisions between the cloud data of your different teams.
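
The shared-bucket read exposure listed under "Possible Disadvantages" and the per-team subfolder layout described above can be checked against a policy document before it is attached to a group. This is an added example, not webQsee's own code or policy: the bucket name, the `webqsee/<team-id>/` key layout, the team IDs and both policy documents are constructed assumptions, and the evaluator ignores `Condition`, `NotAction` and `NotResource`.

```python
import re

# Constructed policies (assumptions, not webQsee's published policy documents).
BUCKET = "example-webqsee-bucket"  # hypothetical bucket name
SHARED = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                         "Resource": [f"arn:aws:s3:::{BUCKET}/webqsee/*"]}]}
PER_TEAM = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                           "Resource": [f"arn:aws:s3:::{BUCKET}/webqsee/team-a/*"]}]}


def _matches(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def _as_list(x):
    # IAM allows a single string or a list for Action and Resource.
    return x if isinstance(x, list) else [x]


def allows(policy: dict, action: str, bucket: str, key: str) -> bool:
    """Evaluate the statements: an explicit Deny wins, otherwise any Allow."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    allowed = False
    for st in _as_list(policy["Statement"]):
        hit = (any(_matches(a, action) for a in _as_list(st["Action"]))
               and any(_matches(r, arn) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed


def readable_teams(policy: dict, bucket: str, team_ids: list[str]) -> list[str]:
    """Teams whose gallery objects the policy holder could fetch via GetObject."""
    # Assumed key layout: webqsee/<team-id>/<object>
    return [t for t in team_ids
            if allows(policy, "s3:GetObject", bucket, f"webqsee/{t}/item.png")]


if __name__ == "__main__":
    teams = ["team-a", "team-b"]  # constructed team IDs
    print("shared prefix  :", readable_teams(SHARED, BUCKET, teams))
    print("per-team prefix:", readable_teams(PER_TEAM, BUCKET, teams))
```

The shared-prefix policy makes every team's subfolder readable to any holder of the credentials, while data outside the `webqsee` prefix stays out of reach; the per-team prefix is the kind of isolation that variant 1 gives you through separate accounts.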

Feel free to contact us if you have any trouble setting up the cloud storage.