Switching from simplified to normal S3 Integration

Switching from simplified to normal S3 Integration

The following tutorial assumes that you integrated Amazon S3 into webQsee using the simplified integration tutorial.
It will show you how to convert your setup into one that fully supports multiple Cloud Storage users and enforcement of user permissions directly on the Cloud Storage.

This tutorial is right for you, if you for some reason initially followed the simplified integration tutorial but now have a webQsee team consisting of multiple users that should all receive their own credentials for the Cloud Storage, also allowing the Cloud Storage to differentiate between regular users and admins - enforcing the appropriate user rights directly on the storage.

So, instead of a single pair of credentials for the Cloud Storage, at the end of the tutorial each member of your webQsee team will have his own Cloud Storage credentials.
Those separate credentials belong to separate users on the Cloud Storage, that can be part of two user groups on the storage: normal users and admins.

While there are two types of admins in webQsee (content admin, super admin), there will be only one admin group on the Cloud Storage that covers both types of webQsee admins.

Overview

A quick overview what we will do in this tutorial:

  1. we will delete the single existing webQsee Cloud Storage user
  2. we will change the existing policy for webqsee-admins
  3. we will add an additional policy and user group for normal users (non-admins)
  4. we will add multiple Cloud Storage users, one per member of your webQsee team
  5. you will send new Cloud Storage credentials to every member of your team

Now, let's get started.

Signing in to the AWS Console

Sign in at https://console.aws.amazon.com/console/home as "Root user" using the credentials of your AWS account.
Verify, that that you have been logged in correctly and that you have access to the AWS Management Console.

Deleting the existing single webQsee storage user

Open the IAM management page: https://console.aws.amazon.com/iam/home

Then navigate to "Users", find the user webqsee-admin-user (or however you named it) that you created in the simplified integration tutorial.
Click "Delete User". Proceed with deleting the user. Do not worry, we will create new users soon.

Setting up user groups and rights

We will create appropriate user groups, so that we can enforce some user rights for the webQsee users that will use the Cloud Storage. For example webQsee admins (content admins and user admins) will be able to delete all items on the storage, while regular members of the webQsee team will only be able to delete items that they created themselves.

Changing the Policy for webQsee admins

Open the IAM management page: https://console.aws.amazon.com/iam/home

Then navigate to "Policies" and find the policy called webqsee-admin (or however you named it) that you created in the simplified integration tutorial.
Click on this existing policy, then click "Edit Policy", then click on the "JSON" tab, so that in the end you have a JSON Editor that allows you to edit the existing policy.

After changing from "Visual editor" to "JSON", you need to replace the code you see there with the following JSON:

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::webqsee/webqsee/*/items-root/shared/*",
"arn:aws:s3:::webqsee/webqsee/*/items-root/protected/*",
"arn:aws:s3:::webqsee/webqsee/*/items-root/private/${aws:PrincipalTag/webqsee-user-id}/*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::webqsee/webqsee/*/items-root/private/*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::webqsee"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"webqsee/*/items-root/",
"webqsee/*/items-root/*"
]
}
},
"Effect": "Allow"
}
]
}

Please note that in in all occurrences of arn:aws:s3:::webqsee the "webqsee" is the name of your webQsee S3 bucket.
If your bucket has a different name, you need to change the names in the policy from arn:aws:s3:::webqsee to arn:aws:s3:::custombucketname

When you have pasted the JSON into the editor, continue by clicking "Review policy". Make sure to save the changes: continue the the wizard until the changes to the policy are finally saved.

You should probably see a success message, telling you that the policy has been updated.

Creating the Policy for regular webQsee team members

Back in the overview page for the policies, click "Create policy" and switch from the Visual Editor to the JSON tab. Replace the code you see there by the following JSON:

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::webqsee/webqsee/*/items-root/shared/*",
"arn:aws:s3:::webqsee/webqsee/*/items-root/protected/${aws:PrincipalTag/webqsee-user-id}/*",
"arn:aws:s3:::webqsee/webqsee/*/items-root/private/${aws:PrincipalTag/webqsee-user-id}/*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::webqsee/webqsee/*/items-root/protected/*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::webqsee"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"webqsee/*/items-root/shared/",
"webqsee/*/items-root/shared/*",
"webqsee/*/items-root/protected/",
"webqsee/*/items-root/protected/*",
"webqsee/*/items-root/private/${aws:PrincipalTag/webqsee-user-id}/",
"webqsee/*/items-root/private/${aws:PrincipalTag/webqsee-user-id}/*"
]
}
},
"Effect": "Allow"
}
]
}

Please note that in in all occurrences of arn:aws:s3:::webqsee the "webqsee" is the name of your webQsee S3 bucket.
If your bucket has a different name, then change all occurrences of arn:aws:s3:::webqsee to arn:aws:s3:::custombucketname

When you have pasted the JSON into the editor, continue by clicking "Review policy". As policy name insert webqsee-user

(In case you are using an AWS account that already has a policy with this name, define an alternative name for the policy.)

Click "Create policy" after entering the policy name. You should see a success message, telling you that the policy has been created.

Creating the Group for regular webQsee team members

In the IAM Console, open "Groups", then click "Create New Group". Enter webqsee-user as a group name, then click "Next Step".

(If you are using an AWS account that already has a group called "webqsee-user", choose an alternative name.)

In the next step, called "Attach Policy", search for the Regular-User-Policy you created before and check it. Then click "Next Step".

Review the changes, then click "Create Group".

After creating the group, you should see the new group in the overview table of the Groups page. You should see both webQsee Groups there, one for admins and one for regular team members.

Creating Users

Each member of your webQsee team, that wants to use the Cloud Gallery, needs a user on Amazon AWS as well. In the following example, we will create an admin user for you (the person that is working through this tutorial). Any other users that you might need, you must also create.

First, navigate to the "Users" overview page of the IAM console and click "Add user":

Set an appropriate user name. In this example we use my-webqsee-admin-user, but you should probably choose a different name.
Make sure to enable the checkbox for programmatic access! Click the "Next" button after setting a name and enabling the checkbox.

In the next step, search for the admin group you edited previously in this tutorial and check this group.
Make sure to only select ONE group when adding new users! If you want to add a regular team member, check the group for the regular user. And in case of admins only the admin group, not both!

After checking the appropriate group, click the "Next" button.
On the next screen, add a new tag with the key webqsee-user-id and in the value of this tag, you need to insert the user-id of your webQsee user!
You own webQsee user id can be found in the "Current User and Team"-Tab of the webQsee browser extension's main window and the user id of other team members can be found in the "Team Management" Sub-tab of the "Current User and Team"-Tab (rightmost column of the top table there).

Click "Next" after setting your user id. Then review the changes and click "Create user" afterwards.

In the final screen, that confirms the creation of the user, it is important that you copy the Access key ID and the Secret access key and store it somewhere safe. You will need these credentials later to sign into the Cloud Storage in the webQsee browser extension.

Click the "Close" button after you copied the Access key ID and the Secret access key and stored them in a secure location.

Now we are nearly done and can start using the new credentials.

Open the webQsee Gallery and switch to the tab "Cloud Gallery". Then click "Edit Settings".

There you need to change the following personal settings:

  1. Access Key Id: The access key id you noted down previously for your AWS IAM user that you created in this tutorial.
  2. Secret Access Key: The secret access key you noted down previously for your AWS IAM user that you created in this tutorial.

The new personal settings need to be provided by each webQsee member of your team that is using the Cloud Gallery.
This means that each user of your team needs to be provided with his own Access Key Id and a Secret Access Key (= you need to create additional users in the IAM console, just like you created your own user).

After changing your own personal settings, click the "Save" button.

Congratulations! You successfully switched to the normal integration of Amazon S3!
You should be able to use the Cloud Gallery like before but now every team members has to use his own storage credentials and his user rights are checked and enforced by the storage itself.

Keep in mind, that you need to create storage-users for the other members of your webQsee team as well. One storage-user per webQsee team member. You can do that in Amazon's IAM Console, as shown above, where you created your own user.
If you create a storage-user for a regular team-member, assign the group for regular users and if you create a storage-user for a webqsee admin (content admin or super admin), assign the group for admins. Do NOT assign both groups!

After creating storage-users for the other members of your webQsee team, you need to send them their new Cloud Storage credentials (for example via email) and ask them to update their Cloud Storage settings of the webQsee Cloud Gallery (just like you did in this tutorial).

Feel free to contact us if you have any troubles setting up the cloud storage.

If a team member leaves your team at some point in the future, you should also delete his Cloud Storage user, so he loses complete access to your Cloud Storage. Also, if you promote / demote a team member to / from admin, you need to change the user group for his Cloud Storage user as well.