Integrate MASV with your Amazon S3 bucket
Amazon S3 from AWS (Amazon Web Services) is a cloud storage service known for providing scalability, data availability, security, and performance. If you have an Amazon S3 cloud storage bucket, follow the steps below to connect it to MASV.
You can create more than one Amazon S3 integration in MASV, mapping each integration to a specific Storage Class, transfer direction (save to S3 or send from S3), and Target Directory. You can then pair the integration with one or more MASV Portals to send or ingest files exactly where you want them.
Topics include:
- Ready? Information you'll need
- To integrate an Amazon S3 bucket with MASV using key-based access
- To integrate an Amazon S3 bucket with MASV using role-based access
Overview
You can choose from two different access methods when connecting MASV to your Amazon S3 storage:
- Key-based: The key-based method uses an Access ID and Secret Key.
- Role-based: IAM role-based access uses a Trust policy.
The method you choose depends on how you want to limit and maintain access. For example, keys must be rotated regularly, so they require additional maintenance.
For more information about IAM roles and role-based access, visit IAM roles.
For more information about access keys, visit Manage access keys for IAM users.
Policies and permissions
Both key-based and role-based access require IAM policies with permissions that allow either saving to or sending from S3. You can create the policies in the AWS Management Console. For information about creating policies for Amazon S3, see Policies and permissions in AWS.
Saving to S3: The following "Actions" must be allowed to save to Amazon S3:
- AbortMultipartUpload
- DeleteObject
- GetBucketLocation
- ListBucket
- PutObject
The following S3 Actions must be allowed to send from S3 via MASV:
- GetObject
- ListBucket
Here is an example of a policy statement for S3 (MASV save to S3):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "masvintegration",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket name>",
        "arn:aws:s3:::<bucket name>/*"
      ]
    }
  ]
}
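To check a permission policy against the two action lists above before attaching it, the following added example (not MASV's or AWS's code) reports missing actions, actions the chosen direction does not need, wildcards, and resources outside the bucket. The function names and the bucket name `example-bucket` are hypothetical.

```python
import json

# Actions the page lists per transfer direction. IAM action names are
# case-insensitive, so everything is compared in lower case.
REQUIRED = {
    "save": {"s3:abortmultipartupload", "s3:deleteobject",
             "s3:getbucketlocation", "s3:listbucket", "s3:putobject"},
    "send": {"s3:getobject", "s3:listbucket"},
}

def _as_list(value):
    # IAM accepts a bare string or object wherever a list is allowed.
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json, bucket, direction):
    """Return sorted findings; [] means exactly the listed actions, this bucket only."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    allowed, findings = set(), set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.add("NotAction/NotResource grants everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                findings.add(f"wildcard action: {action}")
            else:
                allowed.add(action.lower())
        for res in _as_list(stmt.get("Resource", [])):
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.add(f"resource outside bucket: {res}")
    need = REQUIRED[direction]
    findings |= {f"missing: {a}" for a in need - allowed}
    findings |= {f"not needed for {direction}: {a}" for a in allowed - need}
    return sorted(findings)

# Constructed sample: the page's save-to-S3 policy for a hypothetical bucket.
SAVE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "masvintegration", "Effect": "Allow",
    "Action": ["s3:AbortMultipartUpload", "s3:DeleteObject",
               "s3:GetBucketLocation", "s3:ListBucket", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
}]})

if __name__ == "__main__":
    print(audit_policy(SAVE_POLICY, "example-bucket", "save"))
    print(audit_policy(SAVE_POLICY, "example-bucket", "send"))
```

Reusing the save-to-S3 policy for a send-from-S3 integration shows up as one missing action and four write or delete permissions that direction does not need.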
Key-based access
Access keys are created in the AWS Management Console. For key-based access, you must attach the IAM policy to an IAM user. The access keys are then generated for that user. For information about creating access keys, visit How do I create an AWS access key? Copy and save the ID and Secret to a secure location.
Role-based access
For role-based access, the IAM policy is attached to an IAM role and you then create a Custom Trust policy that allows MASV to assume the role during transfers. Here is a JSON code sample you can use as a template:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::496647098526:role/masv_transfer"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<randomly generated External ID from MASV>"
        }
      }
    }
  ]
}
You’ll need your IAM role ARN to create the connection with MASV.
Note: The External ID is generated by MASV in the Add Integration window. You can copy and paste it into your Custom Trust policy (edit the policy if you created it in advance, or create the policy in tandem with the MASV connection). If you choose to use your own External ID, it must adhere to these rules:
- Minimum of 16 characters and maximum of 1224 characters in length
- Can include alphanumeric characters and the following non-alphanumeric characters: plus (+), equal (=), comma (,), period (.), at (@), colon (:), forward slash (/), and hyphen (-)
- Cannot contain spaces
Warning: The External ID must be unique and kept secret in order to prevent unauthorized access to your bucket via the confused deputy problem.
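The External ID rules and the trust policy template above can be checked together before the role is used. This added example (not MASV's or AWS's code) validates a self-chosen External ID against the rules on this page, generates one from the OS random source, and flags a trust policy whose principal is not the MASV role or whose `sts:ExternalId` condition is missing or different. All function names are hypothetical.

```python
import json
import re
import secrets

# Principal from the page's trust-policy template.
MASV_PRINCIPAL = "arn:aws:iam::496647098526:role/masv_transfer"
# Page's External ID rules: 16-1224 chars of A-Z a-z 0-9 + = , . @ : / - (no spaces).
EXTERNAL_ID_RE = re.compile(r"[A-Za-z0-9+=,.@:/-]{16,1224}")

def valid_external_id(value):
    return EXTERNAL_ID_RE.fullmatch(value) is not None

def new_external_id():
    # 64 hex characters from the OS CSPRNG; hex stays inside the allowed set.
    return secrets.token_hex(32)

def audit_trust_policy(policy_json, external_id):
    """Return findings; [] means only MASV may assume the role, with external_id."""
    findings = []
    if not valid_external_id(external_id):
        findings.append("External ID breaks the length/character rules")
    stmts = json.loads(policy_json)["Statement"]
    for stmt in stmts if isinstance(stmts, list) else [stmts]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws != MASV_PRINCIPAL and aws != [MASV_PRINCIPAL]:
            findings.append("principal is not the MASV transfer role")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        pinned = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if pinned is None:
            findings.append("no sts:ExternalId condition (confused deputy)")
        elif pinned != external_id:
            findings.append("sts:ExternalId differs from the ID given to MASV")
    return findings

def trust_policy(external_id=None):
    """Build the page's template (constructed sample), optionally unpinned."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": MASV_PRINCIPAL},
            "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

if __name__ == "__main__":
    eid = new_external_id()
    print(audit_trust_policy(trust_policy(eid), eid))   # pinned policy
    print(audit_trust_policy(trust_policy(), eid))      # condition removed
```

The findings never echo the External ID itself, so the output can be pasted into a ticket or log without exposing the value.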
Ready? Information you'll need
To make the process go smoothly, have the following information on hand:
- Amazon S3 bucket name
- Region of bucket
- Key-based or Role-based access credentials:
  - Key-based: Access key ID and Access key Secret with the appropriate associated permission policies.
  - Role-based: Role ARN with the required associated trust and permission policies. If you created your Custom Trust policy in advance and want to use an External ID that you generated, you’ll also need a copy of the External ID.
- Know which AWS Storage Class you want to choose if creating a MASV to Cloud connection.
- Know your S3 path (which folder you want to connect with).
To integrate an Amazon S3 bucket with MASV using key-based access
1. In the MASV Web App, as a Team Owner or Admin (role), from the sidebar on the left, select Integrations.
2. On the Integrations page, select the Available Integrations tab.
3. Select Amazon S3.
4. In the Add Integration window, enter or select the information required:
   - Connection Name: Type a meaningful name. This name will display in the My Integrations list.
   - Bucket: Name of the Amazon S3 bucket.
   - Access Key ID: Copy and paste the AWS Access Key ID.
   - Secret Access Key: Copy and paste the AWS Secret.
   - Region: Choose the AWS Region for your bucket.
   - Storage Class: Choose from Standard, Glacier, Intelligent Tiering, One-Zone, and more.
   - Transfer Direction: Select one of the following options:
     - Save to storage: For inbound files (Write)--MASV transfers files to the storage device.
     - Send from storage: For outbound files (Read)--MASV transfers files out of the storage device.
5. Choose any of the following optional settings:
   - (Optional for Save to storage) In the Target Directory box, type a relative path. You will be able to edit this directory from the MASV Web App as needed.
   - (Optional for Save to storage) In the Parent Folder Options, leave the checkbox unselected if you want to save the files in a directory that uses the package name. To deliver directly into the Target Directory, select the checkbox.
   - (Optional for Send from storage) In Source Directories, type a relative path to limit access to a specific folder/directory. You will be able to edit this directory from the MASV Web App as needed.
6. Select the Connect button.
7. Refresh the page to update the list and status of the connections.
To integrate an Amazon S3 bucket with MASV using IAM role-based access
1. In the MASV Web App, as a Team Owner or Admin (role), from the sidebar on the left, select Integrations.
2. On the Integrations page, select the Available Integrations tab.
3. Select Amazon S3.
4. In the Add Integration window, select the Role-based radio button.
5. Enter or select the information required for the following fields:
   - Connection Name: Type a meaningful name. This name will display in the My Integrations list.
   - Bucket: Name of the Amazon S3 bucket that you want to connect.
   - Role ARN: Copy and paste the Role ARN from AWS.
   - External ID: Copy this ID and save it to the Custom Trust policy for the IAM Role in AWS.
   - Region: Choose the AWS Region for your bucket.
   - Storage Class: Choose from Standard, Glacier, Intelligent Tiering, One-Zone, and more.
   - Transfer Direction: Select one of the following options:
     - Save to storage: For inbound files (Write)--MASV transfers files to the storage device.
     - Send from storage: For outbound files (Read)--MASV transfers files out of the storage device.
6. Choose any of the following optional settings:
   - (Optional for Save to storage) In the Target Directory box, type a relative path. You will be able to edit this directory from the MASV Web App as needed.
   - (Optional for Save to storage) In the Parent Folder Options, leave the checkbox unselected if you want to save the files in a directory that uses the package name. To deliver directly into the Target Directory, select the checkbox.
   - (Optional for Send from storage) In Source Directories, type a relative path to limit access to a specific folder/directory. You will be able to edit this directory from the MASV Web App as needed.
7. Select the Connect button.
8. Refresh the page to update the list and status of the connections.
That's it! After authentication, the service is connected with MASV. You can now: