Role-based AWS Setup for Mulesoft S3 Connector's On New Object Component (Including Local Run Setup)

This document covers setting up AWS services for use with the Mulesoft S3 Connector's On New Object component. We'll cover the minimum permissions (least-privilege access) this component requires. The S3 Connector here is configured to use AWS IAM role-based authentication, which is only applicable to CloudHub 2.0 deployments targeted at a Private Space. Role-based authentication is only supported by the latest versions of this connector, i.e. 6.2.0+. The On New Object component is an event source that triggers a Mule flow whenever a new file is uploaded to an S3 Bucket; it sends the uploaded file's metadata as the payload. For this component to work, the S3 Bucket must have a notification configuration attached to it with the destination set to an SQS Queue.

At the end, we'll look at how to deploy and run such a Mulesoft application locally.

Let’s begin...

Pre-requisites

  • Anypoint Studio (S3 Connector V6.2.0+)
  • Mulesoft Anypoint Platform Account
  • Private Space in Anypoint Platform
  • AWS Account
  • S3 Bucket and SQS Queue in AWS

Anypoint Platform Setup

First, let's enable the AWS Service Role in your Private Space. Log in to your Anypoint Platform account and head over to Runtime Manager. From the left-hand side menu, click on Private Spaces, then click on the Private Space that you have created.

Anypoint Platform: Private Space

Here, click on the Advanced tab and scroll to the bottom. Under the AWS Service Role section, check ✔ mark the Enable AWS Service Role box and click Save Changes.

Anypoint Platform: Private Space | Enable Service Role

Copy the Role ARN generated by Mulesoft. We'll use it when setting up the Trust policy of the AWS IAM Role.

SQS Queue Access Policy

Let's set up the SQS Queue Access Policy first. Log in to your AWS account and head over to the SQS Queue you have. Click on the Access Policy tab and then click on the Edit button.

AWS SQS Queue: Access Policy

Now, modify the policy as shown below and Save changes.

AWS SQS Queue: Access Policy Snippet

Policy Snippet -

{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": { "Service": "s3.amazonaws.com" },
      "Action": "SQS:SendMessage",
      "Resource": "<YOUR-SQS-QUEUE-ARN-HERE>",
      "Condition": { "ArnLike": { "aws:SourceArn": "<YOUR-S3-BUCKET-ARN-HERE>" } }
    }
  ]
}

S3 Bucket Notification Configuration

Now, let's set up the S3 Bucket Notification Configuration. Open the Properties section of the S3 Bucket you wish to use.

S3 Bucket

Scroll down to the Event notifications section and click on the Create event notification button.

S3 Bucket: Event Notifications

Type in an Event name of your choice (this will be used in the On New Object component in Anypoint Studio later). Also, in the Event types section, check ✔ mark the All object create events box.

S3 Bucket: Create Event Notification

Scroll down further to the Destination section and select the SQS queue you just configured from the drop-down. Click Save changes.

S3 Bucket: Create Event Notification | Destination

Please note that if you have not configured the Access Policy of your SQS Queue before this step, AWS won't allow you to Save changes here, because it verifies that S3 is permitted to send messages to the queue.

IAM Role Setup

Now, we create an IAM Role. In the IAM dashboard, from the left-hand side menu, click on Roles and then click on the Create role button.

IAM Role

Now, in Step 1, select Custom trust policy and modify the policy as shown below.

IAM Role: Custom Trust Policy Snippet

Policy Snippet -

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<YOUR-PRIVATE-SPACE-SERVICE-ROLE-ARN-HERE>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Click Next.

Now, in Step 2, click on the Create policy button.

IAM Role: Create Permission Policy

A new browser tab will open. Here, you'll create a new policy. Switch to the JSON format and modify the policy as shown below.

IAM Role: Permission Policy Snippet

Policy Snippet -

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "sqs:DeleteMessage", "sqs:ReceiveMessage"
      ],
      "Resource": "<YOUR-SQS-QUEUE-ARN-HERE>"
    },
    {
      "Sid": "Statement2",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket", "s3:GetBucketNotification"
      ],
      "Resource": "<YOUR-S3-BUCKET-ARN-HERE>"
    },
    {
      "Sid": "Statement3",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject", "s3:DeleteObject", "s3:PutObject"
      ],
      "Resource": "<YOUR-S3-BUCKET-ARN-HERE>/*"
    }
  ]
}

Please note that Statement3 here grants full read/write access to the contents of the S3 Bucket; you can modify or remove it as per your requirements.
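The SQS access policy, the trust policy and the permission policy above are the whole least-privilege boundary of this integration, so it is worth checking them mechanically before saving them. The following is an added Python example (not from the original post or from Mulesoft) that flags the usual regressions: wildcard actions or resources, object actions not scoped to the bucket's "/*" resource, a trust policy that admits anything other than the single expected principal, and an SQS queue policy without the aws:SourceArn condition. The ARNs in its sample are constructed placeholders; the same trust-policy check applies to the role created in the Local Run Setup section.

```python
def _as_list(v):  # IAM allows string-or-list for Action, Resource, Principal
    return v if isinstance(v, list) else [v]

def check_trust_policy(policy, trusted_arn):
    """Trust policy must allow only sts:AssumeRole, and only to trusted_arn."""
    findings = []
    for st in _as_list(policy["Statement"]):
        sid = st.get("Sid", "?")
        if [a.lower() for a in _as_list(st.get("Action", ""))] != ["sts:assumerole"]:
            findings.append(f"{sid}: trust policy should allow only sts:AssumeRole")
        if _as_list(st.get("Principal", {}).get("AWS", [])) != [trusted_arn]:
            findings.append(f"{sid}: principal must be exactly {trusted_arn}")
    return findings

def check_permission_policy(policy, queue_arn, bucket_arn):
    """Queue actions -> queue ARN, bucket actions -> bucket ARN, object actions -> bucket/*, no wildcards."""
    object_actions = {"s3:getobject", "s3:putobject", "s3:deleteobject"}
    findings = []
    for st in _as_list(policy["Statement"]):
        sid = st.get("Sid", "?")
        actions = [a.lower() for a in _as_list(st["Action"])]
        resources = _as_list(st["Resource"])
        if any("*" in a for a in actions) or "*" in resources:
            findings.append(f"{sid}: wildcard action or resource")
        for a in actions:
            want = (queue_arn if a.startswith("sqs:")
                    else bucket_arn + "/*" if a in object_actions else bucket_arn)
            if resources != [want]:
                findings.append(f"{sid}: {a} should be scoped to {want}")
    return findings

def check_sqs_access_policy(policy, queue_arn, bucket_arn):
    """Queue policy: only the S3 service, only SendMessage, only from our bucket."""
    findings = []
    for st in _as_list(policy["Statement"]):
        sid = st.get("Sid", "?")
        if st.get("Principal") != {"Service": "s3.amazonaws.com"}:
            findings.append(f"{sid}: principal must be the S3 service only")
        if [a.lower() for a in _as_list(st["Action"])] != ["sqs:sendmessage"]:
            findings.append(f"{sid}: only SQS:SendMessage is needed")
        if _as_list(st["Resource"]) != [queue_arn]:
            findings.append(f"{sid}: resource must be the queue ARN")
        src = st.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn")
        if src != bucket_arn:
            findings.append(f"{sid}: aws:SourceArn must pin the bucket (confused deputy)")
    return findings

if __name__ == "__main__":  # constructed sample with placeholder ARNs
    loose = {"Statement": [{"Sid": "S1", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    print(check_permission_policy(loose, "arn:aws:sqs:us-east-1:123456789012:q", "arn:aws:s3:::b"))
```

Run it against the three policies (loaded with json.load) before pasting them into the console; an empty list from each checker means the policy matches the shape shown above.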

Click Next. Give this policy a Name and then click Create policy.

IAM Role: Policy Create Finish

Now, go back to the previous tab. Click on the Refresh button and then find the policy you just created using the search field. Check ✔ mark the box in front of the policy to attach it to your role and click Next.

IAM Role: Attach Policy

Give this role a Name and then click Create role.

IAM Role: Create Finish

Now that the IAM Role is created, copy its ARN, as we will use it in Anypoint Studio.

S3 Connector Configuration

In your Anypoint Studio, drag and drop the On New Object component from the S3 Connector (V6.2.0+). In the Connector configuration, set Try Default AWSCredentials Provider Chain to True. Choose the Edit inline option in the Role drop-down and, in the ARN field, paste the ARN of the IAM Role that you just created in the previous step.

S3 Connector Configuration: Role ARN

Scroll down and set a dummy value in the Access Key and Secret Key fields. Also, check the AWS Region Endpoint field. It must be the same region where your S3 Bucket and SQS Queue live.

S3 Connector Configuration: Keys & Region

In the On New Object component's General section, enter your S3 Bucket name as highlighted below.

S3 On New Object: General

Also, under the Advanced section, in Configuration Name field, enter your S3 Bucket's Event Notification Configuration Name.

S3 On New Object: Advanced

Please note that if you try to run the code in a local environment, it will not work. Role-based authentication only works for code deployed to CloudHub 2.0 in a Private Space.

Local Run Setup

As previously mentioned, role-based authentication won't work when the code runs locally. To run this code in a local environment, we need an IAM user which can assume an IAM role. For authentication, we will generate access keys in the IAM user configuration, and for authorization, we will attach a permission policy to the IAM role.

So, let's create the IAM user as shown -

Local Run | IAM User Creation Step 1

There is no need to add this user to any User groups or attach any permissions to it. Click Next.

Local Run | IAM User Creation Step 2

Review and click Next.

Local Run | IAM User Creation Step 3

Copy the IAM user ARN as we'll need it when we create the IAM role. Scroll down to the Access keys section and click Create access key button.

Local Run | IAM User ARN | Creating Access Key

Select Other in the Use case section and click Next. Add a description tag if you want and then click the Create access key button to finish creating access keys for this IAM user.

Local Run | IAM User | Create Access Key Step 1
Local Run | IAM User | Create Access Key Step 2

Copy or download the Access key and Secret access key, as we'll need them later. Click Done.

Local Run | IAM User | Create Access Key Step 3

Next, we create another IAM role and set up its Trust policy such that the IAM user created above can assume it.

Local Run | IAM Role Creation Step 1

Policy Snippet -

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<YOUR-IAM-USER-ARN-HERE>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Click Next. On the Add permissions step, attach the same Permission policy that we attached to our previously created IAM role and click Next.

Local Run | IAM Role Creation Step 2

Give this IAM role a Name and click Create role.

Local Run | IAM Role Creation Step 3

Once created, copy the IAM role ARN and save it somewhere.

Local Run | IAM Role ARN

Finally, open the S3 Connector Configuration in Anypoint Studio. Turn the values of the following fields into Property Placeholders -

  • Try Default AWSCredentials Provider Chain (Switch to Configuration XML mode to turn this field into a property)
  • Role ARN
  • Access Key
  • Secret Key

Now, whenever you run the code in a local environment, just use Runtime variables to override those properties with the following values -

  • Try Default AWSCredentials Provider Chain = False
  • Role ARN = IAM role ARN that we just created
  • Access Key = Access Key of the IAM user we just created
  • Secret Key = Secret Access Key of the IAM user we just created

Remember that for CloudHub deployments, the values of those Runtime variables will be different, as explained in the previous sections.

That's it.

Troubleshooting Common Issues

I don’t think anyone will encounter any issues using this guide so I will leave the common issues part blank this time :)
