Amazon S3

Amazon S3 provides object storage to access data over the internet. The data is stored inside a resource called a “bucket.” Each bucket can hold as many objects as you want. Administrators control access to their storage bucket and who can read, write, or delete data objects in that bucket. For more detailed information, visit the Amazon Web Services website.

Setting Up an Amazon S3 Bucket

After setting up an AWS Account, you will need to create an Amazon S3 bucket to store ProfileUnity files using the following steps:

  1. Log in to the AWS Management Console and open the Amazon S3 console.
  2. Click the Create bucket option.
  3. On the Create bucket screen that appears, complete the following fields:
    • Bucket name. All bucket names must be unique across all regions. Therefore, the recommended name format is yourcompanyname-bucketuse-bucketregion where bucketuse is what this particular bucket is being used for (in this case, ProfileUnity) and bucketregion is the AWS region where this bucket will be stored. Here are a few additional naming requirements:
      • The name must be unique across all existing bucket names in Amazon S3.
      • The name must not contain uppercase characters.
      • The name must start with a lowercase letter or number.
      • The name must be between 3 and 63 characters long.
      • After you create the bucket, you cannot change the name, so choose wisely.
      • Choose a bucket name that reflects the objects in the bucket because the bucket name is visible in the URL that points to the objects that you are going to put in your bucket.
    • Region. Typically, customers choose a region that is close in proximity to reduce latency and costs, or to meet regulatory requirements. Refer to the AWS website for a list of Amazon S3 Regions and Endpoints.
  4. Click Next.
  5. On the Set properties screen that appears, no changes in settings are needed. Click Next.
  6. On the Set permissions screen, complete the following fields:
    1. Leave the default owner with full read and write access.
    2. Set Manage public permissions to “Do not grant public read access to this bucket.”
    3. Set Manage system permissions to “Do not grant Amazon S3 Log Delivery group write access to this bucket.”
  7. Click Next.
  8. On the Review screen, check your settings, then click Create bucket when you are ready to commit your configuration settings.

Creating Folders

After the ProfileUnity bucket is set up, you will want to create folders for different types of data files.

The Amazon S3 structure provides a very flat file structure. Each bucket simply holds your data objects. You cannot have a hierarchy of buckets inside buckets or sub-buckets. However, you can use the Amazon S3 Console to emulate a view of subfolders inside your ProfileUnity bucket.

From the Amazon S3 Console, select the ProfileUnity bucket you created. Then click the Create Folder button and enter the name of your folder. Repeat until all of the following folders have been created:

  • configurations
  • portability
  • flexapp

Granting Access to the ProfileUnity Management Console and Client

In order for ProfileUnity to make use of the Amazon S3 cloud storage, ProfileUnity will have to log in to AWS. We do not want to use the default or root AWS admin account. Instead, we need to set up two separate accounts for ProfileUnity—one for the Management Console and one for the client.

AWS Identity and Access Management (IAM) allows you to securely manage access to all AWS services. IAM allows you to create AWS users and groups while using permissions and roles to control user account access to data. AWS does not charge per IAM account. It only charges for the use of AWS services by those user accounts. Creating two separate AWS users for ProfileUnity allows you to fine-tune permissions and audit ProfileUnity Management Console and Client activity more closely.

To create the ProfileUnity Management Console’s AWS user account, complete the following steps:

  1. Log in to the AWS Management Console.
  2. Open the IAM console.
  3. Click the Users option in the left column.
  4. Click the Add user button at the top of the user list.
  5. In the Set user details section, create a username for the Management Console user, such as profileunity-console.
  6. In the Select AWS access type section, select the Programmatic access checkbox.
  7. Click the Next: Permissions button.
  8. On the Set permissions for <username> page, select the Attach existing policies directly option.
  9. Click the Create Policy button to attach the policies from the option you selected in Step 8.
  10. On the Create policy screen that opens, click the JSON tab.
  11. Go to the following location and copy the JSON code located there: http://download.liquidwarelabs.com/ProfileUnity.NET/AWS-ProfileUnityConsole-UserPolicyv1.1.txt
  12. Paste the JSON code into the JSON policy tab.
  13. Edit the Amazon S3 bucket information on lines 15, 24, and 33 to match the ProfileUnity bucket name you created earlier.
  14. Click the Review policy button.
  15. Give the policy a name, such as profileunity-console.
  16. Click Create Policy.
  17. Return to the original browser tab to finish creating the user.
  18. Go back to the Set permissions for <username> step for the user and click the Refresh button to update the policy list.
  19. In the Search field, enter the name of the policy you just created; for example, profileunity-console.
  20. Locate the new policy in the list and then select the checkbox next to its name.
  21. Click the Next: Review button.
  22. Review the information for the new user, then click Create User.
  23. The new user will be created. At this time, you will be given the user’s Access Key ID and Secret Access Key. Make sure to document these credentials and keep them in a safe place. You can also download them as a CSV file. If you forget or lose these keys, you will NOT be able to access them again. However, you can create a new Access and Secret key to reset your credentials.

To create the ProfileUnity Client’s AWS user account:

  1. Follow the same steps that you used above for creating the Management Console’s AWS user account.
  2. Use a descriptive name for the user account, such as profileunity-client.
  3. You will need to copy a different policy code for the Client user account. Go to the following location and copy the JSON code located there: http://download.liquidwarelabs.com/ProfileUnity.NET/AWS-ProfileUnityClient-UserPolicyv1.1.txt
  4. Paste the code into the JSON policy tab.
  5. Edit the Amazon S3 bucket information on lines 15, 20, 25, and 34 to match the ProfileUnity bucket name you created earlier.
  6. Remember to search for and select the new profileunity-client policy for this new ProfileUnity Client user.
  7. After the client user has been created, document and save the Access Key ID and the Secret Access Key.
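As an added example (not Liquidware's code, and not the downloadable policy files, which are not reproduced here), the following Python script checks two things from the steps above: that a chosen bucket name meets the naming rules from the bucket setup section, and that every S3 resource in a policy document has been edited to point at that bucket rather than a leftover placeholder. The bucket name and the sample policy are constructed for illustration.

```python
import json
import re
from typing import Dict, List, Optional

# Bucket naming rules from the setup steps: lowercase letters, digits, dots and
# hyphens only, first character a letter or digit, 3 to 63 characters long.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{2,62}$")

def valid_bucket_name(name: str) -> bool:
    """True when name satisfies the naming rules listed in the bucket setup steps."""
    return BUCKET_NAME_RE.fullmatch(name) is not None

def bucket_from_arn(arn: str) -> Optional[str]:
    """Return the bucket named by an S3 ARN (arn:aws:s3:::bucket[/key]), else None."""
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix):
        return None
    return arn[len(prefix):].split("/", 1)[0]

def policy_problems(policy: Dict, expected_bucket: str) -> List[str]:
    """Findings for a policy document: wildcard resources, and S3 resources that
    still point at a bucket other than expected_bucket (e.g. an unedited line)."""
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            if res == "*":
                problems.append(f"statement {i}: wildcard Resource grants access to every bucket")
                continue
            bucket = bucket_from_arn(res)
            if bucket is not None and bucket != expected_bucket:
                problems.append(f"statement {i}: {res} names bucket '{bucket}', expected '{expected_bucket}'")
    return problems

# Constructed sample policy (not the downloadable ProfileUnity policy): the first
# statement was edited to the real bucket, the second still has a placeholder.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::acme-profileunity-us-east-1"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::your-bucket-name/configurations/*"}
  ]
}""")
```

Run `policy_problems(json.load(open("policy.json")), "your-real-bucket")` against the pasted policy before clicking Review policy; an empty list means every S3 resource is scoped to your bucket.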

Configuring IAM Role Access

In addition to AWS user accounts, the policies created in the previous section can be applied to other AWS resources as well through IAM roles under Identity and Access Management (IAM) > Access Management > Roles.

To apply a policy to a role, create or select a role, then:

  1. Select Add permissions > Attach policies under the Permissions tab.
  2. Select the desired policy.
  3. Click Add permission.

Once the policy is applied to an IAM role, the role can be attached to an EC2 instance, AppStream fleet, WorkSpace, etc., allowing access to the S3 buckets specified in the policy without requiring the associated access key pairs.

Putting This All Together

After completing all of these instructions to set up your Amazon S3 cloud storage for ProfileUnity, you can install and configure ProfileUnity to make use of your new cloud storage bucket.

When using a cloud storage template, ProfileUnity’s Guided Configuration Wizard prompts you for your Amazon S3 bucket name, your ProfileUnity Console IAM user account credentials, and your ProfileUnity Client IAM user account credentials.

Note that when ProfileUnity refers to Amazon S3 cloud storage paths, they begin with S3://. Here are some examples, where {bucket} is replaced with your ProfileUnity bucket name:

  • Deployment/Console Path: S3://{bucket}/configurations
  • Portability/Client Path: S3://{bucket}/portability/%username%
  • FlexApp Packages Path: S3://{bucket}/flexapp
  • GPO Settings for INI, ProfileUnity as a Service, Client Settings XML Path: S3://{bucket}/startup

You can change your ProfileUnity Console or Client IAM credentials at any time by going to the Cloud Storage Settings section of the Administration screen within the ProfileUnity Management Console.

For more instructions on how to adjust your Licensing and GPO configuration to utilize cloud storage, refer to the ProfileUnity Installation Guide.