Commit

Merge pull request #334 from nasa/feature/ORCA-552
ORCA-552 Update cross-account access docs
AndrewDorn committed Oct 12, 2022
1 parent 33e0a91 commit 30066d1
Showing 1 changed file with 31 additions and 26 deletions.
@@ -82,16 +82,16 @@ Error: Error putting S3 notification configuration: AccessDenied: Access Denied

:::

### Filling out the form
### Via NGAP form

First, create a NASD ticket for cross account bucket access. This is a turn key
request to NGAP. The link to create a ticket is available
[here](https://bugs.earthdata.nasa.gov/servicedesk/customer/portal/7/create/80).
If your accounts are both within EDC, you may skip to [the primary method](#via-aws-gui).
Otherwise, create a NASD ticket for cross account bucket access.
This is a turn key request to NGAP. The link to create a ticket is available
[here](https://bugs.earthdata.nasa.gov/servicedesk/customer/portal/7/create/85).

Next, fill out the form. The sections below provide information on the data needed
The sections below provide information on the data needed
for each of the fields and where to look for information.


#### Project Name

This is the name of the Disaster Recover OU where the ORCA archive bucket resides.
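Review bot: the service desk link changes from `.../create/80` to `.../create/85` with no mention in the commit message or the surrounding text; confirm that 85 is the intended request type and say so in the PR description, since a wrong form number routes users to the wrong NGAP queue. Also, `turn key` should be `turnkey` and `cross account` should be hyphenated (`cross-account`) in both the removed and the added lines, and the context line `Disaster Recover OU` should read `Disaster Recovery OU` to match the `Disaster Recovery OU` wording used later in this file.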
@@ -100,13 +100,11 @@ account and is usually in the format of \[project name\]-app-\[application name\
For example, an ORCA disaster recovery OU project name may look like the following
orca-app-dr-sandbox-1234.


#### Account Type:

This is the OU environment the bucket resides in. Typical values for this field
are Sandbox, SIT, UAT, and Production.


#### Business Justification:

This is the business justification for the cross account bucket access. Below is
@@ -119,7 +117,6 @@ an example of a justification.
> seamlessly perform these functions and provide operators with the capability to
> test and verify disaster recovery scenarios.

#### Bucket Names(s):

This is the name of the ORCA archive bucket created in the Disaster Recover OU.
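Review bot: the context heading `#### Bucket Names(s):` is a typo for `#### Bucket Name(s):` and could be corrected while this section is being touched; the same applies to `Disaster Recover OU` on the line that follows it.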
@@ -132,6 +129,14 @@ Below is an example name of an ORCA archive bucket and ORCA report bucket.

The policy section is the JSON policy requested for the ORCA archive bucket in
the Disaster Recovery OU.
See [the section below](#via-aws-gui) for policy document examples.

### Via AWS GUI

For each of the buckets listed below
go to AWS, open the bucket in question, click "Permissions",
then under "Bucket policy" click "Edit".
The policy given, once modified, can be pasted into this form.

##### Archive Bucket:

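Review bot: the new `### Via AWS GUI` section is followed directly by `##### Archive Bucket:`, skipping the `####` level, so the heading hierarchy no longer nests; either promote the bucket headings to `####` or place them under a `#### Policy` subheading. The added sentence `The policy given, once modified, can be pasted into this form.` still says `this form`, but this section is now the primary method for EDC accounts, where no form is involved; rephrase to say the modified policy is either saved in the bucket policy editor opened in the previous sentence or attached to the NASD ticket. Also add a comma after `listed below` in `For each of the buckets listed below go to AWS`, and double-check that the cross-reference `[the section below](#via-aws-gui)` in the NGAP form section matches the slug generated for this heading.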
@@ -140,13 +145,13 @@ modifications, which will be detailed below.

```json
{
"Version":"2012-10-17",
"Statement":[
"Version": "2012-10-17",
"Statement": [
{
"Sid":"Cross Account Access",
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::012345678912:root"
"Sid": "Cross Account Access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::012345678912:root"
},
"Action":[
"s3:GetObject*",
@@ -158,25 +163,25 @@ modifications, which will be detailed below.
"s3:PutInventoryConfiguration",
"s3:ListBucketVersions"
],
"Resource":[
"Resource": [
"arn:aws:s3:::PREFIX-orca-archive",
"arn:aws:s3:::PREFIX-orca-archive/*"
]
},
{
"Sid":"Cross Account Write Access",
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::012345678912:root"
"Sid": "Cross Account Write Access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::012345678912:root"
},
"Action":"s3:PutObject*",
"Resource":[
"Action": "s3:PutObject*",
"Resource": [
"arn:aws:s3:::PREFIX-orca-archive/*"
],
"Condition":{
"StringEquals":{
"s3:x-amz-acl":"bucket-owner-full-control",
"s3:x-amz-storage-class":[
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"s3:x-amz-storage-class": [
"GLACIER",
"DEEP_ARCHIVE"
]
