During cluster provisioning, Oracle installation files are downloaded from an S3 bucket. The list of files that must be placed in the S3 bucket is shown on the Oracle Files tab of the FlashGrid cluster Launcher tool.
Two options are available for allowing access to the files in the S3 bucket for the cluster node instances:
- Enabling public access to each file for the duration of cluster deployment

OR

- Assigning the cluster node instances an IAM role that has permissions for accessing files in the bucket
To allow public access to the files in S3
- Create an S3 bucket/folder for uploading the installation files:
  - Select ACLs enabled in the Object Ownership section when creating the bucket.
  - De-select Block all public access in the Block Public Access settings for this bucket section.
- Upload the required files to the S3 bucket/folder
- In S3 Management Console navigate to the bucket and the folder to see the list of files
- Select the file(s) that you wish to make public, then select Actions -> Make public using ACL
- Review the list of file(s) and select Make public
- You can disable public access to those file(s) after the cluster completes initialization:
  - In the S3 console, navigate to the bucket / folder
  - Click on each file individually in the bucket list
  - Select Permissions, Edit, and de-select the Read option alongside Everyone (public access)
To use an IAM role for access to the files in S3
- Create an S3 bucket/folder for uploading the installation files
- Upload the required files to the S3 bucket/folder
- In IAM Management Console create a new policy named GetOracleFilesFromS3 that allows the s3:GetObject action on all uploaded files. See an example below.
- In IAM Management Console create a new role named GetOracleFilesFromS3 for the EC2 service and attach the GetOracleFilesFromS3 policy to it.
  Note: If you have to use the CLI (instead of the Management Console) to create the IAM role, you additionally need to create an instance profile with the same name as the IAM role: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
- Use the GetOracleFilesFromS3 role when configuring cluster parameters in the FlashGrid cluster Launcher tool.
Example of an IAM policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1508867055000",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucket/mydirectory/*"
            ]
        }
    ]
}
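
For the CLI route mentioned in the note above, the following added example (not FlashGrid's own code) creates the policy, the role for the EC2 service, and the instance profile with the same name as the role. The bucket and folder are the placeholders from the sample policy, and the function names are hypothetical.

```shell
# Added example: CLI equivalent of the IAM console steps.
# NAME is the role/policy name used on this page; BUCKET and PREFIX are placeholders.
NAME="GetOracleFilesFromS3"
BUCKET="mybucket"
PREFIX="mydirectory"

# Permissions policy: read-only access to the objects under the upload folder.
permissions_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": ["arn:aws:s3:::${BUCKET}/${PREFIX}/*"]
  }]
}
EOF
}

# Trust policy: only the EC2 service may assume the role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Creates policy, role and instance profile; stops at the first failing call.
create_role_and_profile() {
  policy_arn=$(aws iam create-policy --policy-name "$NAME" \
      --policy-document "$(permissions_policy)" \
      --query 'Policy.Arn' --output text) || return 1
  aws iam create-role --role-name "$NAME" \
      --assume-role-policy-document "$(trust_policy)" || return 1
  aws iam attach-role-policy --role-name "$NAME" --policy-arn "$policy_arn" || return 1
  # The console creates the instance profile for an EC2 role automatically;
  # with the CLI it must be created and linked to the role explicitly.
  aws iam create-instance-profile --instance-profile-name "$NAME" || return 1
  aws iam add-role-to-instance-profile \
      --instance-profile-name "$NAME" --role-name "$NAME"
}
```

Source the file and call `create_role_and_profile` with credentials that are allowed to manage IAM.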