Version: 2025.11

Object Store Configuration

The Istari platform uses an S3 bucket or Azure Blob Storage container to store files and file-like entities. This object store is used to store files that are uploaded by users, and files that are generated by the Istari Digital platform.

info

You only need to create one object store, of your choice: an AWS S3 bucket or an Azure Blob Storage container (support for GCP object storage is planned for a later release).

note

All end users of the Istari platform must have network access to the chosen object store (the "Data Plane"). The backend "Control Plane" component of the Istari installation is the only component of the stack that requires privileged access to the bucket or container (that access is detailed later on this page). After access checks are enforced, end users are handed presigned, time-limited S3 URLs, issued per access, which they use to reach the object store directly; the object store credentials themselves never leave the Control Plane.

AWS S3 Bucket

Create S3 Bucket

To create an S3 bucket, follow these steps:

  1. Log in to the AWS Management Console.
  2. Choose the region where you want to create the bucket.
  3. Navigate to the S3 service.
  4. Click on Create bucket.
  5. Under General configuration, make sure to keep the General purpose option selected.
  6. Enter a unique name for the bucket. The name should be globally unique across all AWS accounts.
  7. Under Object Ownership, make sure to keep the ACL disabled option selected.
  8. Under Block Public Access settings for this bucket, make sure to keep the Block all public access option selected.
  9. Tune the Versioning and Encryption settings according to your needs. For example, you can enable versioning to keep multiple versions of an object in the bucket. Server-side encryption with S3-managed keys (SSE-S3) is on by default; if you choose SSE-KMS instead, the identity that signs presigned URLs must also be allowed to use that KMS key, otherwise the URLs fail with Access Denied.
  10. Under Advanced settings, you can leave the default settings or configure them according to your needs.
  11. Click on Create bucket.

For more information, refer to the AWS documentation.

S3 Bucket Configuration

This bucket should keep the default "Block all public access" setting (with ACLs disabled, as chosen above), so that only identities granted access through IAM can reach it. It must also carry the following Cross Origin Resource Sharing (CORS) configuration, which is what allows the browser-based Istari client to call presigned URLs on the bucket. Note that ExposeHeaders is empty, so the browser cannot read S3 response headers such as ETag; extend it only if your Istari version's client needs them.

CORS Configuration

```json
[
  {
    "AllowedHeaders": [
      "*"
    ],
    "AllowedMethods": [
      "GET",
      "POST",
      "HEAD",
      "PUT",
      "DELETE"
    ],
    "AllowedOrigins": [
      "https://istari.customer_domain.com",
      "https://v2.istari.customer_domain.com"
    ],
    "ExposeHeaders": []
  }
]
```

Replace istari.customer_domain.com with the customer's domain and Istari Digital subdomain, e.g. istari.example.com. Each origin must match the scheme and host the Istari web UI is served from exactly; do not substitute a wildcard, since that would let any web page make credentialed requests against presigned URLs from the user's browser.
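As an added example (not part of the Istari documentation or product), the following audit checks the three bucket settings required above: all four Block Public Access flags on, ACLs disabled (BucketOwnerEnforced), and a CORS rule limited to exact https origins of the Istari UI with the five required methods. It operates on the JSON shapes that `aws s3api get-public-access-block`, `get-bucket-ownership-controls` and `get-bucket-cors` return. The two sample configurations are constructed, not captured from a real bucket, and istari.example.com is a placeholder domain.

```python
"""Offline audit of the bucket settings this page requires (added example, not Istari's code)."""
import json
import sys

REQUIRED_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(public_access_block: dict, ownership_controls: dict, cors: dict, expected_origins) -> list:
    """Return a list of findings; an empty list means the bucket matches the requirements."""
    findings = []

    # 1. Block Public Access: every flag must be explicitly true.
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    for flag in PAB_FLAGS:
        if pab.get(flag) is not True:
            findings.append(f"public access block: {flag} is not enabled")

    # 2. Object Ownership: "ACLs disabled" in the console is BucketOwnerEnforced in the API.
    rules = ownership_controls.get("OwnershipControls", {}).get("Rules", [])
    if not any(rule.get("ObjectOwnership") == "BucketOwnerEnforced" for rule in rules):
        findings.append("object ownership: ACLs are still enabled (expected BucketOwnerEnforced)")

    # 3. CORS: only the exact https origins of the Istari UI, and all methods the client uses.
    expected = set(expected_origins)
    allowed_methods = set()
    for rule in cors.get("CORSRules", []):
        for origin in rule.get("AllowedOrigins", []):
            if "*" in origin:
                findings.append(f"cors: wildcard origin {origin!r}")
            elif not origin.startswith("https://"):
                findings.append(f"cors: non-https origin {origin!r}")
            elif origin not in expected:
                findings.append(f"cors: origin {origin!r} is not an Istari UI origin")
        allowed_methods.update(rule.get("AllowedMethods", []))
    missing = sorted(REQUIRED_METHODS - allowed_methods)
    if missing:
        findings.append("cors: allowed methods missing " + ", ".join(missing))
    return findings


# Constructed sample data in the shape of the aws s3api JSON output (placeholder domain).
ISTARI_ORIGINS = ["https://istari.example.com", "https://v2.istari.example.com"]

GOOD_PAB = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
GOOD_OWNERSHIP = {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}]}}
GOOD_CORS = {"CORSRules": [{"AllowedHeaders": ["*"],
                            "AllowedMethods": ["GET", "POST", "HEAD", "PUT", "DELETE"],
                            "AllowedOrigins": ISTARI_ORIGINS, "ExposeHeaders": []}]}

# A misconfigured bucket: one BPA flag off, ACLs enabled, wildcard and http origins, methods missing.
BAD_PAB = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                              "BlockPublicPolicy": False, "RestrictPublicBuckets": True}}
BAD_OWNERSHIP = {"OwnershipControls": {"Rules": [{"ObjectOwnership": "ObjectWriter"}]}}
BAD_CORS = {"CORSRules": [{"AllowedHeaders": ["*"], "AllowedMethods": ["GET", "PUT"],
                           "AllowedOrigins": ["*", "http://istari.example.com"], "ExposeHeaders": []}]}

if __name__ == "__main__":
    if len(sys.argv) >= 5:
        # Usage: audit.py pab.json ownership.json cors.json https://istari.example.com [...]
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2, open(sys.argv[3]) as f3:
            result = audit_bucket(json.load(f1), json.load(f2), json.load(f3), sys.argv[4:])
    else:
        result = audit_bucket(BAD_PAB, BAD_OWNERSHIP, BAD_CORS, ISTARI_ORIGINS)
    for finding in result:
        print(finding)
    sys.exit(1 if result else 0)
```

Run against saved CLI output to get a non-zero exit on any drift from the required settings; the constructed "bad" bucket above produces five findings, the "good" one none.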

The name of this bucket should be used to populate the environment variable FILE_SERVICE_OBJECT_STORE_NAME in later steps.

Create User & Credentials

Create an IAM user with full privileges on this S3 bucket, scoped to the bucket itself and the objects in it (the bucket ARN and bucket ARN/*) rather than to all S3 resources in the account. Then generate an access key pair for it; the values populate the environment variables FILE_SERVICE_OBJECT_STORE_ACCESS_KEY and FILE_SERVICE_OBJECT_STORE_SECRET_KEY in later steps. Treat the secret key as a production secret: keep it in your secrets manager, never in source control, and rotate it like any other long-lived credential.

Registry Service Machine User IAM permissions for Object Stores

The Istari Registry Service controls access for all Istari users wishing to access or upload files, Models and artifacts in an Istari installation. The Registry Service Machine User identity must have specific permissions on any object stores associated with tenants in an Istari installation.

These permissions allow the Registry Service Machine User to generate presigned URLs that Istari users use to access files and models, without exposing object store credentials to users. A presigned URL can never do more than the identity that signed it, so the permissions granted to this machine user are also the upper bound on what any issued URL can do.
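To make the mechanism described in the note near the top of this page and in the paragraph above concrete, here is an added example (not Istari's code) of how a control-plane service mints a presigned S3 GET URL with SigV4 query-string authentication, together with the server-side check, modelled on what S3 does, that rejects a URL whose expiry or object key was edited after signing. It uses only the Python standard library; the bucket, key, timestamp and non-functional credentials are the public AWS SigV4 documentation test vector, and `verify_presigned` is an illustration of S3's behaviour, not an S3 API.

```python
"""Presigned S3 GET URLs: signing and verification (added example, not Istari's code)."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit

# Public, non-functional test credentials from the AWS SigV4 documentation.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
MAX_EXPIRES = 7 * 24 * 3600  # SigV4 presigned URLs may be valid for at most seven days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, datestamp: str, region: str) -> bytes:
    # kSigning = HMAC(HMAC(HMAC(HMAC("AWS4" + secret, date), region), "s3"), "aws4_request")
    key = ("AWS4" + secret).encode()
    for part in (datestamp, region, "s3", "aws4_request"):
        key = _hmac(key, part)
    return key


def _canonical_query(params: dict) -> str:
    # Sorted by name, every character except unreserved ones percent-encoded (so "/" becomes %2F).
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))


def _signature(host: str, path: str, params: dict, secret: str, region: str) -> str:
    amz_date = params["X-Amz-Date"]
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    canonical_request = "\n".join(
        ["GET", path, _canonical_query(params), f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, amz_date[:8], region), string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket: str, key: str, access_key: str, secret: str, region: str,
                signed_at: datetime, expires: int) -> str:
    """Control-plane side: sign a GET for exactly one object, valid for `expires` seconds."""
    host = f"{bucket}.s3.amazonaws.com"
    path = "/" + quote(key, safe="/-_.~")
    amz_date = signed_at.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature(host, path, params, secret, region)
    return f"https://{host}{path}?{_canonical_query(params)}"


def verify_presigned(url: str, secret: str, now: datetime) -> bool:
    """Modelled on S3's check: the signature is recomputed from the URL's own parameters, so any
    edit to the key, the scope or X-Amz-Expires leaves a signature that no longer matches."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    given = params.pop("X-Amz-Signature", "")
    try:
        _, _, region, service, terminal = params["X-Amz-Credential"].split("/")
        expires = int(params["X-Amz-Expires"])
        signed_at = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False
    if service != "s3" or terminal != "aws4_request" or not 1 <= expires <= MAX_EXPIRES:
        return False
    if now < signed_at or now > signed_at + timedelta(seconds=expires):
        return False  # outside the signed validity window
    expected = _signature(parts.netloc, parts.path, params, secret, region)
    return hmac.compare_digest(given, expected)


def signature_of(url: str) -> str:
    return dict(parse_qsl(urlsplit(url).query))["X-Amz-Signature"]


SIGNED_AT = datetime(2013, 5, 24, tzinfo=timezone.utc)  # timestamp of the AWS test vector


def demo() -> dict:
    url = presign_get("examplebucket", "test.txt", ACCESS_KEY, SECRET_KEY, "us-east-1", SIGNED_AT, 86400)
    soon = SIGNED_AT + timedelta(hours=1)
    return {
        "signature": signature_of(url),
        "valid": verify_presigned(url, SECRET_KEY, soon),
        "expired": verify_presigned(url, SECRET_KEY, SIGNED_AT + timedelta(days=2)),
        "expiry_tampered": verify_presigned(url.replace("X-Amz-Expires=86400", "X-Amz-Expires=604800"), SECRET_KEY, soon),
        "key_tampered": verify_presigned(url.replace("/test.txt?", "/other.txt?"), SECRET_KEY, soon),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The URL binds the method, the object key, the signer's access key and the expiry under an HMAC that only the holder of the secret can produce, which is why handing such a URL to an end user exposes neither the credentials nor any object other than the one named in it.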

For object stores configured as AWS S3 buckets, the Registry Service Machine User must have the following permissions:

  • s3:AbortMultipartUpload
  • s3:GetObject
  • s3:ListBucket
  • s3:PutObject