
AWS S3

Last updated: April 3, 2024


Setting up an S3 Bucket Policy

Enhanced API will deliver imagery to Amazon Web Services S3. The following is a guide on how to add the permissions to the destination bucket so that it will accept the data.

Prerequisites

The following items will need to be in place to receive deliveries from eAPI.

  • You will need an AWS account.
  • An IAM user with sufficient permissions to create and manage bucket instances in S3.
  • If you don’t have an S3 bucket already, create a bucket.
  • The delivery bucket will need to be in an AWS Commercial account (cannot be in AWS GovCloud).
  • In addition, the delivery bucket will need to be created in the us-east-1 region.

Note: The bucket policy only needs to be set up once per bucket. Any time you create a new bucket for eAPI order delivery, set this policy on the bucket.

Steps

1. Add permissions to bucket

For your new bucket to receive imagery, you will have to update the bucket policy to allow the eAPI user role to copy to and read from your bucket. Below is an example bucket policy that you can add to your bucket.

Note: Please contact the Mission Support Team at eapisupport@maxar.com to obtain the eAPI AWS Account number and S3 bucket required for the S3 Policy below.

Bucket policy (copy this):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<CONTACT_EAPI_MISSION_SUPPORT_TEAM_FOR_ACCOUNT_NUMBER>:role/<CONTACT_EAPI_MISSION_SUPPORT_TEAM_FOR_BUCKET_NAME>"
            },
            "Action": [
                "s3:PutObjectAcl",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetObjectAttributes",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<your bucket>/*",
                "arn:aws:s3:::<your bucket>"
            ]
        }
    ]
}

2. Permissions tab

Go to your bucket in AWS and select the “Permissions” tab.

3. Policy section

Scroll down to the “Policy” section and select “Edit”.

4. Paste Policy

Paste the bucket policy from above into the editor and hit save.

5. 🆕 Check your bucket permission (policy)

Test your bucket permissions by using eAPI's checkBucketPermissions endpoints. We have both a GET endpoint and a POST endpoint for your convenience. For either endpoint, if you receive a true response then we were able to copy to your bucket. If you receive false, then there was an issue accessing your bucket. You will want to make sure you copied the policy correctly.

Request Parameters

Parameter   Description
bucket      The bucket you want to check the S3 policy on.
prefix      Directory on the bucket you wish to test.

Note: You will need to have a valid web token in order to test the permission. For detailed information on requesting a token, see the Getting an access token user guide.

🆕 Example 1 - GET endpoint:

curl -X GET "https://eapi.maxar.com/e1so/order/checkBucketPermissions/eapi-user-bucket-test/example" \
 -H "Accept: application/json" \
 -H "Authorization: Bearer <ADD_YOUR_ACCESS_TOKEN_HERE>"

Example 2 - POST endpoint:

curl -X POST "https://eapi.maxar.com/e1so/order/checkBucketPermissions" \
 -H "Accept: application/json" \
 -H "Authorization: Bearer <ADD_YOUR_ACCESS_TOKEN_HERE>" \
 -H "Content-Type: application/json" \
 -d '{"bucket":"eapi-user-bucket-test","prefix":"example"}'
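A local check for copy mistakes in the pasted statement, for use before calling checkBucketPermissions or after it returns false. This is an added example, not Maxar's code: the function name, the problem codes, the account ID 111122223333 and the role name are constructed for illustration.

```python
import re

# The six actions granted by the example policy on this page.
DOCUMENTED_ACTIONS = {
    "s3:PutObjectAcl", "s3:PutObject", "s3:ListBucket",
    "s3:GetObject", "s3:GetObjectAttributes", "s3:DeleteObject",
}
ROLE_ARN = re.compile(r"arn:aws:iam::\d{12}:role/[^<>*]+")

def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def lint_delivery_statement(statement, bucket):
    """Return problem codes for one statement (hypothetical helper, not an eAPI call)."""
    problems = []
    principal = statement.get("Principal", "")
    arns = _as_list(principal.get("AWS", "")) if isinstance(principal, dict) else [principal]
    for arn in arns:
        if "<" in arn:
            problems.append("principal-placeholder")
        elif not ROLE_ARN.fullmatch(arn):
            problems.append("principal-not-role-arn")  # e.g. "*" would grant every principal
    resources = set(_as_list(statement.get("Resource", [])))
    if any("<" in r for r in resources):
        problems.append("resource-placeholder")
    if f"arn:aws:s3:::{bucket}" not in resources:
        problems.append("bucket-arn-missing")   # s3:ListBucket applies to the bucket itself
    if f"arn:aws:s3:::{bucket}/*" not in resources:
        problems.append("object-arn-missing")   # object actions apply to <bucket>/*
    actions = set(_as_list(statement.get("Action", [])))
    if actions - DOCUMENTED_ACTIONS:
        problems.append("extra-actions")        # broader than the page's policy
    if DOCUMENTED_ACTIONS - actions:
        problems.append("missing-actions")
    return problems

# Constructed sample: placeholder account ID and role name; bucket name from the curl examples.
GOOD = {
    "Sid": "", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-eapi-role"},
    "Action": sorted(DOCUMENTED_ACTIONS),
    "Resource": ["arn:aws:s3:::eapi-user-bucket-test/*", "arn:aws:s3:::eapi-user-bucket-test"],
}

if __name__ == "__main__":
    print(lint_delivery_statement(GOOD, "eapi-user-bucket-test"))
```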

Revoking Maxar eAPI "write" access

"Write" access to the bucket can be revoked by either deleting or editing the policy.

The simplest way to revoke access is by deleting the policy.

However, there may be reasons to edit instead. For example:

  • You may have more than one policy statement in a bucket policy. Deleting it will delete all the statements in that policy. If you only want to remove access for eAPI, choose "edit" and then delete only the statement from above.

  • You may only want to revoke eAPI's access temporarily. If you plan to revoke and reinstate access, you can edit the policy instead of deleting it and re-adding it.

Deleting the bucket policy

Next to the bucket policy block in the AWS console, choose "delete." This will delete the entire policy.

Editing the bucket policy

To edit the bucket policy, choose "edit" from the block in the AWS console.

  • If there are multiple access statements in your policy, and you want to retain the others, remove the statement that gives eAPI access and save changes.

  • If you want to revoke access without deleting the bucket policy, edit the "Effect" field value to say "Deny" and save changes. To reinstate access, change the value back to "Allow."
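The edit cases above, worked on the policy document itself: adding the eAPI statement without overwriting statements already on the bucket, removing only that statement, and flipping its "Effect". This is an added example, not Maxar's code; the function names, account IDs, role names and the second statement are constructed, and the eAPI action list is shortened.

```python
import copy

def _names(statement, role_arn):
    """True when the statement's AWS principal is, or includes, role_arn."""
    principal = statement.get("Principal")
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return role_arn in ([aws] if isinstance(aws, str) else aws)

def merge_statement(existing, statement):
    """Add `statement` to the bucket's current policy instead of pasting over it."""
    policy = copy.deepcopy(existing) if existing else {"Version": "2012-10-17", "Statement": []}
    if statement not in policy["Statement"]:      # assumes "Statement" is a list
        policy["Statement"].append(copy.deepcopy(statement))
    return policy

def remove_role(policy, role_arn):
    """Drop only role_arn's statements; None means nothing is left, so delete the policy."""
    kept = [s for s in policy["Statement"] if not _names(s, role_arn)]
    return {**policy, "Statement": kept} if kept else None

def set_effect(policy, role_arn, effect):
    """Temporary revoke or reinstate: flip Effect on role_arn's statements only.
    An explicit Deny overrides any Allow the same role gets from another statement."""
    out = copy.deepcopy(policy)
    for s in out["Statement"]:
        if _names(s, role_arn):
            s["Effect"] = effect
    return out

# Constructed sample data: account IDs and role names are placeholders.
EAPI_ROLE = "arn:aws:iam::111122223333:role/example-eapi-role"
EAPI_STMT = {"Sid": "", "Effect": "Allow", "Principal": {"AWS": EAPI_ROLE},
             "Action": ["s3:PutObject", "s3:GetObject"],   # shortened for the example
             "Resource": ["arn:aws:s3:::eapi-user-bucket-test/*"]}
OTHER_STMT = {"Sid": "Analysts", "Effect": "Allow",
              "Principal": {"AWS": "arn:aws:iam::444455556666:role/example-analyst"},
              "Action": "s3:GetObject", "Resource": "arn:aws:s3:::eapi-user-bucket-test/*"}
EXISTING = {"Version": "2012-10-17", "Statement": [OTHER_STMT]}

if __name__ == "__main__":
    merged = merge_statement(EXISTING, EAPI_STMT)
    print(len(merged["Statement"]), remove_role(merged, EAPI_ROLE) == EXISTING)
```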

Example (truncated):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Deny",