
Managing S3 services in Cloud.gov

Jun Li edited this page Oct 18, 2023 · 10 revisions

Create a public S3 bucket

#Login to cloud.gov

cf login -sso

#Target a space to create the S3 service, such as dev

cf target -s [SPACE]

#Create a public bucket

cf create-service s3 basic-public [SERVICE_NAME]

#Create service key for the bucket

cf create-service-key [SERVICE_NAME] [SERVICE_NAME_KEY]

Retrieve bucket keys

cf service-key [SERVICE_NAME] [SERVICE_NAME_KEY]

Configure public S3 as a public website

#Set bucket credentials locally from the keys retrieved; unset these variables when you’re done using them

export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=
export BUCKET_NAME=
export AWS_DEFAULT_REGION=

#Create a new cors.json file for the bucket with these open rules

{
    "CORSRules": [
        {
            "AllowedHeaders": [
                "*"
            ],
            "AllowedMethods": [
                "HEAD",
                "GET"
            ],
            "AllowedOrigins": [
                "*"
            ],
            "ExposeHeaders": [
                "ETag"
            ]
        }
    ]
}

#Upload the CORS policy to the bucket (you’ll need the AWS CLI). If you do not have the AWS CLI installed, follow these instructions to install it from the command line: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-mac.html#cliv2-mac-install-cmd-all-users

aws s3api put-bucket-cors --bucket $BUCKET_NAME --cors-configuration file://cors.json

#Query the CORS rules that were just uploaded and confirm they are present and correct

aws s3api get-bucket-cors --bucket $BUCKET_NAME
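
To confirm the rules programmatically, here is an added Python check (not part of this page or the cloud.gov tooling) that compares a retrieved configuration against cors.json and flags any rule wider than a static site needs; the RETRIEVED sample is constructed, and in practice you would `json.load()` the output of `aws s3api get-bucket-cors` in its place.

```python
"""Check the CORS rules on a cloud.gov public S3 bucket (added example)."""
import json

# The open rules from this page's cors.json: browsers anywhere may read.
EXPECTED = {"CORSRules": [{"AllowedHeaders": ["*"], "AllowedMethods": ["HEAD", "GET"],
                           "AllowedOrigins": ["*"], "ExposeHeaders": ["ETag"]}]}

# Constructed sample of what get-bucket-cors might return after someone added a
# second, wider rule. A real check would json.load() the command's output instead.
RETRIEVED = {"CORSRules": [
    {"AllowedHeaders": ["*"], "AllowedMethods": ["GET", "HEAD"],
     "AllowedOrigins": ["*"], "ExposeHeaders": ["ETag"]},
    {"AllowedHeaders": ["*"], "AllowedMethods": ["PUT", "DELETE"],
     "AllowedOrigins": ["*"]},
]}

# A static-site bucket only needs browsers to read objects. CORS does not grant
# access by itself (the bucket's own permissions do), but a rule that also lets
# browsers on any origin send write methods is wider than the site needs.
READ_ONLY_METHODS = {"GET", "HEAD"}


def _canonical(rule):
    """Order-insensitive text form of one rule, so two configs can be compared."""
    return json.dumps({k: sorted(v) if isinstance(v, list) else v
                       for k, v in rule.items()}, sort_keys=True)


def matches_expected(actual, expected):
    """True when the bucket carries exactly the rules from cors.json."""
    got = sorted(_canonical(r) for r in actual.get("CORSRules", []))
    want = sorted(_canonical(r) for r in expected.get("CORSRules", []))
    return got == want


def wide_rules(config):
    """Indexes of rules that allow non-read methods from AllowedOrigins '*'."""
    flagged = []
    for i, rule in enumerate(config.get("CORSRules", [])):
        extra = set(rule.get("AllowedMethods", [])) - READ_ONLY_METHODS
        if extra and "*" in rule.get("AllowedOrigins", []):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    for name, cfg in (("expected", EXPECTED), ("retrieved", RETRIEVED)):
        print(name, "matches cors.json:", matches_expected(cfg, EXPECTED),
              "wide rules:", wide_rules(cfg))
```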

#Test uploading a file. Example:

aws s3 cp /[path-to-file]/[page-name].html s3://${BUCKET_NAME}/[page-name].html

#Set up the S3 bucket as a public website.
#Accessible via: http://${BUCKET_NAME}.s3-website-us-gov-west-1.amazonaws.com/[page_name].html

aws s3 website s3://${BUCKET_NAME}/ --region us-gov-west-1 --index-document index.html --error-document error.html

Access the website

http://${BUCKET_NAME}.s3-us-gov-west-1.amazonaws.com/index.html

Delete an S3 service

#You must delete the contents of the bucket first. If you do not, deleting the service will fail.

#Delete the service key

cf delete-service-key [SERVICE_NAME] [SERVICE_NAME_KEY]

#Delete the service

cf delete-service [SERVICE_NAME]

Rotate S3 service access keys

  • List all s3 services: cf services | grep s3
  • Unbind and bind all applications to the service: fec-s3-snapshot
    Ex: cf unbind-service YOUR-APPLICATION YOUR-SERVICE
        cf bind-service YOUR-APPLICATION YOUR-SERVICE

cf unbind-service celery-beat fec-s3-snapshot
cf unbind-service celery-worker fec-s3-snapshot
cf unbind-service api fec-s3-snapshot

cf bind-service celery-beat fec-s3-snapshot
cf bind-service celery-worker fec-s3-snapshot
cf bind-service api fec-s3-snapshot


* Unbind and bind all applications to the service: **fec-s3-api**

cf unbind-service celery-beat fec-s3-api
cf unbind-service celery-worker fec-s3-api
cf unbind-service api fec-s3-api

cf bind-service celery-beat fec-s3-api
cf bind-service celery-worker fec-s3-api
cf bind-service api fec-s3-api

* Restage the applications that bind to **fec-s3-snapshot** and **fec-s3-api**:
  rerun the latest **openFEC** project build in CircleCI on the develop/release/master branches (without downtime)
  OR
  `cf restage api` (causes downtime)

* Unbind and bind all applications to the service: **content-s3**

cf unbind-service cms content-s3
cf unbind-service s3-app content-s3

cf bind-service cms content-s3
cf bind-service s3-app content-s3

* Restage the applications that bind to **content-s3**:
  rerun the latest **fec-cms** project build in CircleCI on the develop/release/master branches (without downtime)
  OR
  `cf restage cms` (causes downtime)

* To list service keys for a service instance: `cf service-keys <service_name>`

cf service-keys fec-s3-snapshot
cf service-keys fec-s3-api
cf service-keys content-s3

* To show the service key details, use `cf service-key <service_name> <my_service_key>`

cf service-key fec-s3-snapshot fec-s3-snapshot-key
cf service-key fec-s3-api fec-s3-api-key
cf service-key content-s3 content-s3-key

* Delete service keys:

cf delete-service-key fec-s3-snapshot fec-s3-snapshot-key
cf delete-service-key fec-s3-api fec-s3-api-key
cf delete-service-key content-s3 content-s3-key

* Create service keys:

cf create-service-key fec-s3-snapshot fec-s3-snapshot-key
cf create-service-key fec-s3-api fec-s3-api-key
cf create-service-key content-s3 content-s3-key