How to share AWS S3 files and folders with external users using NirvaShare
Sharing a file or folder with external users is a common business use case across industries. When the files live in S3, this raises security challenges such as granting proper access to users, authentication and authorization. With NirvaShare, it is easy to configure and share files with just a few clicks. In this document, we will look at how to configure NirvaShare with AWS S3 storage and share files with external users using simple Form-based authentication.
In this blog, we will try to install NirvaShare using the CloudFormation YAML script and get the service up in a couple of minutes.
NirvaShare can be installed directly from AWS Marketplace http://aws.amazon.com/marketplace/pp/B09YHRWKJB, in which case the installation steps below can be skipped.
Alternatively, you can install it manually using CloudFormation. Log in to the AWS console and open the CloudFormation service. To proceed with the NirvaShare installation, create a new Stack and select the option to upload a template file.
For the template file, create a new file on your local system with the content below and select it. While copying the content, make sure the YAML formatting (indentation) is maintained.
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  ## Security group for NirvaShare WebInstance enabling port 8080 and 8081
  ## Port 22 for console access
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: NirvaShare security group
      GroupName: WebSecurityGroup
      # VpcId: vpc-abc01234
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: 8081
          ToPort: 8081
          CidrIp: 0.0.0.0/0
  ## EC2 Instance
  WebInstance:
    Type: AWS::EC2::Instance
    Properties:
      BlockDeviceMappings:
        - DeviceName: "/dev/sda1"
          Ebs:
            VolumeSize: 40
            VolumeType: gp2
      InstanceType: t2.medium
      ImageId: ami-04505e74c0741db8d
      # KeyName: my-key
      Monitoring: true
      SecurityGroupIds:
        - !Ref WebSecurityGroup
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          curl -s https://raw.githubusercontent.com/nirvashare/nirvashare/main/linux/ubuntu/vendors/aws/install_nirvashare.sh -o ns_install.sh && bash ns_install.sh && rm -f ns_install.sh
      Tags:
        - Key: Name
          Value: NirvaShare
```
Provide a stack name and proceed with the installation using the defaults. This CloudFormation script will create an EC2 instance and then install and configure NirvaShare on it.
After the installation is completed, wait 3-4 minutes for the server to come up, as it takes time to create the schema, etc.
Access the URL http://(your EC2 Public IP):8080
This should open the login screen. Before you log in, let us prepare for configuration.
To configure further, you will need an IAM role that can be assigned to the EC2 instance to access S3 storage. To create a new IAM role, follow the steps below.
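The template above opens SSH (22), the Admin Console (8080) and the user application (8081) to 0.0.0.0/0. The variant below is an added example, not NirvaShare's own template: it replaces the `WebSecurityGroup` resource, keeps 8081 open for external users and limits 22 and 8080 to an `AdminCidr` parameter, a name introduced here.

```yaml
# Added example: drop-in replacement for the WebSecurityGroup resource.
# AdminCidr is a hypothetical parameter, not part of the original template.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AdminCidr:
    Type: String
    Description: Network allowed to reach SSH and the Admin Console
    # Requires a prefix length of /8 or longer, which rules out 0.0.0.0/0
    AllowedPattern: '^(\d{1,3}\.){3}\d{1,3}/([89]|[12]\d|3[0-2])$'
    ConstraintDescription: Must be an IPv4 CIDR with a prefix of /8 to /32
Resources:
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: NirvaShare security group
      GroupName: WebSecurityGroup
      SecurityGroupIngress:
        # SSH: administrators only
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AdminCidr
        # Admin Console on 8080: administrators only
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          CidrIp: !Ref AdminCidr
        # User application on 8081: must stay reachable by external users
        - IpProtocol: tcp
          FromPort: 8081
          ToPort: 8081
          CidrIp: 0.0.0.0/0
```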
- Open IAM service or go to URL https://console.aws.amazon.com/iamv2
- From the left menu, click on Roles and create a new role.
- Select AWS Service and EC2 for use case.
- For the Permissions policies select AmazonS3FullAccess and click on Next.
- Provide a role name and create it. This creates a new role that has full access to S3 storage.
- Let us assign the newly created role to the NirvaShare EC2 instance.
- Go to the EC2 services and select the NirvaShare instance.
- From the Action menu, select Modify IAM Role as shown below.
- Select the newly created role and save it.
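AmazonS3FullAccess lets the instance read, write and delete in every bucket in the account. The CloudFormation fragment below is an added example, not part of the NirvaShare documentation, that scopes the role to a single bucket; `ShareBucketName` is a parameter introduced here, and the action list is an assumption, since the page does not state which S3 actions NirvaShare needs.

```yaml
# Added example: instance role limited to one bucket instead of AmazonS3FullAccess.
# ShareBucketName and the resource names are hypothetical; the action list is an
# assumption and may need widening if NirvaShare reports an access-denied error.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  ShareBucketName:
    Type: String
    Description: Name of the S3 bucket that NirvaShare shares from
Resources:
  NirvaShareRole:
    Type: AWS::IAM::Role
    Properties:
      # Same trust relationship the console creates for the EC2 use case
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: NirvaShareBucketAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Bucket-level actions apply to the bucket ARN
              - Effect: Allow
                Action:
                  - s3:ListBucket
                  - s3:GetBucketLocation
                Resource: !Sub "arn:aws:s3:::${ShareBucketName}"
              # Object-level actions apply to keys inside the bucket
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:DeleteObject
                Resource: !Sub "arn:aws:s3:::${ShareBucketName}/*"
  NirvaShareInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref NirvaShareRole
```

To attach it in the same stack, set `IamInstanceProfile: !Ref NirvaShareInstanceProfile` under the `WebInstance` properties; creating IAM resources through CloudFormation requires acknowledging the `CAPABILITY_IAM` capability.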
With the installation ready, the next step is to configure NirvaShare to point to your S3 Object Storage and share a file or folder using Form-based authentication.
Assuming the deployment was successful, open the Admin Console URL -> http://(your ip):8080
Log in to the Admin Console with the username admin and your EC2 instance ID as the password. It is advisable to change the password after your first login. To change the password, refer to the documentation Change Password. You can also create more than one admin user under the Delegated Admin tab, with full access to reset another admin user's password. To reset a forgotten password, refer to Password Reset.
NOTE: The default built-in user store does not support password reset functionality for the Admin Console. For a proper production deployment, you can integrate with any of your identity stores, such as AWS SSO, Keycloak, Active Directory, etc., for a better password management policy.
- After logging in to the application, click on Settings in the left menu tab.
- Click on edit File Storage, select AWS S3 as the storage type and enable the checkbox for Use AWS IAM Role.
- Save it.
- Go to the next section, edit User Application URL and provide the user application URL as http://(instance ip):8081, and save it.
Note – During production use, a proper domain with HTTPS is required here.
- Other settings such as email, audit, etc. are optional for now and can be configured later. For more detail, refer to Settings.