Setting up Amazon FSx for Lustre
Before you use Amazon FSx for Lustre for the first time, complete the tasks in the Sign up for Amazon Web Services section. To complete the Getting started tutorial, make sure the Amazon S3 bucket that you'll link to your file system has the permissions listed in Adding permissions to use data repositories in Amazon S3.
Topics
Sign up for Amazon Web Services
To set up for AWS, complete the following tasks:
Sign up for an AWS account
To get started with AWS, you need an AWS account. For information about creating an AWS account, see Getting started with an AWS account in the AWS Account Management Reference Guide.
Adding permissions to use data repositories in Amazon S3
Amazon FSx for Lustre is deeply integrated with Amazon S3. This integration means that applications that access your FSx for Lustre file system can also seamlessly access the objects stored in your linked Amazon S3 bucket. For more information, see Using data repositories with Amazon FSx for Lustre.
To use data repositories, you must first allow Amazon FSx for Lustre certain IAM permissions in a role associated with the account for your administrator user.
To embed an inline policy for a role using the console
-
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Roles.
-
In the list, choose the name of the role to embed a policy in.
-
Choose the Permissions tab.
-
Scroll to the bottom of the page and choose Add inline policy.
Note
You can't embed an inline policy in a service-linked role in IAM. Because the linked service defines whether you can modify the permissions of the role, you might be able to add additional policies from the service console, API, or AWS CLI. To view the service-linked role documentation for a service, see AWS Services That Work with IAM and choose Yes in the Service-Linked Role column for your service.
-
Choose Creating Policies with the Visual Editor
-
Add the following permissions policy statement.
After you create an inline policy, it is automatically embedded in your role. For more information about service-linked roles, see Using service-linked roles for Amazon FSx.
How FSx for Lustre checks for access to linked S3 buckets
If the IAM role that you use to create the FSx for Lustre file system does not have the
iam:AttachRolePolicy and iam:PutRolePolicy permissions, then
Amazon FSx checks whether it can update your S3 bucket policy. Amazon FSx can update your bucket
policy if the s3:PutBucketPolicy permission is included in your IAM role to
allow the Amazon FSx file system to import or export data to your S3 bucket. If allowed to
modify the bucket policy, Amazon FSx adds the following permissions to the bucket
policy:
s3:AbortMultipartUploads3:DeleteObjects3:PutObjects3:Get*s3:List*s3:PutBucketNotifications3:PutBucketPolicys3:DeleteBucketPolicy
If Amazon FSx can't modify the bucket policy, it then checks if the existing bucket policy grants Amazon FSx access to the bucket.
If all of these options fail, then the request to create the file system fails. The following diagram illustrates the checks that Amazon FSx follows when determining whether a file system can access the S3 bucket to which it will be linked.
Next step
To get started using FSx for Lustre, see Getting started with Amazon FSx for Lustre for instructions to create your Amazon FSx for Lustre resources.
