Generating S3 credentials

Note: Starting in ORCA v10.x, which uses Aurora v2, users will use an IAM role to access archive buckets. Therefore, no access keys are required and this documentation will be obsolete.

Postgres requires access to the ORCA Reports bucket to pull in S3 inventory information. The credentials for this access are stored in the Required Variables s3_access_key and s3_secret_key. Note that this only impacts Internal Reconciliation reports, which are not required for ingest or recovery but are helpful for verifying data integrity. If you are unable to follow these instructions, or wish to avoid generating and managing credentials, blank values may be used, and the impact will be isolated to Internal Reconciliation.

To generate an access key:

  1. Connect to the NASA VPN.
  2. Go to https://cloud.earthdata.nasa.gov/portal/project
  3. Click the account containing your ORCA Reports bucket.
  4. Go to CLOUD MANAGEMENT -> AWS Long-Term Access Keys.
  5. Under the revealed AWS Long-Term Access Keys section, click the three dots, followed by Create AWS long-term access keys.
  6. Select an account and role that can access the bucket.
  7. Click Generate API Key.
  8. Make sure to copy the secret value from this screen. This is your s3_secret_key. The Key ID is your s3_access_key.
  9. Note that these keys will eventually expire and will need to be regenerated and redeployed.

We are looking into alternatives to this system to remove these manual steps and eliminate the need for manual redeployment of expired keys. Once Cumulus updates their RDS instance (or we decouple), IAM roles may be an option. Details in backlog card.