Merge pull request #345 from stac-utils/pv/add-config-example-for-thumbnails

add config for thumbnail permissions
Phil Varner authored Dec 22, 2022
2 parents 5568738 + a3a94a1 commit f026af1
Showing 2 changed files with 24 additions and 7 deletions.
28 changes: 21 additions & 7 deletions README.md
@@ -1,6 +1,6 @@
# stac-server

![](https://github.com/stac-utils/stac-server/workflows/Push%20Event/badge.svg)
![push event badge](https://github.com/stac-utils/stac-server/workflows/Push%20Event/badge.svg)

- [stac-server](#stac-server)
- [Overview](#overview)
@@ -9,6 +9,7 @@
- [0.4.x -\> 0.5.x](#04x---05x)
- [Elasticsearch to OpenSearch Migration](#elasticsearch-to-opensearch-migration)
- [Preferred Elasticsearch to OpenSearch Migration Process](#preferred-elasticsearch-to-opensearch-migration-process)
- [Granting Access for Thumbnails](#granting-access-for-thumbnails)
- [0.3.x -\> 0.4.x](#03x---04x)
- [Elasticsearch upgrade from 7.9 to 7.10](#elasticsearch-upgrade-from-79-to-710)
- [Disable automatic index creation](#disable-automatic-index-creation)
@@ -20,8 +21,8 @@
- [Create collection index](#create-collection-index)
- [Enable OpenSearch fine-grained access control](#enable-opensearch-fine-grained-access-control)
- [Configure OpenSearch for fine-grained access control](#configure-opensearch-for-fine-grained-access-control)
- [Option 1 - API method:](#option-1---api-method)
- [Option 2 - Dashboard method:](#option-2---dashboard-method)
- [Option 1 - API method](#option-1---api-method)
- [Option 2 - Dashboard method](#option-2---dashboard-method)
- [Populating and accessing credentials](#populating-and-accessing-credentials)
- [Proxying Stac-server through CloudFront](#proxying-stac-server-through-cloudfront)
- [Locking down transaction endpoints](#locking-down-transaction-endpoints)
@@ -243,6 +244,19 @@ Switch the DNS entry for the domain name to the API Gateway endpoint for the new

Double-check that the `DeletionPolicy: Retain` is set on the old Stack for the Elasticsearch/OpenSearch resource, and then delete the old Stack.

#### Granting Access for Thumbnails

The new experimental endpoint `/collections/{c_id}/items/{item_id}/thumbnail` will
redirect to a URL providing a thumbnail as determined by the assets in an item. If the
href for this is an AWS S3 ARN, IAM permissions must be granted for the API Lambda to
generate a pre-signed HTTP URL instead. For example:

```yaml
- Effect: Allow
Action: s3:GetObject
Resource: 'arn:aws:s3:::usgs-landsat/*'
```
### 0.3.x -> 0.4.x
Create a new deployment, copy the elasticsearch database, and rename indexes.
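Review bot: the policy example grants `s3:GetObject` on `arn:aws:s3:::usgs-landsat/*`, a specific third-party bucket, without telling readers to substitute the bucket that actually holds their thumbnail assets; because the pre-signed URL is generated with the API Lambda's own credentials, the grant should also be scoped to the narrowest key prefix that contains thumbnails rather than a whole bucket. Suggest adding after the block: "Replace `usgs-landsat` with the bucket holding your thumbnail assets and narrow `Resource` to the thumbnail key prefix where possible." Two smaller points in the same hunk: "IAM permissions must be granted for the API Lambda" reads better as "granted to the API Lambda", and a blank line is missing between the closing ``` and the `### 0.3.x -> 0.4.x` heading that follows, which some markdown renderers need.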
@@ -401,7 +415,6 @@ There are some settings that should be reviewed and updated as needeed in the se
| OPENSEARCH_CREDENTIALS_SECRET_ID | The AWS Secrets Manager secret to retrieve the username and password from, to authenticate to OpenSearch with if fine-grained access control is enabled. | |
| COLLECTION_TO_INDEX_MAPPINGS | A JSON object representing collection id to index name mappings if they do not have the same names. | |


| ITEMS_INDICIES_NUM_OF_SHARDS | Configure the number of shards for the indices that contain Items. | none |
| ITEMS_INDICIES_NUM_OF_REPLICAS | Configure the number of replicas for the indices that contain Items. | none |

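Review bot: only one of the two blank lines between the `COLLECTION_TO_INDEX_MAPPINGS` row and the `ITEMS_INDICIES_NUM_OF_SHARDS` row is dropped (7 lines become 6), so a blank line still separates them and the two `ITEMS_INDICIES_*` rows will render as a second, header-less table. Remove the remaining blank line as well so every row belongs to the one table with the header. Unrelated to this change but visible in the hunk's context header: "as needeed" should read "as needed".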
@@ -553,7 +566,7 @@ Redeploy the stack, and this will be updated without re-creating the cluster.
The next step is to create the OpenSearch user and role to use for stac-server. This can
either be done through the OpenSearch API or Dashboard.

##### Option 1 - API method:
##### Option 1 - API method

This assumes the master username is `admin` and creats a user with the name `stac_server`.

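Review bot: dropping the trailing colon keeps the heading consistent with the TOC entry changed above; while touching this spot, the context line "creats a user with the name `stac_server`" still misspells "creates".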
@@ -617,7 +630,7 @@ curl -X "PUT" "${HOST}/_plugins/_security/api/rolesmapping/stac_server_role" \
}'
```

##### Option 2 - Dashboard method:
##### Option 2 - Dashboard method

Login to the OpenSearch Dashboard with the master username (e.g. `admin`) and password.
From the left sidebar menu, select "Security". Select "Internal users", and then "Create
@@ -726,7 +739,8 @@ def lambda_handler(event, context):

### Locking down transaction endpoints

If you wanted to deploy STAC Server in a way which ensures certain endpoints have restricted access but others don't, you can deploy it into a VPC and add conditions that allow only certain IP addresses to access certain endpoints. Once you deploy STAC Server into a VPC, you can modify the Resource Policy of the API Gateway endpoint that gets deployed to restrict access to certain endpoints. Here is a hypothetical example. Assume that the account into which STAC Server is deployed is numbered 1234-5678-9123, the API ID is ab1c23def, and the region in which it is deployed is us-west-2. You might want to give the general public access to use any GET or POST endpoints with the API such as the "/search" endpoint, but lock down access to the transaction endpoints (see https://github.com/radiantearth/stac-api-spec/tree/master/ogcapi-features/extensions/transaction) to only allow certain IP addresses to access them. These IP addresses can be, for example: 94.61.192.106, 204.176.50.129, and 11.27.65.78. In order to do this, you can impose a condition on the API Gateway that only allows API transactions such as adding, updating, and deleting STAC items from the whitelisted endpoints. For example, here is a Resource Policy containing two statements that allow this to happen:
If you wanted to deploy STAC Server in a way which ensures certain endpoints have restricted access but others don't, you can deploy it into a VPC and add conditions that allow only certain IP addresses to access certain endpoints. Once you deploy STAC Server into a VPC, you can modify the Resource Policy of the API Gateway endpoint that gets deployed to restrict access to certain endpoints. Here is a hypothetical example. Assume that the account into which STAC Server is deployed is numbered 1234-5678-9123, the API ID is ab1c23def, and the region in which it is deployed is us-west-2. You might want to give the general public access to use any GET or POST endpoints with the API such as the "/search" endpoint, but lock down access to the transaction endpoints (see <https://github.com/radiantearth/stac-api-spec/tree/master/ogcapi-features/extensions/transaction>) to only allow certain IP addresses to access them. These IP addresses can be, for example: 94.61.192.106, 204.176.50.129, and 11.27.65.78. In order to do this, you can impose a condition on the API Gateway that only allows API transactions such as adding, updating, and deleting STAC items from the whitelisted endpoints. For example, here is a Resource Policy containing two statements that allow this to happen:

```
{
"Version": "2012-10-17",
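Review bot: the sentence ends "allows API transactions such as adding, updating, and deleting STAC items from the whitelisted endpoints", but the condition the paragraph describes restricts by source IP address, not by endpoint; suggest "from the allow-listed IP addresses". Wrapping the URL in angle brackets is fine. The code fence that opens the Resource Policy right below has no language tag; `json` would give it highlighting and matches the other fenced blocks in this README.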
3 changes: 3 additions & 0 deletions serverless.example.yml
@@ -37,6 +37,9 @@ provider:
- sqs:DeleteMessage
Resource:
Fn::GetAtt: [ingestQueue, Arn]
- Effect: Allow
Action: s3:GetObject
Resource: 'arn:aws:s3:::usgs-landsat/*'
# - Effect: "Allow"
# Action: "lambda:InvokeFunction"
# Resource: "arn:aws:lambda:${aws:region}:${aws:accountId}:function:${self:service}-${self:provider.stage}-preHook"
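Review bot: this adds an always-on `s3:GetObject` grant on `arn:aws:s3:::usgs-landsat/*` to the provider role in the example config, so every deployment built from this file gets read access to that bucket whether or not it serves thumbnails from it. The `lambda:InvokeFunction` statement directly below is shipped commented out; consider the same for this statement, with a comment pointing at the "Granting Access for Thumbnails" README section and telling users to replace the bucket (and ideally narrow the key prefix) to wherever their own thumbnail assets live.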

0 comments on commit f026af1
