Configure an Amazon S3 bucket as the storage provider for your Maverics deployment. The Console publishes signed config bundles to S3, and Orchestrator instances poll the bucket for updates.

Prerequisites

  • An active AWS account — with permissions to create and manage S3 buckets, IAM roles, and policies
  • A Maverics Console account — with access to create or edit deployments

AWS Setup

1. Create an S3 Bucket

  • In the AWS Console, navigate to S3 under the Services menu.
  • Select the AWS region where you want the bucket.
  • Click Create bucket.
  • Enter a globally unique bucket name.
  • Under Object Ownership, select ACLs disabled (recommended).
  • Under Block Public Access settings, keep Block all public access enabled.
  • Click Create bucket.

2. Create IAM Policies

  • In the AWS Console, navigate to IAM and select Policies.
  • Click Create policy and switch to the JSON editor.
  • Create a Console policy with the following permissions (the Console needs read and write access to publish bundles):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR-BUCKET-NAME",
        "arn:aws:s3:::YOUR-BUCKET-NAME/*"
      ]
    }
  ]
}
  • Name the policy (e.g., “MavericsConsoleBucketAccess”) and click Create policy.
  • Repeat to create an Orchestrator policy with read-only access (the Orchestrator only needs to read configuration):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*"
    }
  ]
}
Replace YOUR-BUCKET-NAME with your actual bucket name in both policies.

3. Create a Cross-Account IAM Role

  • In the AWS Console, navigate to IAM and select Roles.
  • Click Create role.
  • Under Trusted entity type, select AWS account.
  • Select Another AWS account and enter the Strata Account ID for your region:

| Region | Strata AWS Account ID |
|--------|-----------------------|
| USA    | 322849791940          |
| UK     | 339713018853          |

  • Check Require external ID and enter a unique identifier. You will use this value in the Console’s External ID field.
  • Click Next and attach the Console policy you created in the previous step.
  • Name the role (e.g., “MavericsConsoleRole”) and click Create role.
  • Open the newly created role and copy the Role ARN. You will enter this in the Console’s Role ARN field.
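
To confirm that the role from step 3 trusts only a Strata account and enforces the external ID, the check below audits the role's trust policy document (the JSON shown for the role's trust relationship). It is an added example, not Strata's or AWS's code; it assumes the standard trust policy shape AWS uses for a cross-account role with an external ID, and the sample documents, EXAMPLE-EXTERNAL-ID and account 111122223333 are constructed.

```python
import re

# Strata account IDs from the region table in step 3 (USA, UK).
STRATA_ACCOUNTS = {"322849791940", "339713018853"}
ASSUME = {"sts:assumerole", "sts:*", "*"}

def as_list(value):
    """IAM accepts either a single value or a list in most fields."""
    return [] if value is None else value if isinstance(value, list) else [value]

def account_of(principal):
    """Account ID for a bare 12-digit ID or an IAM ARN; None for anything else."""
    m = re.fullmatch(r"(\d{12})|arn:aws:iam::(\d{12}):.+", principal)
    return (m.group(1) or m.group(2)) if m else None

def audit_trust_policy(policy, allowed_accounts=STRATA_ACCOUNTS):
    """Return findings for a role trust policy; an empty list means it passes."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & ASSUME:
            continue  # only statements that let someone assume the role matter
        principal = stmt.get("Principal")
        names = ([p for v in principal.values() for p in as_list(v)]
                 if isinstance(principal, dict) else [principal])
        for name in names:  # wildcards, services and other accounts all fail here
            if account_of(str(name)) not in allowed_accounts:
                findings.append(f"statement {i}: untrusted principal {name!r}")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if not any(k.lower() == "sts:externalid" and v for k, v in equals.items()):
            findings.append(f"statement {i}: no StringEquals sts:ExternalId condition")
    return findings

def sample_trust(principal, condition=None):
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

# Constructed sample trust policies; the external ID is a placeholder value.
GOOD = sample_trust({"AWS": "arn:aws:iam::322849791940:root"},
                    {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}})
NO_EXTERNAL_ID = sample_trust({"AWS": "arn:aws:iam::322849791940:root"})
WRONG_ACCOUNT = sample_trust({"AWS": "111122223333"},
                             {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}})

if __name__ == "__main__":
    for doc in (GOOD, NO_EXTERNAL_ID, WRONG_ACCOUNT):
        print(audit_trust_policy(doc) or "ok")
```

A role that skipped Require external ID produces the second finding; without that condition the role is assumable by the trusted account with no shared identifier tying the request to your deployment.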

Storage Configuration

Configure these fields in the Console when creating or editing a deployment with the Amazon S3 Bucket provider.

| Field | Required | Description |
|-------|----------|-------------|
| Bucket Name | Yes | The bucket name in Amazon S3 |
| Role ARN | Yes | The ARN of the role with access to your bucket |
| External ID | No | A unique ID that ties the assume role request to your role |
| AWS Region | Yes | The AWS region where your bucket is located |
| Configuration File Path | No | The path to the configuration file within your S3 bucket |

The Orchestrator uses the corresponding config source type to retrieve bundles from the deployment provider. If the Console deploys to AWS S3, the Orchestrator uses the S3 config source to poll for updates.