Skip to content

For ReSim to run your tests, it needs to be able to access three types of data, experiences, system build images, and metrics build images.

IAM Roles

By default, ReSim uses a generic role when accessing S3 and ECR data.

This role is only used programmatically by ReSim's internal components.

We also support customer-specific IAM roles. If you would like to use a customer-specific role, speak to your ReSim contact.

Experience data

Cloud Storage Support

We currently only support AWS S3 for cloud storage. Google Cloud is also on our roadmap. If you'd like us to support other blob storage solutions, get in touch.

AWS S3

You can use an existing bucket where you already have input data, or create a new one for ReSim.

If you create a new bucket, we recommend creating it in the us-east-1 region as that's where our app runs. You can follow the AWS documentation for creating a bucket. We don't require any specific settings except that the data isn't stored in Glacier archive.

Whether you have an existing bucket, or have created one specifically for use with ReSim, you need to give a ReSim IAM role access to read from the bucket. As described above, the IAM role to which you need to grant access will either be a generic role or a customer-specific role.

The IAM role is used by components of the ReSim platform if they need to fetch Experience data. The generic role is:

arn:aws:iam::083585393365:role/resim-customer-prod

New bucket, or bucket without existing policy

The following policy needs to be applied to your bucket. Make sure you replace the bucket-name placeholder value with the name of your bucket. Also check whether you are using a generic role or a customer-specific role as described above. 

{
  "Version": "2012-10-17",
  "Id": "ReSimAccess",
  "Statement": [
    {
      "Sid": "ReSimAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::083585393365:role/resim-customer-prod"
      },
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]
    }
  ]
}

Existing bucket with policy

If your bucket already has a bucket policy set, update the policy to add the following statement. Make sure you replace the bucket-name placeholder value with the name of your bucket. Also check whether you are using a generic role or a customer-specific role as described above.

"Statement": [
  {
      "Sid": "ReSimAccess",
      "Effect": "Allow",
      "Principal": {
          "AWS": "arn:aws:iam::083585393365:role/resim-customer-prod"
      },
      "Action": [
          "s3:GetObject",
          "s3:ListBucket"
      ],
      "Resource": [
          "arn:aws:s3:::bucket-name",
          "arn:aws:s3:::bucket-name/*"
      ]
  }
]

This is the same statement as in the complete policy example above.

Container images

Container Registry Support

We currently only support AWS ECR, Docker Hub, and Google Artifact Registry. If you need us to support other container registries, get in touch

AWS ECR

To use images hosted in AWS Elastic Container Registry (ECR) with ReSim, you can set up access to an existing ECR repository, or create a new ECR repository.

If you're creating a new repository, we recommend creating it in us-east-1 as that's where our app runs. You can follow the AWS documentation for creating ECR repositories.

New repository, or existing repository without policy

The repository you would like to use needs to have the following policy applied so that ReSim components can pull images from it. Check whether you are using a generic role or a customer-specific role as described above.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReSimToPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::083585393365:role/resim-customer-prod"]
      },
      "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]
    }
  ]
}

Existing repository with policy

If you have an existing ECR repository with images you would like to test, and that repository already has a policy set, add the below statement to the repository's policy. Check whether you are using a generic role or a customer-specific role as described above.

"Statement": [{
    "Sid": "AllowReSimToPull",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::083585393365:role/resim-customer-prod"
        ]
    },
    "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
    ]
}]

Docker Hub

You can use an existing repository or create a new one. Once it's ready, you will need to set up a new service account and share the Docker ID and personal access token (PAT) securely with us.

Docker Image Pull Rate

We use a mechanism to pull and mirror your container images securely inside our platform. This means image retrieval is quicker, and also means that we only make requests to Docker Hub when you publish images we haven't yet mirrored. Thus the limit of 5000 pulls per day Docker imposes should be more than enough.

Google Artifact Registry

You can use an existing repository or create a new one. Once it's ready, you will need to set up a new service account and generate a key for it. ReSim needs the service account to have Artifact Reader access to the repository in question.

To grant ReSim access, please share a base64 encoded version of the key.json, which can be used to login to the artifact registry.

AWS GovCloud or private cloud solutions

Please get in touch with ReSim if you would like to discuss other, more bespoke, access patterns or if you are a user of AWS GovCloud, which we also support.