Amazon S3 - Prequel

By default, S3 authentication uses role-based access. You create an IAM role in your own AWS account that holds the read permissions described below, and our identity is granted permission to assume it. No long-lived credentials are shared, and you can revoke access at any time through your IAM settings.

Step 1: configure AWS authentication

Choose the authentication method that fits your security policy.

IAM role (recommended)
AWS access keys

Create an IAM policy

In the AWS IAM console, navigate to the Policies tab and click Create policy. Click the JSON tab and paste the following policy, replacing BUCKET_NAME with the name of the bucket you want to read from.

IAM policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::BUCKET_NAME"
        }
    ]
}

If your S3 bucket uses KMS encryption (CMK), add the following statement to the Statement array to allow decryption with your KMS key. Replace REGION_NAME, ACCOUNT_ID, and KEY_ID with your values.

KMS decrypt statement

{
  "Effect": "Allow",
  "Action": "kms:Decrypt",
  "Resource": "arn:aws:kms:REGION_NAME:ACCOUNT_ID:key/KEY_ID"
}

Name the policy, add a description, and click Create policy.

Create an IAM role

In the AWS IAM console, navigate to the Roles tab and click Create role. Select Custom trust policy and paste the trust policy below to allow our identity to assume the role. Reach out to your account representative for the value of <some_service_account_identifier>.

Trust policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRoleWithWebIdentity"
      ],
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Condition": {
        "StringEquals": {
          "accounts.google.com:sub": "<some_service_account_identifier>"
        }
      }
    }
  ]
}

Click Next, attach the permissions policy you created in the previous step, enter a Role name, for example, source-s3, and click Create role.

Note the role ARN

Once the role is created, search for it in the Roles list, click the role name, and make a note of its ARN (for example, arn:aws:iam::123456789012:role/source-s3). You will provide this ARN in Step 2.

Create an IAM user

In the AWS IAM console, navigate to the Users tab and click Add users. Enter a User name for the service, for example, source-service, and select programmatic access.

Attach the policy

Attach the read policy described in the IAM role tab (s3:GetObject and s3:ListBucket on the target bucket) directly to the user.

Generate access keys

Generate an access key pair for the user and make a note of the access key ID and the secret access key. You will provide these values in Step 2.

If your bucket policy restricts access by IP, allow the static IP so we can reach the bucket. Reach out to your account representative for the static IP address to use.

Step 2: submit your connection details

Provide the following details to complete the source setup:

The name is a descriptive name of the source.
The bucket name of the bucket you want to read from.
The AWS region the bucket is hosted in.
The authentication credentials from Step 1:
- If using an IAM role: the role ARN.
- If using AWS access keys: the access key ID and the secret access key.

​Step 1: configure AWS authentication

​Step 2: submit your connection details

Step 1: configure AWS authentication

Step 2: submit your connection details