Configuring Amazon S3 Cross-Account for Imports
This article describes, step by step, how to configure Amazon S3 cross-account access so that data can be imported into the InfoSum Platform using the InfoSum S3 cross-account Import Connector Config (ICC).
First, create an Amazon S3 bucket. For the steps to do this, see Creating a bucket - Amazon Simple Storage Service. The bucket must contain at least one compatible file, otherwise the import into the InfoSum Platform will not work.
Once you have created an Amazon S3 bucket, you will need to do the following to import into the InfoSum Platform:
- Create a policy
- Associate the policy with a role, a user and a bucket
- Configure the trust relationship and session name
- Copy the User ARN
- Generate an External ID
To complete these steps, you will need the following information:
- User ARN - created by AWS during this process, once the AWS role has been created
- Principal - built jointly by InfoSum and you: InfoSum supplies the first part and you supply the Session Name
- Session Name - a value entirely of your choosing, but it must be identical in the InfoSum platform and in AWS
- External ID - a value created by InfoSum
The sections below describe the steps to configure AWS for use with the S3 cross-account ICC in the InfoSum Platform.
Create a policy
The AWS policy, when attached to an Import Connector Config (ICC), defines the ICC’s permissions.
You will need to create the policy manually, as AWS has no built-in policy for importing data into InfoSum. To create an AWS policy for S3:
In AWS, go to the Identity and Access Management (IAM) Dashboard by searching for IAM in AWS.
Select Policies from the Access Management section.
In the Policies window, click the Create Policy button.
Choose the S3 service (this is the service the policy relates to).
Select the permissions required for the InfoSum Platform to access files in the S3 bucket.
For importing data, set the policy to allow the following access levels:
- List - enable ‘ListBucket’
- Read - enable ‘GetObject’
As an optional step, you can limit the policy to a specific S3 bucket by toggling the Specific button under Resources and entering the ARN of the bucket this policy should apply to.
Click Next and, on the following screen, give the S3 policy a name (for example, s3-cross-account-demo).
Finally, click Create policy. The policy permissions are now created.
To review the new policy, go to the IAM Dashboard, select Policies from the Access Management section and click on the policy name. Here you can check that the policy has the correct List and Read permissions.
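The List and Read permissions above, expressed as the policy document the console generates, as an added example that is not part of the original article. It scopes both actions to one bucket ARN (the optional "Specific" resource step) and, going one step further than the article, narrows them to the key prefix you later enter in the ICC; the bucket name and prefix are constructed sample values.

```python
import json

# Constructed sample values (not from the article): a bucket name and an optional key prefix.
SAMPLE_BUCKET = "example-import-bucket"
SAMPLE_PREFIX = "exports/2024/"


def build_import_policy(bucket: str, prefix: str = "") -> dict:
    """Build the permissions policy the article describes: List (s3:ListBucket) on the
    bucket itself and Read (s3:GetObject) on its objects, scoped to one bucket ARN
    instead of "*". With a prefix, ListBucket is narrowed via the s3:prefix condition
    key and GetObject is limited to keys under that prefix."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    list_stmt = {
        "Sid": "InfoSumList",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": bucket_arn,
    }
    if prefix:
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
    read_stmt = {
        "Sid": "InfoSumRead",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": f"{bucket_arn}/{prefix}*",
    }
    return {"Version": "2012-10-17", "Statement": [list_stmt, read_stmt]}


def policy_is_bucket_scoped(policy: dict) -> bool:
    """Review check: return False if any statement grants access on the wildcard resource."""
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if "*" in resources:
            return False
    return True


if __name__ == "__main__":
    policy = build_import_policy(SAMPLE_BUCKET, SAMPLE_PREFIX)
    print(json.dumps(policy, indent=2))
    print("bucket-scoped:", policy_is_bucket_scoped(policy))
```

Paste the printed JSON into the policy editor's JSON tab instead of clicking through the visual editor if you prefer; the review step at the end of the section should then show exactly the List and Read permissions described above.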
Next, you will need to create a role, which you will associate with the policy.
Associating the policy with a role, a user and a bucket
In AWS, go to IAM Dashboard and select Roles from the Access Management section.
In the Roles window, click the Create Role button.
Select ‘AWS Service’ from the Trusted entity list and select S3 as the use case (note: do not select S3 batch operations).
Click the Next button and select the S3 permissions policy you created earlier, i.e. “s3-cross-account-demo” in this example.
Click Next, give the role a name and click Create role.
Once you have created the role, it will have an IAM ARN that can be used in the InfoSum platform (named User ARN in the ICC screen).
Trust Relationship & Session Name
In AWS, go to the IAM Dashboard and select Roles from the Access Management section.
Select the new role and then select the Trust relationships tab. You will now see the option to edit the trust policy.
Click Edit Trust Policy to open the editor, then paste the code snippet below into the Trusted entities section.
Important Note: On Line 7 of the policy below, replace the text “Your Session Name” with the Session Name you have created in your ICC in the InfoSum platform. If “Your Session Name” is not replaced with your session name, the assumed role will not work.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:sts::134928160093:assumed-role/InfoSumImportConnector/Your Session Name"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "d68b1db43ed52e7e0297dbaca2bad20f40d4faaf92b5349891f08fddde530e23"
                }
            }
        }
    ]
}
The principal above is the InfoSum assumed role for the import connector.
Once the session name has been updated, take the External ID from your InfoSum ICC. It is shown when you click on your created ICC and the details panel opens on the right-hand side. See Generating an External ID.
On the row beginning with “sts:ExternalId”, replace the text between the quotation marks with the External ID from the InfoSum platform ICC you have created.
Click the Update Policy button. The trust policy now carries the principal, session name and external ID to be used in the InfoSum S3 Cross-Account import.
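A check that the trust policy you just saved actually matches the values entered in the ICC, as an added example that is not part of the original article. The principal prefix is the InfoSum import-connector role from the trust policy above; the session name and external ID used here are constructed placeholders, not real values.

```python
import json

# The principal prefix is the InfoSum import-connector role shown in the article's trust
# policy; the session name and external ID below are constructed placeholders, not real values.
INFOSUM_PRINCIPAL_PREFIX = "arn:aws:sts::134928160093:assumed-role/InfoSumImportConnector/"
PLACEHOLDER_SESSION = "Your Session Name"

SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": INFOSUM_PRINCIPAL_PREFIX + "infosum-import-01"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-FROM-ICC"}},
    }],
}


def check_trust_policy(policy, icc_session_name: str, icc_external_id: str) -> list:
    """Compare a role trust policy (dict or JSON string) with the values entered in the
    ICC. Returns a list of problems; an empty list means the two are consistent."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    problems, found = [], False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        found = True
        principal = stmt.get("Principal", {}).get("AWS", "")
        if not principal.startswith(INFOSUM_PRINCIPAL_PREFIX):
            problems.append("principal is not the InfoSum import connector role")
            continue
        session = principal[len(INFOSUM_PRINCIPAL_PREFIX):]
        if session == PLACEHOLDER_SESSION:
            problems.append("'Your Session Name' placeholder was never replaced")
        elif session != icc_session_name:
            problems.append(f"session name {session!r} differs from ICC value {icc_session_name!r}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            problems.append("sts:ExternalId condition missing (no confused-deputy protection)")
        elif ext_id != icc_external_id:
            problems.append("sts:ExternalId differs from the External ID shown in the ICC")
    if not found:
        problems.append("no Allow sts:AssumeRole statement found")
    return problems


if __name__ == "__main__":
    print(check_trust_policy(SAMPLE_TRUST_POLICY, "infosum-import-01", "EXTERNAL-ID-FROM-ICC"))
```

Run it against the trust policy copied out of the IAM console (as a JSON string) with the session name and External ID shown in the ICC details panel; any non-empty result explains why the assumed role will fail.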
User ARN
From the summary screen of the role you have updated, copy the ARN from the Summary section at the top.
Note: The User ARN requested by the InfoSum S3 cross-account ICC is not the User ARN shown in a user’s AWS account. The correct ARN to use is the Role ARN shown in IAM > Roles > Summary in AWS.
Note: If you have a bucket policy that restricts which external connections can be made to the S3 bucket, go to your S3 bucket policy and update it to include the role ARN generated as part of this process.
Generating an External ID
In AWS IAM (Identity and Access Management), the external ID is a security feature used in role trust policies to protect cross-account access. It is a unique identifier generated by the third party that will assume the role (here, InfoSum); you write it into your role’s trust policy, and the role can then only be assumed by a caller that presents that same value. To create the external ID to work with InfoSum, follow these initial steps:
- In the InfoSum platform, go to the Importing > Manage ICCs screen.
- Create a new ICC by clicking Create new ICC.
- Select the S3 cross-account connector type from the dropdown.
- In the details section, enter the role ARN you have just created into the User ARN field. See User ARN.
- Enter the session name. This is the name you put into the trust policy in place of ‘Your Session Name’.
- Enter the bucket name.
- Optionally, add a Prefix.
- Click Next and then Submit without entering any more details.
- This will take you back to the Manage ICCs page. Click on the ICC you have just created to launch the Details panel, which appears on the right-hand side of the screen.
The External ID and Principal are now ready to use in the AWS console.