Configuring Amazon S3 Cross-Account for imports
This article describes step-by-step how to configure Amazon S3 cross-account access so that you can import data into the InfoSum Platform using the InfoSum S3 cross-account data connector or the InfoSum Amazon S3 push connector.
First, create an Amazon S3 bucket. For the steps to do this, see Creating a bucket - Amazon Simple Storage Service. An S3 bucket must contain at least one compatible file for import to the InfoSum Platform to work.
Once you have created an Amazon S3 bucket, you will need to do the following to import into InfoSum Platform:
- Create a policy
- Associate the policy with a role, a user and a bucket
- Generate an External ID
- Configure AWS IAM for the InfoSum S3 cross-account data connector
To complete these steps, you will need the following information:
- User ARN - this is created by AWS during this process, once the AWS Role has been created
- Principal - this is created by you and InfoSum whereby InfoSum supplies the first part and you supply the Session Name
- Session Name - this is a variable that is entirely chosen by you but must be consistent between the values you input in the InfoSum platform and in AWS
- External ID - this is a value created by InfoSum
The sections below describe the steps to successfully configure AWS to use the S3 cross-account ICC in the InfoSum Platform.
Creating a policy
The AWS policy, when attached to an Import Connector Config (ICC), defines the ICC’s permissions. You will need to manually create the policy to import data into InfoSum as there is no policy to do this within AWS. To create an AWS policy for S3:
In AWS, go to the Identity and Access Management (IAM) Dashboard by searching for IAM in AWS.
Select Policies from the Access Management section.
In the Policies window, click the Create Policy button.
Choose the S3 service (this is the service the policy relates to).
Select the permissions required for InfoSum Platform to access files in the S3 bucket.
For importing data, you will need to set the policy to allow:
- ListBucket
- GetObject
As an optional step, if you would like to limit the policy to a specific S3 bucket, select the Specific radio button under Resources and enter the ARN of the bucket this policy should apply to.
Click Next and give the policy for the S3 account a name (for example, S3-Cross-Account). Finally, click Create policy and you have now created the policy permissions.
To review the new policy, go to the IAM Dashboard, select Policies from the Access Management section and click on the policy name. Here you can check that the policy has the correct List and Read permissions.
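For reference, this is the policy document equivalent to the List and Read permissions selected above, scoped to a single bucket. It is an added example written for this article, not a policy from InfoSum or AWS; the bucket name example-import-bucket is a placeholder for your own bucket.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListImportBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-import-bucket"
    },
    {
      "Sid": "ReadImportObjects",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-import-bucket/*"
    }
  ]
}
```

Note that s3:ListBucket is evaluated against the bucket ARN itself while s3:GetObject is evaluated against object ARNs (the /* suffix); if both actions are scoped to only one of these forms, one of them is silently denied and the import fails.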
Next, you will need to create a role, which you will associate with the policy.
Associating the policy with a role, a user and a bucket
In AWS, go to IAM Dashboard and select Roles from the Access Management section.
In the Roles window, click the Create Role button.
Select the S3 service from the list and choose S3 as the use case (note: do not select S3 batch operations).
Click the Next button and select the S3 permissions policy you created earlier, i.e. “S3-Cross-Account” in this example. Click Next, give the role a name and click Create role.
The role now appears in the list of roles, which shows the role's trusted entity as the AWS Service: S3. Click on the role and you can see it is attached to the S3-Cross-Account policy and S3 buckets.
Once you have created the role, it will have an IAM ARN that can be used in the InfoSum platform (named User ARN in the ICC screen).
Generating an External ID
In AWS IAM (Identity and Access Management), the "external ID" is a security feature used in trust policies to enhance the security of cross-account access. It's a unique identifier that's provided by the entity that's trusting another AWS account to access its resources. To create the relevant external ID to work with InfoSum, you will need to follow these initial steps:
- In the InfoSum platform, go to the Importing > Manage ICCs screen
- Create a new ICC by clicking Create new ICC
- Select the S3 cross-account connector type from the dropdown
- In the details section, enter the role ARN that you’ve just created into the User ARN field
- Enter the session name you wish to use and the Bucket name
- Click Next and then Submit without entering any more details
- This will take you back to the Manage ICCs page. Click on the ICC you have just created to open the Details panel, which appears on the right-hand side of the screen.
The External ID and Principal are now ready to use in the AWS console.
Configuring AWS IAM for the InfoSum S3 cross-account data connector
You will need to configure AWS IAM to obtain the correct field values to use when importing/exporting S3 cross-account files into or from InfoSum Platform.
User ARN
The User ARN requested by the InfoSum S3 cross-account data connector is not the User ARN shown in a user’s AWS account. The correct ARN to use is the Role ARN shown in IAM > Roles > Summary in AWS.
Note: if you have a bucket policy that restricts which external connections can be made to the S3 bucket, go to your S3 bucket policy and update it to include the role ARN generated as part of this process.
Principal & Session Name
You will need to add the S3 session name in AWS. To do this:
In AWS, go to the IAM Dashboard and select Roles from the Access Management section.
Select the new role and then select the Trust relationships tab. Click Edit trust policy to open the editor, then copy the code snippet below and paste it into the trust policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:sts::134928160093:assumed-role/InfoSumImportConnector/ChangeThis"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "d68b1db43ed52e7e0297dbaca2bad20f40d4faaf92b5349891f08fddde530e23"
        }
      }
    }
  ]
}
On the 7th line, replace the text “ChangeThis” with the session name you created in your ICC in the InfoSum platform. Then take the External ID from your InfoSum ICC and replace the value in quotation marks on the line that begins with “sts:ExternalId”.
Click the Update Trust Policy button. The trust policy displays the principal, session name and the external ID to use in the InfoSum S3 Cross-Account import.
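As an added check (example code written for this article, not part of the InfoSum product or the AWS console), the function below inspects a role trust policy and confirms the edits the steps above describe: the principal carries your ICC session name rather than the ChangeThis placeholder, the External ID matches the one shown in the ICC, and no wildcard principal or missing condition has crept in. The session name marketing-import is a constructed example; the account ID, role name and External ID are the example values from the snippet above.

```python
# Principal ARN prefix from the trust policy snippet in this article; the final
# path element is the session name you chose in the InfoSum ICC.
INFOSUM_ROLE_PREFIX = "arn:aws:sts::134928160093:assumed-role/InfoSumImportConnector/"
# Example External ID as printed in the article; in practice use your ICC's value.
EXTERNAL_ID = "d68b1db43ed52e7e0297dbaca2bad20f40d4faaf92b5349891f08fddde530e23"


def build_trust_policy(session_name: str, external_id: str) -> dict:
    """The article's trust policy with both placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": INFOSUM_ROLE_PREFIX + session_name},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy: dict, session_name: str, external_id: str) -> list:
    """Return the problems found in a parsed trust policy; an empty list means OK."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    problems, assume_role_seen = [], False
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        assume_role_seen = True
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*":
            problems.append("wildcard principal: any AWS identity could assume this role")
        elif aws == INFOSUM_ROLE_PREFIX + "ChangeThis":
            problems.append("placeholder 'ChangeThis' was not replaced with the ICC session name")
        elif aws != INFOSUM_ROLE_PREFIX + session_name:
            problems.append(f"principal {aws!r} does not match session name {session_name!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("no sts:ExternalId condition: the role can be assumed without the External ID")
        elif ext != external_id:
            problems.append("sts:ExternalId does not match the External ID shown in the ICC")
    if not assume_role_seen:
        problems.append("no Allow statement for sts:AssumeRole: InfoSum cannot assume the role")
    return problems
```

To check a live role, fetch its trust policy with the AWS CLI or SDK and pass the parsed document to check_trust_policy together with the session name and External ID from your ICC.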