Configuring Amazon S3 Cross-Account
Important note: This functionality isn't available as standard to all users. Please contact your InfoSum representative to learn more about how to gain access.
You can configure your Amazon S3 cross-account to import data on the InfoSum Platform using the S3 cross-account data connector.
This article describes step-by-step how to configure your Amazon S3 cross-account to import data on the InfoSum Platform using the InfoSum S3 cross-account data connector.
First, create an Amazon S3 bucket. For the steps to do this, see Creating a bucket - Amazon Simple Storage Service. An S3 bucket must contain at least one compatible file for import to the InfoSum Platform to work.
Once you have created an Amazon S3 bucket, you will need to do the following to import into InfoSum Platform:
- Create a policy
- Associate the policy with a role, a user and a bucket
- Configure AWS Identity and Access Management (IAM) for the InfoSum S3 cross-account data connector
- Complete the InfoSum S3 cross-connect data connector fields
The sections below describe the steps to do this.
Creating a policy
The AWS policy, when attached to a Bunker, defines the Bunker’s permissions. You will need to create the policy manually, because AWS provides no ready-made policy for importing data into or exporting data from InfoSum. To create an AWS policy for S3:
Go to the Identity and Access Management (IAM) Dashboard by searching for IAM in AWS.
Select Policies from the Access Management section.
In the Policies window, click the Create Policy button.
Choose the S3 service (this is the service the policy relates to).
Select the permissions required for InfoSum Platform to access files in the S3 bucket.
The table below shows the minimum permissions from the List, Read and Write access levels you need to select to allow InfoSum Platform to complete the S3 import or export:
| Access Level | Permission |
| --- | --- |
| List | ListAllMyBuckets, ListBucket |
| Read | GetObject |
| Write | DeleteObject, PutObject |
Click the Next:Tags button to add extra information to the policy. You do not need to add anything here.
Click the Next:Permissions button to go to the S3 account - Permissions tab.
Give the policy for the S3 account a name (for example, S3-Cross-Account). You have now created the policy permissions.
To review the new policy, go to the IAM Dashboard, select Policies from the Access Management section and click on the policy name. Here you can check that the policy has the correct List, Read and Write permissions.
Next, you will need to create a role, which you will associate with the policy.
Associating the policy with a role, a user and a bucket
Note: If you are pushing data to an S3 bucket, you will need to create a separate role in AWS for the push connector.
Go to IAM Dashboard and select Roles from the Access Management section.
In the Roles window, click the Create Role button.
Select the S3 policy from the list, as shown below.
Scroll down and select S3 as your use case (Do not select S3 Batch Operations):
Click the Next:Permissions button and select the S3 permissions policy you created earlier, i.e. “S3 Cross Account” in this example.
Click the Next: Tags button to add extra information to the policy. You do not need to add anything here.
Click the Next: Review button and give the role a name and optionally add a description of the role.
Check that the policy and trusted entities are correct and then click the Create Role button.
The role now appears in the list of roles, which shows the role's trusted entity as the AWS Service: S3. Click on the role and you can see it is attached to the S3-Cross-Account policy and S3 buckets.
Configuring AWS IAM for the InfoSum S3 cross-account data connector
You will need to configure AWS IAM to obtain the correct field values to use when importing/exporting S3 cross-account files into or from InfoSum Platform.
User ARN
The User ARN requested by the InfoSum S3 cross-account data connector is not the User ARN shown in a user’s AWS account. The correct ARN to use is the Role ARN shown in IAM > Roles > Summary in AWS.
Session Name
You will need to add the S3 session name in AWS. To do this:
Go to the IAM Dashboard and select Roles from the Access Management section.
Select the new role and then select the Trust relationships tab.
If you are importing data to the Platform, click Edit Trust Policy and replace the text with the InfoSum trust relationship policy shown below.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:sts::134928160093:assumed-role/InfoSumImportConnector/ChangeThis"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "d68b1db43ed52e7e0297dbaca2bad20f40d4faaf92b5349891f08fddde530e23"
        }
      }
    }
  ]
}
```
Replace the ChangeThis section of the above trust policy with a session name, which can be anything, e.g. InfosumDemo. This is the session name that you will need to add to the Session Name field in the InfoSum S3 cross-account data connector.
If you are pushing data to an S3 bucket, you will also need to change the connector name in the Principal field from InfoSumImportConnector to InfoSumPushConnector, as shown below.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:sts::134928160093:assumed-role/InfoSumPushConnector/ChangeThis"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "d68b1db43ed52e7e0297dbaca2bad20f40d4faaf92b5349891f08fddde530e23"
        }
      }
    }
  ]
}
```
External ID
The external ID shown by the InfoSum S3 cross-account data connector will differ from the value in the template above, so you will need to copy it from the connector and paste it into the trust policy on the Trust relationships tab.
To do this, replace the sts:ExternalId value in the AWS trust policy with the external ID from the InfoSum S3 cross-account data connector.
Click the Update Trust Policy button. The trust policy displays the session name and the external ID to use in the InfoSum S3 Cross-Account import/export.
This trusted entity will be allowed to access the Amazon S3 bucket provided the external ID within the InfoSum Platform is the same as the one in AWS.
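Before pasting the trust policy into AWS, it is worth checking that the session name placeholder has been replaced and that the external ID matches the one shown by the connector, since a mismatch on either is the usual reason the connector cannot assume the role. The following is an added example (not InfoSum's or AWS's code) that builds the trust policy from the article's template and checks a policy document for those mistakes; the InfoSum account number and connector names are taken from the article, and the 64-character external ID is a constructed placeholder.

```python
import re

# Values taken from the trust policy shown in the article.
INFOSUM_ACCOUNT = "134928160093"
CONNECTORS = ("InfoSumImportConnector", "InfoSumPushConnector")
# Constructed placeholder: the real external ID is copied from the connector screen.
EXAMPLE_EXTERNAL_ID = "0" * 64
ARN_RE = re.compile(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)")


def build_trust_policy(connector: str, session_name: str, external_id: str) -> dict:
    """Return the article's trust policy with ChangeThis and the external ID filled in."""
    if connector not in CONNECTORS:
        raise ValueError(f"unknown connector: {connector}")
    principal = f"arn:aws:sts::{INFOSUM_ACCOUNT}:assumed-role/{connector}/{session_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy: dict, expected_external_id: str) -> list:
    """Return the problems found; an empty list means the policy is ready to paste."""
    problems, found = [], False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        found = True
        match = ARN_RE.fullmatch(str(stmt.get("Principal", {}).get("AWS", "")))
        if not match:
            problems.append("Principal is not an assumed-role ARN")
            continue
        account, connector, session = match.groups()
        if account != INFOSUM_ACCOUNT or connector not in CONNECTORS:
            problems.append(f"Principal is not an InfoSum connector role: {connector}")
        if session == "ChangeThis":
            problems.append("session name placeholder ChangeThis was not replaced")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id != expected_external_id:
            problems.append("sts:ExternalId does not match the connector's external ID")
    if not found:
        problems.append("no Allow sts:AssumeRole statement found")
    return problems
```

Paste the output of json.dumps(build_trust_policy(...), indent=2) into the Edit Trust Policy screen only once check_trust_policy returns an empty list.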
Amazon S3 bucket
To find the S3 bucket name to use in the InfoSum S3 cross-account data connector:
In AWS, search for S3 services.
Click on S3 in services to display a list of S3 buckets.
Click on the S3 bucket to display details for the bucket.
Prefix
If your S3 bucket contains folders, you will need to specify the folder(s) to use in the Prefix field of the InfoSum S3 cross-account data connector.
Completing the InfoSum S3 cross-connect data connector fields
You can complete the InfoSum S3 cross-connect data connector fields using the session name, external ID, bucket name and prefix obtained from AWS in the sections above.
When you have completed the fields, InfoSum can connect to the files in your Amazon S3 bucket.
For more details, see data connector for Amazon S3 cross-account.