Estimated setup time: 1 hour

The Aampe team is happy to provide alternatives if any of the steps below conflict with your IT policies. For example, Aampe can provision the bucket itself and give an IAM role of your own access to it. All you need to do is shoot an email to [email protected].

AWS S3 - Key Access

  1. Create a bucket and share its name and region with Aampe.
  2. Grant the IAM user created by Aampe permissions to your events bucket by using the following bucket policy JSON:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1663173416756",
            "Effect": "Allow",
            "Principal": {
                "AWS": "<the_aampe_user_arn_that_we_will_provide>"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket_name_goes_here>",
                "arn:aws:s3:::<bucket_name_goes_here>/*"
            ]
        }
    ]
}

AWS S3 - Delegate access

The Aampe team will provide you with a service account subject identifier.

  1. Create a bucket and share its name and region with Aampe.
  2. Create an IAM policy using this JSON:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket_name_goes_here>",
                "arn:aws:s3:::<bucket_name_goes_here>/*"
            ]
        }
    ]
}
  3. Create a WebIdentity IAM role using this custom JSON trust policy and the Aampe-provided
    service account subject identifier:
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "accounts.google.com"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "accounts.google.com:sub": "<service_account_subject_identifier_goes_here>"
          }
        }
      }
    ]
}
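
A pre-flight check for the filled-in policies above, as an added example that is not Aampe's code: it flags placeholders left unreplaced, actions outside the read-only `s3:Get*`/`s3:List*` set, resources wider than one bucket, and a web identity trust statement without an exact `accounts.google.com:sub` match. The function name `lint`, the sample bucket name and the sample subject identifier are assumptions made for illustration.

```python
import json
import re

PLACEHOLDER = re.compile(r"<[a-z_]+>")          # e.g. <bucket_name_goes_here>
BUCKET_ARN = re.compile(r"arn:aws:s3:::[a-z0-9.-]{3,63}(/\*)?")
READ_ONLY = ("s3:Get", "s3:List")               # prefixes used by the policies above
SUB_KEY = "accounts.google.com:sub"

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint(policy):
    """Return a list of findings for one policy document (a dict)."""
    findings = []
    if PLACEHOLDER.search(json.dumps(policy)):
        findings.append("unreplaced <placeholder> left in policy")
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = as_list(st.get("Action", []))
        if "sts:AssumeRoleWithWebIdentity" in actions:
            # Trust policy: the sub condition pins the role to one identity.
            sub = st.get("Condition", {}).get("StringEquals", {}).get(SUB_KEY)
            if not isinstance(sub, str) or "*" in sub or PLACEHOLDER.search(sub):
                findings.append("trust policy lacks an exact " + SUB_KEY + " match")
            continue
        for action in actions:
            if not action.startswith(READ_ONLY):
                findings.append("action is not read-only: " + action)
        for resource in as_list(st.get("Resource", [])):
            if not BUCKET_ARN.fullmatch(resource):
                findings.append("resource is not one bucket: " + resource)
    return findings

# Constructed samples: bucket name and subject identifier are made up.
TRUST_OK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": "accounts.google.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {SUB_KEY: "100000000000000000001"}}}]}
TRUST_OPEN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": "accounts.google.com"},
    "Action": "sts:AssumeRoleWithWebIdentity"}]}
ACCESS_WIDE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:Get*", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::example-events", "arn:aws:s3:::*"]}]}

if __name__ == "__main__":
    for name in ("TRUST_OK", "TRUST_OPEN", "ACCESS_WIDE"):
        print(name, lint(globals()[name]))
```

Resources scoped to a prefix inside the bucket are reported as well, since the policies on this page only use the bucket ARN and the bucket ARN followed by `/*`.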
