AWS S3 - Key Access

  1. Create a bucket and share its name and region with Aampe.
  2. Attach the following bucket policy to the events bucket. It grants the IAM user created by Aampe (the ARN Aampe provides) read-only access, limited to listing the bucket and reading its objects; replace both placeholders before applying it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1663173416756",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<the_aampe_user_arn_that_we_will_provide>"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket_name_goes_here>",
        "arn:aws:s3:::<bucket_name_goes_here>/*"
      ]
    }
  ]
}

AWS S3 - Delegate Access

The Aampe team will provide you with a service account subject identifier.
  1. Create a bucket and share its name and region with Aampe.
  2. Create an IAM permissions policy using this JSON. It is read-only (get and list actions) and scoped to the events bucket only; it will be attached to the role created in the next step:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket_name_goes_here>",
        "arn:aws:s3:::<bucket_name_goes_here>/*"
      ]
    }
  ]
}
  3. Create a WebIdentity IAM role, attach the policy from step 2 to it, and set the role's trust policy to the custom JSON below with the Aampe-provided service account subject identifier in the sub condition. That condition is what restricts the role to Aampe's service account rather than to any Google identity, so do not leave it out. Aampe will need the role's ARN to call sts:AssumeRoleWithWebIdentity, so share it along with the bucket name and region:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "accounts.google.com:sub": "<service_account_subject_identifier_goes_here>"
        }
      }
    }
  ]
}
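Before applying either policy, it is worth checking that what you are about to attach is still the least-privilege grant described above: one named principal, only get/list actions, resources limited to the events bucket, no placeholders left in, and (for the trust policy) the accounts.google.com:sub condition present. The following is an added example, not Aampe's tooling; the bucket name, account id and Google subject identifier in it are made-up placeholder values, and the check functions are this page's own illustration of the invariants, not an AWS API.

```python
"""Offline sanity checks for the two Aampe access policies above.

Added example, not Aampe's own code. The bucket name, account id and
Google service-account subject below are constructed placeholders.
"""
import json
import re

# Constructed placeholder values (not real identifiers).
BUCKET = "example-events-bucket"
AAMPE_USER_ARN = "arn:aws:iam::123456789012:user/aampe-ingest"
GOOGLE_SUB = "112233445566778899000"

READ_ONLY_ACTIONS = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"]
READ_PREFIXES = ("s3:Get", "s3:List")          # s3:Get*, s3:List* also pass
PLACEHOLDER = re.compile(r"<[^>]*>")           # e.g. "<bucket_name_goes_here>"


def bucket_policy(bucket: str, principal_arn: str) -> dict:
    """Key Access variant: bucket policy giving one IAM principal read-only access."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AampeReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": list(READ_ONLY_ACTIONS),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def trust_policy(google_sub: str) -> dict:
    """Delegate Access variant: role trust policy for AssumeRoleWithWebIdentity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "accounts.google.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {"accounts.google.com:sub": google_sub}},
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _placeholders(policy: dict) -> list[str]:
    return [f"placeholder left in policy: {m}" for m in PLACEHOLDER.findall(json.dumps(policy))]


def check_bucket_policy(policy: dict, bucket: str, principal_arn: str) -> list[str]:
    """Findings for a bucket policy meant to give exactly one principal read-only access."""
    findings = []
    allowed_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for p in principals:
            if p == "*":
                findings.append("wildcard principal grants access to every AWS account")
            elif p != principal_arn:
                findings.append(f"unexpected principal {p}")
        for action in _as_list(stmt.get("Action")):
            if not action.startswith(READ_PREFIXES):
                findings.append(f"action {action} is not a read-only get/list action")
        for res in _as_list(stmt.get("Resource")):
            if res not in allowed_resources:
                findings.append(f"resource {res} is outside bucket {bucket}")
    return findings + _placeholders(policy)


def check_trust_policy(policy: dict, google_sub: str) -> list[str]:
    """Findings for a role trust policy that should admit only one Google service account."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else _as_list(principal)
        if federated != ["accounts.google.com"]:
            findings.append(f"federated principal should be accounts.google.com, got {federated}")
        if _as_list(stmt.get("Action")) != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"unexpected trust action {stmt.get('Action')}")
        subs = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("accounts.google.com:sub"))
        if subs != [google_sub]:
            findings.append("accounts.google.com:sub condition missing or wrong: "
                            "without it any Google identity could assume the role")
    return findings + _placeholders(policy)


if __name__ == "__main__":
    print(check_bucket_policy(bucket_policy(BUCKET, AAMPE_USER_ARN), BUCKET, AAMPE_USER_ARN))
    print(check_trust_policy(trust_policy(GOOGLE_SUB), GOOGLE_SUB))
```

Run the checks against the exact JSON you intend to paste into the console (for example `json.load(open("bucket-policy.json"))`); an empty findings list means the policy still matches the read-only, single-principal shape shown on this page.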
The Aampe team is happy to provide alternatives if the above conflicts with your IT policies. Please send an email to support@aampe.com and we'll find a solution.