AWS S3 - Key Access

  1. Create a bucket and share its name and region with Aampe.
  2. Grant the IAM user created by Aampe permissions to your events bucket by using the following JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1663173416756",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<the_aampe_user_arn_that_we_will_provide>"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket_name_goes_here>",
        "arn:aws:s3:::<bucket_name_goes_here>/*"
      ]
    }
  ]
}

AWS S3 - Delegate Access

The Aampe team will provide you with a service account subject identifier.
  1. Create a bucket and share its name and region with Aampe.
  2. Create an IAM policy using this JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket_name_goes_here>",
        "arn:aws:s3:::<bucket_name_goes_here>/*"
      ]
    }
  ]
}
  3. Create a WebIdentity IAM role using this Custom JSON trust policy and the Aampe provided service account subject identifier:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "accounts.google.com:sub": "<service_account_subject_identifier_goes_here>"
        }
      }
    }
  ]
}

AWS S3 - Role Based Access

  1. Customer creates their bucket and shares:
  • Bucket name (e.g., customer-events-bucket)
  • Region (e.g., us-east-1)
  2. Customer Creates an IAM Policy
  3. Customer creates a policy with read permissions for their bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::customer-events-bucket",
                "arn:aws:s3:::customer-events-bucket/*"
            ]
        }
    ]
}
They should name this policy something like AampeS3ReadAccess.
  4. Customer Creates an IAM Role with Cross-Account Trust
Customer creates a new IAM role with this trust policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<AAMPE_AWS_ACCOUNT_ID>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<EXTERNAL_ID_PROVIDED_BY_AAMPE>"
                }
            }
        }
    ]
}
Important fields to replace:
  • <AAMPE_AWS_ACCOUNT_ID>: AWS account ID will be provided by Aampe
  • <EXTERNAL_ID_PROVIDED_BY_AAMPE>: Will be provided by Aampe
The customer should name this role something like AampeS3AccessRole.
  5. Customer Attaches the Policy to the Role
Customer attaches the AampeS3ReadAccess policy (created in step 3) to the AampeS3AccessRole (created in step 4).
  6. Customer Shares Role ARN with Aampe
Customer provides Aampe with:
  • The full role ARN (e.g., arn:aws:iam::987654321098:role/AampeS3AccessRole)
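Before sharing the role ARN, it is worth checking that the two documents above are scoped the way this section describes: the trust policy names only the Aampe account and carries the sts:ExternalId condition, and the permissions policy grants only read actions on the one bucket. The following checker is an added example, not Aampe's own tooling; the account ID, external ID and bucket name in it are constructed placeholders.

```python
import json

# Constructed placeholder values (the real account ID and external ID come from Aampe),
# plus the Role Based Access trust policy with those placeholders filled in.
AAMPE_ACCOUNT_ID = "123456789012"
EXTERNAL_ID = "example-external-id"
BUCKET = "customer-events-bucket"
TRUST_POLICY_JSON = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{AAMPE_ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]})


def _as_list(value):
    # IAM accepts either a single string or a list in Action, Resource and Principal.
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, account_id, external_id):
    """Return problems found in a cross-account trust policy; an empty list means it matches."""
    problems = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principal != [f"arn:aws:iam::{account_id}:root"]:
            problems.append(f"unexpected principal {principal}")
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            problems.append("statement does not grant sts:AssumeRole")
        # Without the ExternalId condition, anyone able to have Aampe's account assume
        # roles could reach this bucket (the confused-deputy case ExternalId prevents).
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            problems.append("sts:ExternalId condition missing or wrong")
    return problems


def check_read_policy(policy_json, bucket):
    """Return problems in the permissions policy: write actions or resources outside the bucket."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    problems = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not action.startswith(("s3:Get", "s3:List")):
                problems.append(f"non-read action {action}")
        for res in _as_list(stmt.get("Resource", [])):
            if res not in allowed:
                problems.append(f"resource outside bucket: {res}")
    return problems
```

Run the two functions over the JSON you pasted into the console; any string they return is a deviation from the policies shown in this section.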
The Aampe team is happy to help with providing alternatives if the above is in conflict with your IT policies. Please send an email to support@aampe.com and we’ll find a solution.