
Prepare for authentication

You can configure multiple authentication types to access Amazon S3.
Before you configure the connection properties, you need to keep the authentication details handy based on the authentication type that you want to use.

Create a minimal Amazon IAM policy

You can configure an IAM policy through the AWS console. Use AWS IAM authentication to securely control access to Amazon S3 resources.
Use the following minimum required policies for users to read data from an Amazon S3 bucket:
Use the following minimum required policies for users to write data to an Amazon S3 bucket:
The following sample policy shows the minimal Amazon IAM policy to write data to an Amazon S3 bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket_name>/*",
        "arn:aws:s3:::<bucket_name>"
      ]
    }
  ]
}
For bucket level access in advanced mode, you need to provide the AllowListBucketMultipartUploads permission at the bucket level in addition to the ListBucketMultipartUploads permission.
The following sample policy shows the minimal Amazon IAM policy to access the S3 bucket at the bucket level in advanced mode:
{
  "Sid": "AllowListBucketMultipartUploads",
  "Action": [
    "s3:ListBucketMultipartUploads"
  ],
  "Effect": "Allow",
  "Resource": [
    "arn:aws:s3:::infa.qa.minimum.access.bucket"
  ]
}
For mappings in advanced mode, you can use different AWS accounts within the same AWS region. Make sure that the Amazon IAM policy confirms access to the AWS accounts used in the mapping.
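A least-privilege check for the write policy above, as an added example that is not part of the original page or the connector. The function name audit_write_policy, the bucket name example-bucket and the over-broad policy are constructed for illustration; the check flags any Allow statement that goes beyond the five actions and two bucket ARNs in the sample.

```python
import json

# Actions in the page's minimal write policy, lower-cased (IAM action names are case-insensitive).
MINIMAL_WRITE_ACTIONS = {a.lower() for a in (
    "s3:PutObject", "s3:GetObject", "s3:DeleteObject",
    "s3:ListBucket", "s3:ListBucketMultipartUploads")}

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)

def audit_write_policy(policy_json, bucket):
    """Return findings for Allow statements broader than the minimal write policy."""
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource allows by exclusion")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                findings.append(f"statement {i}: wildcard action {action}")
            elif action.lower() not in MINIMAL_WRITE_ACTIONS:
                findings.append(f"statement {i}: action not in minimal set: {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in in_scope:
                findings.append(f"statement {i}: resource outside {bucket}: {resource}")
    return findings

# Constructed inputs: the page's policy for a placeholder bucket, and an over-broad variant.
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
               "s3:ListBucket", "s3:ListBucketMultipartUploads"],
    "Resource": ["arn:aws:s3:::example-bucket/*", "arn:aws:s3:::example-bucket"]}]})
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["s3:*", "s3:PutBucketPolicy"], "Resource": "*"}})

if __name__ == "__main__":
    print(audit_write_policy(PAGE_POLICY, "example-bucket"))
    for finding in audit_write_policy(BROAD_POLICY, "example-bucket"):
        print(finding)
```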

IAM authentication

To configure IAM authentication, the Secure Agent needs to run on an Amazon Elastic Compute Cloud (EC2) system. If you prefer not to specify the keys or use the IAM role ARN, then assign the minimum policy to the EC2 with access to the S3 bucket.
When you use a serverless runtime environment, you cannot configure IAM authentication.
If you do not provide the access key and the secret key in the connection, Amazon S3 V2 Connector uses the AWS credentials provider chain, which looks for credentials in the following order:
  1. The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY or AWS_ACCESS_KEY and AWS_SECRET_KEY environment variables.
  2. The aws.accessKeyId and aws.secretKey Java system properties.
  3. The credential profiles file at the default location, ~/.aws/credentials.
  4. The instance profile credentials delivered through the Amazon EC2 metadata service.
Perform the following steps to configure IAM authentication on EC2:
  1. Create a minimal Amazon IAM policy.
  2. Create the Amazon EC2 role. The Amazon EC2 role is used when you create an EC2 system. For more information about creating the Amazon EC2 role, see the AWS documentation.
  3. Link the minimal Amazon IAM policy with the Amazon EC2 role.
  4. Create an EC2 instance. Assign the Amazon EC2 role that you created in step 2 to the EC2 instance.
  5. Install the Secure Agent on the EC2 system.

AssumeRole using EC2 role and IAM user

You can configure AssumeRole using EC2 role or IAM user to connect to Amazon S3.
You can use the temporary security credentials using AssumeRole to access AWS resources from the same or different AWS accounts.
When you configure AssumeRole using EC2 role or IAM user, ensure that you have the sts:AssumeRole permission and a trust relationship established within the AWS accounts to use the temporary security credentials. The trust relationship is defined in the trust policy of the IAM role when you create the role. The IAM role adds the EC2 role or IAM user as a trusted entity allowing the EC2 role or IAM user to use the temporary security credentials and access the AWS accounts.
For more information about how to establish the trust relationship, see the AWS documentation.
When the trusted EC2 role or IAM user requests the temporary security credentials, the AWS Security Token Service (AWS STS) dynamically generates temporary security credentials that are valid for a specified period and provides them to the trusted EC2 role or IAM user.

AssumeRole using EC2 role

To configure an EC2 role to assume the IAM role provided in the IAM Role ARN connection property, select the Use EC2 Role to Assume Role check box in the Amazon S3 V2 connection properties.
The Amazon EC2 role can assume another IAM role from the same or different AWS account without requiring a permanent access key and secret key. The Amazon EC2 role can also assume another IAM role from a different region.
Consider the following prerequisites before you configure AssumeRole using EC2 role:

AssumeRole using IAM user

To configure AssumeRole using IAM user, provide the value of the IAM Role ARN connection property when you create an Amazon S3 V2 connection. The IAM Role ARN uniquely identifies the AWS resources. Then, specify the time duration in seconds during which you can use the temporary security credentials in the Temporary Credential Duration advanced source and target properties.
You need to follow some guidelines when you configure AssumeRole using IAM user. For more information, see .

External ID

You can specify the external ID of your AWS account for more secure access to the Amazon S3 bucket when the Amazon S3 bucket is in the same or a different AWS account.
You can optionally specify the external ID in the AssumeRole request to the AWS Security Token Service (STS).
The external ID must be a string.
The following sample shows an external ID condition in the assumed IAM role's trust policy:
"Statement": [
  {
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::AWS_Account_ID:user/user_name"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "sts:ExternalId": "dummy_external_id"
      }
    }
  }
]

AssumeRole policy

To use the temporary security credentials to access the AWS resources, both the IAM user and IAM role require policies.
The following section lists the policies required for the IAM user and IAM role:
IAM user
An IAM user must have the sts:AssumeRole policy to use the temporary security credentials in the same or different AWS account.
The following sample policy allows an IAM user to use the temporary security credentials in an AWS account:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<ACCOUNT-HYPHENS>:role/<ROLE-NAME>"
  }
}
The following sample policy allows an IAM user for the China region to use the temporary security credentials in an AWS account:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws-cn:iam::<ACCOUNT-HYPHENS>:role/<ROLE-NAME>"
  }
}
IAM role
An IAM role must have a sts:AssumeRole policy and a trust policy attached with the IAM role to allow the IAM user to access the AWS resource using the temporary security credentials. The policy specifies the AWS resource that the IAM user can access and the actions that the IAM user can perform. The trust policy specifies the IAM user from the AWS account that can access the AWS resource.
The following policy is a sample trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::AWS-account-ID:root" },
      "Action": "sts:AssumeRole"
    }
  ]
}
Here, in the Principal attribute, you can also provide the ARN of IAM user, which allows the designated user to dynamically generate temporary security credentials and helps to restrict further access.
For example,
"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/user-name" }

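The External ID and trust policy passages above, turned into a review check (an added example, not code from the original page or from AWS). audit_trust_policy is a hypothetical helper, and the account ID 111122223333 and the user name are constructed; the check reports trust statements that name a whole account as principal or carry no sts:ExternalId condition.

```python
import json

def audit_trust_policy(policy_json):
    """Return findings for Allow statements that let a principal call sts:AssumeRole."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        grants_assume = any(a.lower() in ("sts:assumerole", "sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_assume:
            continue
        principal = stmt.get("Principal", {})
        arns = principal if isinstance(principal, str) else principal.get("AWS", [])
        arns = [arns] if isinstance(arns, str) else arns
        for arn in arns:
            if arn == "*":
                findings.append(f"statement {i}: any AWS principal is trusted")
            elif arn.endswith(":root") or arn.isdigit():
                # An account root ARN or a bare account ID trusts every identity in that
                # account that has been granted sts:AssumeRole on this role.
                findings.append(f"statement {i}: whole account trusted: {arn}")
        # Condition key names are not case-sensitive.
        keys = {k.lower() for k in stmt.get("Condition", {}).get("StringEquals", {})}
        if "sts:externalid" not in keys:
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings

# Constructed inputs modelled on the page's two samples (account ID and user are placeholders).
ROOT_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole"}]})
USER_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/example-user"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "dummy_external_id"}}}]})

if __name__ == "__main__":
    for finding in audit_trust_policy(ROOT_TRUST):
        print(finding)
    print(audit_trust_policy(USER_TRUST))
```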
Credential profile file authentication

You can provide the credentials required to establish the connection with Amazon S3 through the credential profile file.
If you do not specify the credential profile file path, the default credential file path is used. If you do not specify the profile name, the credentials are used from the default profile in the credential file.
Consider the following rules for a credential profile file:
The following sample shows a credential profile file:
[default]
aws_access_key_id = 1233333
aws_secret_access_key = abcabcabc

[test-profile]
aws_access_key_id = 1233333
aws_secret_access_key = abcabcabc
aws_session_token = jahaheieomdrtflmlioerp
The aws_access_key_id and aws_secret_access_key are the AWS access key and secret key used as part of credentials to authenticate the user.
The aws_session_token is the AWS session token used as part of the credentials to authenticate the user. A session token is required only if you specify temporary security credentials.
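The lookup order listed under IAM authentication and the profile file format above, modelled together to show which credentials take effect on a host (an added example, not the connector's or the AWS SDK's code). resolve_source and read_profile are hypothetical helper names, and the inputs are passed in as plain dictionaries and text rather than read from the system.

```python
import configparser

ENV_PAIRS = (("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"),
             ("AWS_ACCESS_KEY", "AWS_SECRET_KEY"))

def read_profile(credentials_text, profile="default"):
    """Return "temporary" or "long-lived" for a usable profile, else None."""
    parser = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    parser.read_string(credentials_text)
    if not parser.has_section(profile):
        return None
    section = parser[profile]
    if not (section.get("aws_access_key_id") and section.get("aws_secret_access_key")):
        return None
    # A session token marks temporary security credentials.
    return "temporary" if section.get("aws_session_token") else "long-lived"

def resolve_source(env, java_props, credentials_text, profile="default",
                   instance_profile=False):
    """Return the first source, in the order the page lists, that holds credentials."""
    for key_id, secret in ENV_PAIRS:                       # 1. environment variables
        if env.get(key_id) and env.get(secret):
            return f"environment ({key_id})"
    if java_props.get("aws.accessKeyId") and java_props.get("aws.secretKey"):
        return "java system properties"                    # 2. Java system properties
    kind = read_profile(credentials_text, profile)         # 3. credential profiles file
    if kind:
        return f"profile [{profile}] ({kind})"
    return "instance profile" if instance_profile else None  # 4. EC2 metadata service

# The page's sample credential file (placeholder values, not real keys).
SAMPLE_FILE = """\
[default]
aws_access_key_id = 1233333
aws_secret_access_key = abcabcabc

[test-profile]
aws_access_key_id = 1233333
aws_secret_access_key = abcabcabc
aws_session_token = jahaheieomdrtflmlioerp
"""

if __name__ == "__main__":
    # Constructed scenario: an EC2 host with a role attached and a leftover exported key.
    stale_env = {"AWS_ACCESS_KEY_ID": "constructed-id",
                 "AWS_SECRET_ACCESS_KEY": "constructed-secret"}
    print(resolve_source(stale_env, {}, SAMPLE_FILE, instance_profile=True))
    print(resolve_source({}, {}, SAMPLE_FILE, "test-profile", instance_profile=True))
    print(resolve_source({}, {}, "", instance_profile=True))
```

In the first call the key pair left in the environment is found before the profile file and the instance role, so the host would keep using that key even though a role is attached.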