To configure AssumeRole authentication for S3 staging, attach the minimum permissions policies and trust policies to the IAM user and IAM role in the AWS console.
An IAM user can use AssumeRole to gain temporary access to Amazon S3 resources. For more information about using an assume role for Amazon S3 resources, you can also refer to the How-to Library article "Using an assume role for Amazon S3 resources".
You can generate temporary security credentials using AssumeRole for Amazon S3 staging to access the Amazon S3 staging bucket. If you want EC2 instances to assume an IAM role to access the S3 staging bucket securely, use the temporary security credentials generated using AssumeRole for EC2 instances.
Generate the temporary security credentials based on your requirement.
Generate temporary security credentials using AssumeRole for Amazon S3 staging
You can use the temporary security credentials using AssumeRole to access the Amazon S3 staging bucket from the same or different AWS accounts.
Ensure that the IAM user has the sts:AssumeRole permission and that a trust relationship is established between the AWS accounts before you use the temporary security credentials. The trust relationship is defined in the trust policy of the IAM role when you create the role: the trust policy names the IAM user as a trusted entity, which allows that user to obtain temporary security credentials for the role and to access the resources that the role is permitted to access. For more information about how to establish the trust relationship, see the AWS documentation.
When the trusted IAM user requests temporary security credentials, AWS Security Token Service (AWS STS) dynamically generates credentials that are valid for a specified period and returns them to the trusted IAM user. The temporary security credentials consist of an access key ID, a secret access key, and a session token.
To use the dynamically generated temporary security credentials, provide the value of the S3 IAM Role ARN connection property when you create an Amazon Redshift V2 connection. The IAM Role ARN uniquely identifies the IAM role to assume. Then specify the duration in seconds for which the temporary security credentials remain valid in the Temporary Credential Duration advanced source and target properties. The duration cannot exceed the maximum session duration configured on the IAM role (1 hour by default); STS rejects requests for a longer duration.
External ID
You can specify an external ID for more secure access to the Amazon S3 bucket when the bucket is in a different AWS account than the IAM user or EC2 instance. The external ID lets the owner of the role ensure that the role can be assumed only by requests made on behalf of the expected party, which protects the role against the confused deputy problem.
Note: Application ingestion and database ingestion tasks do not support use of External ID.
You can optionally specify the external ID in the AssumeRole request to AWS Security Token Service (STS).
The external ID must be a string. The following sample shows an external ID condition in the trust policy of the assumed IAM role. When this condition is present, STS rejects AssumeRole requests from the listed principal that do not present exactly the configured external ID:
"Statement": [
  {
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::AWS_Account_ID:user/user_name"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "sts:ExternalId": "dummy_external_id"
      }
    }
  }
]
Temporary security credentials policy
To use the temporary security credentials to access the Amazon S3 staging bucket, both the IAM user and the IAM role require policies.
The following section lists the policies required for the IAM user and the IAM role:
- IAM user
- An IAM user must have a permissions policy that allows the sts:AssumeRole action on the IAM role, whether the role is in the same or a different AWS account. Restrict the Resource to the ARN of the role to assume rather than granting sts:AssumeRole on all roles.
- The following sample policy allows an IAM user to use the temporary security credentials in an AWS account:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<ACCOUNT-HYPHENS>:role/<ROLE-NAME>"
  }
}
- The following sample policy allows an IAM user for the China region to use the temporary security credentials in an AWS account. The only difference is the aws-cn partition in the role ARN:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws-cn:iam::<ACCOUNT-HYPHENS>:role/<ROLE-NAME>"
  }
}
- IAM role
- An IAM role must have a permissions policy and a trust policy attached to allow the IAM user to access the Amazon S3 bucket using the temporary security credentials. The permissions policy specifies the Amazon S3 bucket that can be accessed through the role and the actions that can be performed on it. The trust policy specifies the IAM user, from the same or a different AWS account, that is allowed to assume the role. The role itself does not need the sts:AssumeRole permission; that permission belongs on the IAM user.
The following policy is a sample trust policy. The principal is the ARN of the IAM user that is allowed to assume the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<AWS-ACCOUNT-ID>:user/<USER-NAME>" },
      "Action": "sts:AssumeRole"
    }
  ]
}
Temporary security credentials for KMS
To use the temporary security credentials with an AWS Key Management Service (AWS KMS) key (formerly called a customer master key) and enable encryption with KMS, you must create a KMS policy and attach it to the IAM role whose temporary credentials are used.
The policy must allow the following KMS operations on the key so that the temporary security credentials can be used with KMS encryption:
- GenerateDataKey
- DescribeKey
- Encrypt
- Decrypt
- ReEncrypt
You can use the following sample policy. Note that this IAM policy takes effect only if the key policy of the KMS key allows access through IAM policies, which the default key policy does:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*"
      ],
      "Resource": ["arn:aws:kms:region:account:key/<KMS_key>"]
    }
  ]
}
When you configure KMS and access an Amazon S3 endpoint in the China region, use the following sample policy. The only difference is the aws-cn partition in the key ARN:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*"
      ],
      "Resource": ["arn:aws-cn:kms:region:account:key/<KMS_key>"]
    }
  ]
}