Use an IAM Role

Setting up an IAM Role

If using an IAM role to provide access

1) Create a policy that allows access to the bucket:

• Go to the AWS IAM Console → Policies → Create Policy

• Go to the JSON tab

• Copy the following policy and paste it into the visual editor. Replace {your-bucket-name} with the name of your S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
        "Effect": "Allow",
        "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket"

        ],
        "Resource": [
                "arn:aws:s3:::{your-bucket-name}/*",
                "arn:aws:s3:::{your-bucket-name}"
        ]
        }
    ]
}

• You can save the policy as HockeyStack-DataSyncs-S3Access

2) Create an IAM role for our user that can properly access your bucket:

• Go to the AWS IAM Console → Roles → Create Role

• Select "Another AWS Account"

  • Enter 422597910032 (HockeyStack-DataSyncs AWS Account ID).

• Check "Require external ID" (Recommended for security)

  • Set an External ID (a unique string you choose, that will be used to configure the DataSync)

• In the Add permissions step, select the HockeyStack-DataSyncs-S3Access policy you created, then finish creating the policy.

3) (Optional) Giving access specifically to HockeyStack-DataSyncs user:

• Edit the custom trust policy of the role, to further specify that only our HockeyStack-DataSyncs user can assume the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::422597910032:user/HockeyStack-DataSyncs"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "YOUR_EXTERNAL_ID"
                }
            }
        }
    ]
}