Use an IAM Role

Configure an IAM role in your account that HockeyStack DataSyncs can assume to read from your S3 bucket

Setting up an IAM Role

If you are using an IAM role (rather than access keys) to provide access:

1) Create a policy that allows access to the bucket:

  • Go to the AWS IAM Console → Policies → Create Policy

  • Go to the JSON tab

  • Copy the following policy and paste it into the JSON editor. Replace {your-bucket-name} with the name of your S3 bucket. The policy is read-only (list and get) and is scoped to that one bucket and its objects.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::{your-bucket-name}/*",
                "arn:aws:s3:::{your-bucket-name}"
            ]
        }
    ]
}

  • You can save the policy as HockeyStack-DataSyncs-S3Access

2) Create an IAM role that the HockeyStack-DataSyncs account can assume to access your bucket:

  • Go to the AWS IAM Console → Roles → Create Role

  • Select "Another AWS Account"

    • Enter 422597910032 (HockeyStack-DataSyncs AWS Account ID).

  • Check "Require external ID" (recommended: the external ID prevents a third party from tricking HockeyStack into assuming your role, the so-called confused-deputy problem)

    • Set an External ID: a long, random string you choose. Treat it like a shared secret; you will give it to HockeyStack when configuring the DataSync.

  • In the Add permissions step, select the HockeyStack-DataSyncs-S3Access policy you created, then finish creating the role.

3) (Optional) Restrict the trust to the HockeyStack-DataSyncs user only:

  • The role created in step 2 trusts the whole HockeyStack account (principal arn:aws:iam::422597910032:root). Edit the role's trust policy so that only our HockeyStack-DataSyncs user can assume it, replacing YOUR_EXTERNAL_ID with the external ID you chose:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::422597910032:user/HockeyStack-DataSyncs"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "YOUR_EXTERNAL_ID"
                }
            }
        }
    ]
}
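As an added example (not HockeyStack's code and not part of the original page), the Python script below generates the two documents from steps 1 to 3 for a given bucket name and external ID, and lints them against the rules the walkthrough relies on: read-only actions scoped to one bucket, a single trusted principal rather than the whole account (`:root`), and a required external ID that is long enough to be unguessable. The account ID and user ARN are the ones quoted above; the bucket name, the 16-character minimum for the external ID, and the split of the bucket policy into two statements (same effect as the page's single statement, just separated by resource type) are assumptions.

```python
"""Added example (not HockeyStack's code): build and lint the IAM documents
for the HockeyStack DataSyncs role described in the walkthrough."""
import json
import secrets

# Values quoted on the page; the bucket name used below is a placeholder.
HOCKEYSTACK_ACCOUNT_ID = "422597910032"
HOCKEYSTACK_USER_ARN = f"arn:aws:iam::{HOCKEYSTACK_ACCOUNT_ID}:user/HockeyStack-DataSyncs"
READ_ONLY_ACTIONS = ("s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket")
MIN_EXTERNAL_ID_LEN = 16  # assumption: shorter IDs are treated as guessable


def new_external_id() -> str:
    """Random external ID; share it only with HockeyStack, like a secret."""
    return secrets.token_urlsafe(24)


def bucket_access_policy(bucket: str) -> dict:
    """Read-only policy scoped to one bucket. Bucket-level actions go on the
    bucket ARN and GetObject on the object ARN (same effect as the page's
    single statement, just split by resource type)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow",
             "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def trust_policy(external_id: str, principal: str = HOCKEYSTACK_USER_ARN) -> dict:
    """Only `principal` may assume the role, and only when it presents
    `external_id` (the external ID closes the confused-deputy hole)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_trust_policy(doc: dict) -> list:
    """Problems found in a trust policy; an empty list means it is tight."""
    problems = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for p in _as_list(st.get("Principal", {}).get("AWS", [])):
            if p == "*" or p.endswith(":root"):
                # :root trusts every principal in that account that holds
                # sts:AssumeRole, not just the DataSyncs user
                problems.append(f"broad principal {p}")
            elif HOCKEYSTACK_ACCOUNT_ID not in p:
                problems.append(f"unexpected principal {p}")
        for a in _as_list(st.get("Action", [])):
            if a != "sts:AssumeRole":
                problems.append(f"unexpected action {a}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            problems.append("missing sts:ExternalId condition")
        elif len(ext) < MIN_EXTERNAL_ID_LEN:
            problems.append("external ID is short enough to guess")
    return problems


def lint_bucket_policy(doc: dict, bucket: str) -> list:
    """Problems found in the access policy: non-read actions or resources
    outside the named bucket."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    problems = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for a in _as_list(st.get("Action", [])):
            if a not in READ_ONLY_ACTIONS:
                problems.append(f"action {a} is not read-only")
        for r in _as_list(st.get("Resource", [])):
            if r not in allowed:
                problems.append(f"resource {r} is outside bucket {bucket}")
    return problems


if __name__ == "__main__":
    bucket = "your-bucket-name"  # placeholder, replace with your bucket
    ext_id = new_external_id()
    access, trust = bucket_access_policy(bucket), trust_policy(ext_id)
    assert not lint_bucket_policy(access, bucket) and not lint_trust_policy(trust)
    print("External ID (give this to HockeyStack):", ext_id)
    print(json.dumps(access, indent=2))
    print(json.dumps(trust, indent=2))
```

The printed JSON can be pasted into the console's JSON tab exactly as in steps 1 and 3, or written to files and passed to the AWS CLI with `aws iam create-policy --policy-document file://access.json` and `aws iam create-role --assume-role-policy-document file://trust.json`. Running the linter on the trust policy the console generates in step 2 reports the `:root` principal, which is the reason step 3 exists.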
