Use an IAM Role
Configure an IAM role that DataSyncs can use to access your bucket
Setting up an IAM Role
If using an IAM role to provide access
1) Create a policy that allows access to the bucket:
Go to the AWS IAM Console → Policies → Create Policy
Go to the JSON tab
Copy the following policy and paste it into the visual editor. Replace
{your-bucket-name}with the name of your S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::{your-bucket-name}/*",
"arn:aws:s3:::{your-bucket-name}"
]
}
]
}You can save the policy as
HockeyStack-DataSyncs-S3Access
2) Create an IAM role for our user that can properly access your bucket:
Go to the AWS IAM Console → Roles → Create Role
Select "Another AWS Account"
Enter 422597910032 (HockeyStack-DataSyncs AWS Account ID).
Check "Require external ID" (Recommended for security)
Set an External ID (a unique string you choose, that will be used to configure the DataSync)
In the Add permissions step, select the
HockeyStack-DataSyncs-S3Accesspolicy you created, then finish creating the policy.
3) (Optional) Giving access specifically to HockeyStack-DataSyncs user:
Edit the custom trust policy of the role, to further specify that only our HockeyStack-DataSyncs user can assume the role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::422597910032:user/HockeyStack-DataSyncs"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "YOUR_EXTERNAL_ID"
}
}
}
]
}Last updated