Pre-requisite for external id in S3 managed connection
Pre-requisite
1. IAM Role Permissions
Make sure that the IAM role actually has permission to interact with the specific S3 bucket: its permissions should look similar to the following inline policy, which grants only the object-write actions needed for uploads, and only on that bucket.
Example of an IAM role permission policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::examplebucket/*"
    }
  ]
}
2. Confirm the Role ARN
Also confirm that the role ARN being used is the full ARN, including the arn:aws:iam:: prefix, rather than just the role name.
3. Verify the Trust Relationships Policy
Add a trust policy to the IAM role that allows the Sequentum role arn:aws:iam::302263087412:role/seqtestclient to assume it in order to upload files.
Example of a Trust Relationships policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::280772890673:role/sequentum-upload-qa"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "seq_p8OgYZNm_anQEaOZ8-mMn"
        }
      }
    }
  ]
}
4. Add a Bucket Policy to Allow Access
You need to add a bucket policy that allows your IAM role to put objects into the bucket:
Example of a bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::666666666666:role/your-iam-role"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::examplebucket/*"
    }
  ]
}
This policy allows the IAM role arn:aws:iam::666666666666:role/your-iam-role to upload objects to the specified bucket and to set the access control list on those objects.
5. Confirm that the External ID Matches
Make sure that the External ID you enter in Sequentum Enterprise when creating the connection is exactly the same as the External ID configured in the sts:ExternalId condition of the AWS IAM role's trust policy. The External ID is what ties the trust grant to your connection specifically, so any difference means the AssumeRole call will be denied.
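The following is an added example, not Sequentum's own code: a small offline pre-flight checker for the role ARN, trust policy and External ID steps above. The sample trust policy is constructed to match the shape shown on this page, and the function names and the shape of the returned problem list are this example's own choices.

```python
import json
import re

# Constructed sample trust policy, shaped like the one shown on this page.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::280772890673:role/sequentum-upload-qa"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "seq_p8OgYZNm_anQEaOZ8-mMn"}},
    }],
})

# Full IAM role ARN: arn:aws:iam::<12-digit account>:role/<path/name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def is_full_role_arn(arn: str) -> bool:
    """True only for a complete role ARN, not a bare role name."""
    return bool(ROLE_ARN_RE.match(arn))


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def trust_policy_problems(policy_json: str, partner_role_arn: str, external_id: str) -> list:
    """Return problems found in a role trust policy; an empty list means the partner
    role may assume it, and only with the expected sts:ExternalId."""
    policy = json.loads(policy_json)
    problems, matching = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in principals:
            problems.append("statement trusts every AWS principal ('*')")
        if partner_role_arn in principals:
            matching.append(stmt)
    if not matching:
        return problems + [f"no Allow sts:AssumeRole statement for {partner_role_arn}"]
    for stmt in matching:
        allowed_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId", []))
        if not allowed_ids:
            problems.append("sts:AssumeRole statement has no sts:ExternalId condition")
        elif external_id not in allowed_ids:
            problems.append(f"sts:ExternalId mismatch: policy has {allowed_ids}, connection uses {external_id!r}")
    return problems
```

Run it against the trust policy pulled from the role (for example the output of `aws iam get-role`) with the Sequentum role ARN and the External ID entered in the connection; an empty list means the three checks pass.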