{"metadata":{"image":[],"title":"","description":""},"api":{"url":"","auth":"required","settings":"","results":{"codes":[]},"params":[]},"next":{"description":"","pages":[]},"title":"AWS S3 Access","type":"basic","slug":"aws-s3-access","excerpt":"","body":"A number of out integrations require a partner to access a PushSpring provided AWS S3 Bucket.\n\nThere are two ways to provision credentials for access to this bucket.\n[block:api-header]\n{\n  \"title\": \"AWS IAM Role Trust\"\n}\n[/block]\nThis is the preferred mechanism for access.\n\nData security is enforced using [AWS Identity and Access Management](https://aws.amazon.com/iam/) To access a PushSpring provided S3 bucket you will need your own, valid AWS account and an IAM user with the sts:AssumeRole privilege.\n\nTo grant access to S3, PushSpring takes your organization’s AWS account ID and creates a new role within PushSpring's AWS account. This role has a unique identifier called a Role ARN. This role grants access to your data, and can only be assumed from IAM users within your AWS account.\n\n1. You will need to provide the ARN for an IAM Role or IAM User in an AWS account that you own. This role will need to be given the sts:AssumeRole permission. \n2. Once we receive your ARN we will create an IAM Role in our AWS account that specifies your ARN as a trusted entity.  We will send you the ARN of our IAM Role.\n3. When accessing our S3 bucket you will need to assume the role in our account using the ARN we have provided. \n\n**Obtaining Temporary Credentials to Access Data Platform**\nIn order to access your data from PushSpring's AWS account, first make sure that you have received a role ARN and an External ID from PushSpring. The role ARN should take the form of arn:aws:iam:: 041138300700:role/<ROLE_NAME> and the External ID should take the form of XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.\n\nNext, attach a group policy to the IAM user who is trying to assume the role. The policy should use the role ARN provided by PushSpring and take the following form:\n[block:code]\n{\n  \"codes\": [\n    {\n      \"code\": \"  {\\n    \\\"Version\\\": \\\"2012-10-17\\\",\\n    \\\"Statement\\\": {\\n        \\\"Effect\\\": \\\"Allow\\\",\\n        \\\"Action\\\": \\\"sts:AssumeRole\\\",\\n        \\\"Resource\\\": \\\"arn:aws:iam::041138300700:role/<ROLE_NAME>\\\"\\n    }\\n  }\",\n      \"language\": \"json\",\n      \"name\": null\n    }\n  ]\n}\n[/block]\nThen, you need to call the sts:AssumeRole action from within your own AWS account, using both the role ARN and External ID provided by PushSpring. If the call succeeds (you are allowed to assume roles, and have been authorized to assume the role PushSpring created) you will receive a set of temporary credenials to access your data.\n\nHow to do this using the AWS CLI this is documented here: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html\n\nFor AWS SDKs check out the STS.AssumeRole method.  The JavaScript SDK documentation is here: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/STS.html#assumeRole-property\n[block:api-header]\n{\n  \"title\": \"AWS Access Keys\"\n}\n[/block]\nThis is **NOT** the preferred method.  If you use this method you will need to get new access keys every 90 days.  Your old access keys will be disabled after 90 days.\n\nIf you must use this option please provide the email address and phone number of a contact who is responsible for updating the keys in your system as well as an escalation contact in case that individual is not available.\n\nOnce this information is provided we will provide your first set of access keys.","updates":[],"order":999,"isReference":false,"hidden":false,"sync_unique":"","link_url":"","link_external":false,"_id":"5f0606dd92312b0274f2aa89","createdAt":"2020-07-08T17:48:13.990Z","user":"55de06e19db51a0d0064947d","category":{"sync":{"isSync":false,"url":""},"pages":[],"title":"Data Transfer and Integration","slug":"data-transfer-and-integration","order":11,"from_sync":false,"reference":false,"_id":"5dd81acdb8c91603c41dfec3","__v":0,"project":"55de06fa57f7b20d0097636b","version":"5dd81acdb8c91603c41dff08","createdAt":"2017-04-11T18:09:32.839Z"},"version":{"version":"2.0","version_clean":"2.0.0","codename":"PostSDK","is_stable":true,"is_beta":false,"is_hidden":false,"is_deprecated":false,"categories":["5dd81acdb8c91603c41dfeba","5dd81acdb8c91603c41dfebb","5dd81acdb8c91603c41dfebc","5dd81acdb8c91603c41dfebd","5dd81acdb8c91603c41dfebe","5dd81acdb8c91603c41dfebf","563cbfe4260dde0d00c5e9d4","5dd81acdb8c91603c41dfec0","5dd81acdb8c91603c41dfec1","5dd81acdb8c91603c41dfec2","5dd81acdb8c91603c41dfec3","5dd81acdb8c91603c41dfec4","5dd81acdb8c91603c41dfec5","5dd81acdb8c91603c41dfec6"],"_id":"5dd81acdb8c91603c41dff08","project":"55de06fa57f7b20d0097636b","__v":0,"forked_from":"55de06fa57f7b20d0097636e","createdAt":"2015-08-26T18:35:38.642Z","releaseDate":"2015-08-26T18:35:38.642Z"},"project":"55de06fa57f7b20d0097636b","__v":0}
A number of out integrations require a partner to access a PushSpring provided AWS S3 Bucket. There are two ways to provision credentials for access to this bucket. [block:api-header] { "title": "AWS IAM Role Trust" } [/block] This is the preferred mechanism for access. Data security is enforced using [AWS Identity and Access Management](https://aws.amazon.com/iam/) To access a PushSpring provided S3 bucket you will need your own, valid AWS account and an IAM user with the sts:AssumeRole privilege. To grant access to S3, PushSpring takes your organization’s AWS account ID and creates a new role within PushSpring's AWS account. This role has a unique identifier called a Role ARN. This role grants access to your data, and can only be assumed from IAM users within your AWS account. 1. You will need to provide the ARN for an IAM Role or IAM User in an AWS account that you own. This role will need to be given the sts:AssumeRole permission. 2. Once we receive your ARN we will create an IAM Role in our AWS account that specifies your ARN as a trusted entity. We will send you the ARN of our IAM Role. 3. When accessing our S3 bucket you will need to assume the role in our account using the ARN we have provided. **Obtaining Temporary Credentials to Access Data Platform** In order to access your data from PushSpring's AWS account, first make sure that you have received a role ARN and an External ID from PushSpring. The role ARN should take the form of arn:aws:iam:: 041138300700:role/<ROLE_NAME> and the External ID should take the form of XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. Next, attach a group policy to the IAM user who is trying to assume the role. The policy should use the role ARN provided by PushSpring and take the following form: [block:code] { "codes": [ { "code": " {\n \"Version\": \"2012-10-17\",\n \"Statement\": {\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Resource\": \"arn:aws:iam::041138300700:role/<ROLE_NAME>\"\n }\n }", "language": "json", "name": null } ] } [/block] Then, you need to call the sts:AssumeRole action from within your own AWS account, using both the role ARN and External ID provided by PushSpring. If the call succeeds (you are allowed to assume roles, and have been authorized to assume the role PushSpring created) you will receive a set of temporary credenials to access your data. How to do this using the AWS CLI this is documented here: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html For AWS SDKs check out the STS.AssumeRole method. The JavaScript SDK documentation is here: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/STS.html#assumeRole-property [block:api-header] { "title": "AWS Access Keys" } [/block] This is **NOT** the preferred method. If you use this method you will need to get new access keys every 90 days. Your old access keys will be disabled after 90 days. If you must use this option please provide the email address and phone number of a contact who is responsible for updating the keys in your system as well as an escalation contact in case that individual is not available. Once this information is provided we will provide your first set of access keys.