This guide walks through connecting Creative Force to your S3 bucket with an IAM role. Creative Force assumes a role that you create in your own AWS account, scoped by an External ID, so you never hand over long-lived access keys. The same setup is used for:

  • Data source

  • Asset Delivery

Both follow the same steps; only the permissions granted to the role differ:

  • Data source: Creative Force needs read permission only.

  • Asset Delivery (“Delivery options” in Gamma): Creative Force needs read and write permission.

Step 1. Setup on Your AWS Account

Create S3 Bucket

Create a new S3 bucket if you do not already have one you want Creative Force to use.

Reference: Creating a bucket (Amazon Simple Storage Service documentation).

Setup S3 bucket encryption

Creative Force requires server-side encryption on your S3 bucket. Two methods are supported:

  • Amazon S3-managed keys (SSE-S3)

  • AWS KMS keys stored in AWS Key Management Service (AWS KMS) (SSE-KMS)

See Setting default server-side encryption behavior for Amazon S3 buckets (Amazon S3 documentation). If you choose SSE-KMS, note the ARN of the KMS key: you will enter it in Gamma in Step 2, and the role policy in Step 3 must grant access to that key.

The following are not supported:

  • No encryption (an unencrypted bucket)

  • Client-side encryption (objects encrypted before upload, which Creative Force cannot read)

Setup IAM Role on your account

  • Create a new role with the trusted entity type “Another AWS account”

  • Enter the settings:

  1. Account ID: 092392787187 (the Creative Force AWS account ID)

  2. Require External ID: tick this and enter a free-text secret of your choice. The same value must be entered in Gamma in Step 2; AWS adds it to the role's trust policy as an sts:ExternalId condition, so a caller that does not present it cannot assume the role even if it is in the trusted account. Treat it like a shared secret.

  3. Require MFA: leave unticked. Creative Force does not support this option.

  • Click “Next: Permissions”

  • On the permissions page, attach nothing yet; the policy is added in Step 3.

  • Click “Next: Tags”

  • Add some tags if you want

  • Click “Next: Review”

  • Enter “Role name”

  • Click “Create role”

Step 2. Setup on Gamma

Create a “Delivery option” or “Data source” as usual. Most fields are the same; the differences when you pick the authentication type “IAM Role” are:

  1. Authentication Type: choose “IAM Role”

  2. Server Encryption Type: choose “AWS KMS Encryption” (SSE-KMS) or “AWS S3 Encryption” (SSE-S3), matching the bucket's default encryption

    1. If the type is “AWS KMS Encryption”, enter the “KMS ARN” of the key you chose in Setup S3 bucket encryption

  3. Role ARN: the ARN of the role created in Setup IAM Role on your account

  4. External Id: the same External ID you entered when creating the role (see Setup IAM Role on your account). The values must match exactly, otherwise the role assumption is denied.

  5. Bucket: the name of the S3 bucket created in Setup S3 Bucket

Step 3. Back to your AWS Account to setup policy

Tip: after saving the new “Data source” or “Delivery option”, open its edit slide-in again and use the “Generate Policies” button. It produces the policy JSON for this step with your bucket, role and key already filled in, so you can copy it instead of editing the examples below by hand.

Role Policy

Purpose: this inline policy defines what the role may do once assumed: access the KMS key and the S3 bucket. Keep it to what the integration needs: for a Data source (read only) the “UploadObjectS3” statement can be omitted, and the “KMS” statement is only needed for SSE-KMS buckets (SSE-S3 buckets need no KMS permissions). Replace BUCKET_NAME, YOUR_ACCOUNT and KMS_ID with your values; the region in the key ARN (eu-central-1 below) must be the region of your KMS key.

  • To edit, go to Roles, choose the role and open its detail page

  • On the “Permissions” tab click “Add inline policy”

  • Choose the JSON editor and enter a policy like the one below (you can copy this JSON from the Gamma setting):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KMS",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "arn:aws:kms:eu-central-1:YOUR_ACCOUNT:key/KMS_ID"
      ]
    },
    {
      "Sid": "UploadObjectS3",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME/*",
        "arn:aws:s3:::BUCKET_NAME"
      ]
    },
    {
      "Sid": "ReadObjectS3",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME/*",
        "arn:aws:s3:::BUCKET_NAME"
      ]
    },
    {
      "Sid": "ReadListS3",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    }
  ]
}

Edit IAM Role Trust Relationship

Purpose: the trust policy decides who may assume the role. The wizard trusted the whole Creative Force account (the “:root” principal); here you narrow it to the single IAM user Creative Force assumes the role from, so only that user, presenting the External ID, can use it.

Go to the detail page of the new role:

  • Open tab “Trust relationships”

  • Click “Edit trust relationship”

  • In the “Principal” block, replace "arn:aws:iam::092392787187:root" with "arn:aws:iam::092392787187:user/CreativeForceCloudS3". Leave the “Condition” block with the sts:ExternalId check in place.

  • Click “Update Trust Policy”

Setup S3 Bucket Policy

  • Navigate to your S3 bucket

  • Open the “Permissions” tab

  • In the “Bucket policy” section click “Edit”

  • Enter a policy like the example below (please copy this JSON from the Gamma screen). The principal is the role created in Step 1: the part after role/ is the role's name, not its ARN. Note that a statement whose Resource is only the bucket ARN covers bucket-level operations such as listing; object-level access is granted by the role policy above.

{
  "Version": "2012-10-17",
  "Id": "Policy1641802481873",
  "Statement": [
    {
      "Sid": "Stmt1641802481873",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::YOUR_ACCOUNT:role/YOUR_ROLE_NAME"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    }
  ]
}

  • Click “Save changes”
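The three documents above are normally pasted by hand from the Gamma “Generate Policies” button. The script below is an added example, not Creative Force's own code: it builds the same trust policy, role policy and bucket policy with the standard library only, tightens the role policy to the read-only or read-write case the page distinguishes (and emits the KMS statement only for SSE-KMS buckets), and lints a trust policy for the two mistakes that matter most here, trusting an account root instead of the single user and omitting the sts:ExternalId condition. The Creative Force account ID and user name are taken from this page; the function names, the bucket and role placeholders, and the Sid strings are this example's own.

```python
"""Generate and sanity-check the IAM documents for a Creative Force S3 role.

Added example (not Creative Force's own code). Stdlib only.
Constants below come from this page; everything else is illustrative.
"""
import json
from typing import Dict, List, Optional

CF_ACCOUNT_ID = "092392787187"                 # Creative Force AWS account ID (from the page)
CF_PRINCIPAL_USER = "CreativeForceCloudS3"     # user the page says to trust instead of :root


def trust_policy(external_id: str, trust_whole_account: bool = False) -> Dict:
    """Trust policy for the role. The console's "Require External ID" box is what
    produces the StringEquals condition; narrowing :root to a user is Step 3."""
    if not external_id:
        raise ValueError("external_id must not be empty")
    principal = (f"arn:aws:iam::{CF_ACCOUNT_ID}:root" if trust_whole_account
                 else f"arn:aws:iam::{CF_ACCOUNT_ID}:user/{CF_PRINCIPAL_USER}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def role_policy(bucket: str, write: bool, kms_key_arn: Optional[str] = None) -> Dict:
    """Inline permissions policy. write=False is the Data source (read-only) case,
    write=True the Asset Delivery case. KMS statement only for SSE-KMS buckets;
    reads need kms:Decrypt, uploads additionally need GenerateDataKey/Encrypt."""
    objects, bucket_arn = f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"
    statements: List[Dict] = [
        {"Sid": "ReadObjectS3", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion"], "Resource": objects},
        {"Sid": "ReadListS3", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": bucket_arn},
    ]
    if write:
        statements.append({"Sid": "UploadObjectS3", "Effect": "Allow",
                           "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": objects})
    if kms_key_arn:
        actions = ["kms:Decrypt"] + (["kms:Encrypt", "kms:GenerateDataKey"] if write else [])
        statements.insert(0, {"Sid": "KMS", "Effect": "Allow",
                              "Action": actions, "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def bucket_policy(your_account_id: str, role_name: str, bucket: str) -> Dict:
    """Bucket policy in the shape the page shows: principal is the role *name*
    in your own account, resource is the bucket ARN (bucket-level operations)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCreativeForceRole",           # illustrative Sid, not the page's
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{your_account_id}:role/{role_name}"},
            "Action": "s3:*",
            "Resource": f"arn:aws:s3:::{bucket}",
        }],
    }


def trust_policy_findings(policy: Dict) -> List[str]:
    """Lint a trust policy; an empty list means it matches what the page asks for."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        for p in principals:
            if p == "*" or p.endswith(":root"):
                findings.append(f"principal {p!r} trusts an entire account, not one identity")
            elif not p.startswith(f"arn:aws:iam::{CF_ACCOUNT_ID}:"):
                findings.append(f"principal {p!r} is not in the Creative Force account")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition: confused-deputy protection is missing")
    return findings


if __name__ == "__main__":
    # Constructed sample values; replace with your own bucket, account, role and key.
    print(json.dumps(trust_policy("my-shared-secret"), indent=2))
    print(json.dumps(role_policy("my-bucket", write=True,
                                 kms_key_arn="arn:aws:kms:eu-central-1:111122223333:key/KMS_ID"), indent=2))
    print(json.dumps(bucket_policy("111122223333", "CreativeForceS3Role", "my-bucket"), indent=2))
    print(trust_policy_findings(trust_policy("x", trust_whole_account=True)))
```

Run it to print the three documents for your values, or import it and call `trust_policy_findings()` on the JSON copied out of the role's “Trust relationships” tab after Step 3; anything it returns is something to fix before you rely on the role.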

Troubleshooting

  1. On “Delivery options” you can check the status of the new option to confirm the settings are correct.

  2. Delivery options may need list permission (s3:ListBucket on the bucket ARN), because Creative Force checks whether a file already exists before writing it.

  3. If the bucket's encryption is changed later (for example from SSE-S3 to SSE-KMS, or to a different KMS key), update both the Gamma setting and the role's inline policy so the KMS key ARN and permissions still match.