This guide explains how to set up a Creative Force connection to your S3 bucket using an IAM role, for either:
Data source
Asset Delivery
Both use the same setup steps; only the permissions differ:
Data source: Creative Force needs read permission.
Delivery options: Creative Force needs read and write permission.
Step 1. Setup on Your AWS Account
Create S3 Bucket
Create a new S3 bucket if needed.
Reference: Creating a bucket - Amazon Simple Storage Service
Setup S3 bucket encryption
Creative Force requires server-side encryption on your S3 bucket. Two methods are supported:
Amazon S3-managed keys (SSE-S3)
AWS KMS keys stored in AWS Key Management Service (AWS KMS) (SSE-KMS)
The following are not allowed:
No encryption
Client-side encryption
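As an added example (not Creative Force's own code), the Python below reads the JSON that `aws s3api get-bucket-encryption --bucket <name>` prints, applies the rule above, and extracts the KMS key ARN that Gamma asks for in Step 2 when SSE-KMS is used. The sample CLI output embedded in it is constructed; the key ARN and account ID in it are placeholders.

```python
"""Check a bucket's default encryption against Creative Force's requirement.

Added example, not Creative Force's code. Input is the JSON printed by
`aws s3api get-bucket-encryption --bucket <name>`; the sample below is
constructed with a placeholder account ID and key ID.
"""
import json

# Constructed sample of get-bucket-encryption output for an SSE-KMS bucket.
SAMPLE_SSE_KMS = json.dumps({
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:eu-west-1:111122223333:key/"
                                  "11111111-2222-3333-4444-555555555555",
            },
            "BucketKeyEnabled": True,
        }]
    }
})


def classify_encryption(config_json):
    """Map get-bucket-encryption output onto the article's rule.

    Returns ("SSE-S3", None), ("SSE-KMS", key_id) or ("unsupported", reason).
    key_id is whatever the rule names (ARN, key ID or alias); Gamma wants the
    ARN, so pass it through kms_arn_for_gamma(). A bucket with no default
    encryption makes the CLI call fail with
    ServerSideEncryptionConfigurationNotFoundError, which is the
    "No encryption" case the article rejects.
    """
    config = json.loads(config_json)
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ("unsupported", "no default encryption rule")
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    if algo == "AES256":
        return ("SSE-S3", None)
    if algo == "aws:kms":
        # KMSMasterKeyID is absent when the AWS managed key aws/s3 is in use.
        return ("SSE-KMS", default.get("KMSMasterKeyID"))
    return ("unsupported",
            f"SSEAlgorithm {algo!r} is not one of the two methods Creative Force accepts")


def kms_arn_for_gamma(key_id):
    """Return the value to paste into Gamma's "KMS ARN" field, or None when the
    rule names the key by ID or alias. In that case resolve it with
    `aws kms describe-key --key-id <id-or-alias>` and copy KeyMetadata.Arn."""
    if key_id and key_id.startswith("arn:aws:kms:") and ":key/" in key_id:
        return key_id
    return None


if __name__ == "__main__":
    kind, key = classify_encryption(SAMPLE_SSE_KMS)
    print(kind, kms_arn_for_gamma(key))
```

Run it against real output by piping the CLI result into `classify_encryption`; if it returns `"unsupported"`, fix the bucket's default encryption before continuing with the IAM role.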
Setup IAM Role on your account
Create a new role with the trusted entity type “Another AWS account”.
Enter the settings:
Account ID: 092392787187 (this is the Creative Force account ID)
Require External ID: check this and enter a shared secret (free text). You will enter the same value in Gamma; Creative Force must present it when assuming the role, which protects the role against the confused-deputy problem.
Require MFA: leave unchecked; Creative Force does not support this option.
Note:
As documented for the AssumeRole API, the External ID must satisfy these constraints:
Type: String
Length Constraints: Minimum length of 2. Maximum length of 1224.
Pattern:
[\w+=,.@:\/-]*
Click “Next: Permissions”
On the “Permissions” page, do not attach any policy yet; the role policy is added in Step 3.
Click “Next: Tags”
Add some tags if you want
Click “Next: Review”
Enter “Role name”
Click “Create role”
Step 2. Setup on Gamma
You create a “Delivery option” or “Data source” as usual. Most fields are the same; the differences when using the authentication type “IAM role” are:
Authentication Type: choose “IAM Role”
Server Encryption Type: choose “AWS KMS Encryption” or “AWS S3 Encryption”
If the type is “AWS KMS Encryption”, you also need to enter the “KMS ARN” of the key chosen in the "Setup S3 bucket encryption" section of this article.
Role ARN: the ARN of the role created in the "Setup IAM Role on your account" section of this article.
External ID: the same value you entered for Require External ID in the "Setup IAM Role on your account" section of this article. Creative Force presents it when it assumes the role, so the two values must match exactly.
Bucket: the name of the S3 bucket created in the "Create S3 Bucket" section of this article.
Step 3. Back to your AWS Account to set up the policies
Tip: after adding the new “Data source” or “Delivery option”, open its edit slide-in again and use the “Generate Policies” button. It gives you copies of all the policies you need to set up on your AWS account.
Role Policy
Purpose: this inline policy grants the role permission to use the KMS key (SSE-KMS only) and to access the S3 bucket.
To edit it, go to Roles, choose the role and open its detail page.
On the “Permissions” tab click “Add inline policy”.
Choose the JSON editor and enter a policy like the one below (copy the exact JSON from the Gamma settings):
{ |
Edit IAM Role Trust Relationship
Purpose: narrow the trust from the whole Creative Force AWS account to the single Creative Force IAM user that assumes your role.
Go to the detail page of the new role:
Open the “Trust relationships” tab
Click “Edit trust relationship”
Update "arn:aws:iam::092392787187:root" to "arn:aws:iam::092392787187:user/CreativeForceCloudS3". Leave the sts:ExternalId condition that the console added in place.
Click “Update Trust Policy”
Setup S3 Bucket Policy
Navigate to your S3 bucket
Open the “Permissions” tab
In the “Bucket policy” section click “Edit”
Edit the policy so that it looks like the example below (copy the exact JSON from the Gamma screen):
{ |
Click “Save changes”
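The Python below is an added example (not Creative Force's code and not the JSON that Gamma generates) covering the IAM settings from "Setup IAM Role on your account" in Step 1 and the three documents in Step 3. It validates an External ID against the AssumeRole constraints quoted above, builds a trust policy scoped to the CreativeForceCloudS3 user, flags the two weaknesses the Step 3 trust-relationship edit exists to remove (trusting the whole account via `:root`, and a missing `sts:ExternalId` condition), and builds read-only versus read/write/list statements for the role policy and bucket policy. The account ID 092392787187 and the user name come from the article; the specific IAM actions, the sample External ID, the role ARN with account 111122223333, the bucket name and the KMS key ARN are assumptions or constructed placeholders. Use it to understand and review the policies, then paste the ones generated by Gamma.

```python
"""Build and sanity-check the IAM documents for a Creative Force S3 connection.

Added example; this is not Creative Force's own code. The Creative Force
account ID (092392787187) and the principal user (CreativeForceCloudS3) are
taken from the article. The individual policy statements are illustrative
assumptions: copy the real JSON from the "Generate Policies" button in Gamma.
"""
import json
import re

CF_ACCOUNT_ID = "092392787187"
CF_PRINCIPAL = f"arn:aws:iam::{CF_ACCOUNT_ID}:user/CreativeForceCloudS3"

# ExternalId constraints from the AssumeRole API, as quoted in the article.
# re.ASCII keeps \w to [A-Za-z0-9_], matching the AWS pattern.
EXTERNAL_ID_RE = re.compile(r"[\w+=,.@:/-]*", re.ASCII)


def validate_external_id(external_id):
    """True if the value satisfies the AssumeRole ExternalId constraints."""
    return 2 <= len(external_id) <= 1224 and EXTERNAL_ID_RE.fullmatch(external_id) is not None


def trust_policy(external_id):
    """Trust policy after the Step 3 edit: only the Creative Force user may
    assume the role, and only when it presents the agreed External ID."""
    if not validate_external_id(external_id):
        raise ValueError("External ID violates AssumeRole constraints")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": CF_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_problems(doc):
    """Flag what the Step 3 trust-relationship edit is meant to prevent:
    trusting the whole Creative Force account (:root) and a missing
    sts:ExternalId condition."""
    problems = []
    for stmt in doc.get("Statement", []):
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if any(p.endswith(":root") for p in principals):
            problems.append("principal is the whole account; use " + CF_PRINCIPAL)
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            problems.append("no sts:ExternalId condition")
    return problems


def access_statements(bucket, mode, kms_key_arn=None, principal=None):
    """Statements for the access the article describes (actions are assumed).
    mode="data_source" is read-only; mode="delivery" adds write, plus list
    (the Troubleshooting section notes delivery may need it to check whether
    a file exists). kms_key_arn is only needed for SSE-KMS buckets. With
    principal=None the statements suit the role's inline policy; with the
    role ARN they suit the bucket policy."""
    if mode not in ("data_source", "delivery"):
        raise ValueError("mode must be 'data_source' or 'delivery'")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_actions = ["s3:GetObject"]
    kms_actions = ["kms:Decrypt"]
    statements = []
    if mode == "delivery":
        object_actions.append("s3:PutObject")
        kms_actions.append("kms:GenerateDataKey")  # needed to write SSE-KMS objects
        statements.append({"Effect": "Allow", "Action": "s3:ListBucket", "Resource": bucket_arn})
    statements.append({"Effect": "Allow", "Action": object_actions, "Resource": bucket_arn + "/*"})
    if kms_key_arn and principal is None:
        # KMS permissions are granted in the role policy (or key policy), never in a bucket policy.
        statements.append({"Effect": "Allow", "Action": kms_actions, "Resource": kms_key_arn})
    if principal:
        for stmt in statements:
            stmt["Principal"] = {"AWS": principal}
    return statements


def role_policy(bucket, mode, kms_key_arn=None):
    """Inline policy for the role (Step 3, "Role Policy")."""
    return {"Version": "2012-10-17", "Statement": access_statements(bucket, mode, kms_key_arn)}


def bucket_policy(bucket, mode, role_arn):
    """Bucket policy allowing the role (Step 3, "Setup S3 Bucket Policy")."""
    return {"Version": "2012-10-17",
            "Statement": access_statements(bucket, mode, principal=role_arn)}


if __name__ == "__main__":
    # Constructed sample values; replace with your own.
    ext_id = "cf-pair-key_2024"
    role_arn = "arn:aws:iam::111122223333:role/CreativeForceS3Access"
    kms_arn = "arn:aws:kms:eu-west-1:111122223333:key/11111111-2222-3333-4444-555555555555"
    print(json.dumps(trust_policy(ext_id), indent=2))
    print(json.dumps(role_policy("my-delivery-bucket", "delivery", kms_arn), indent=2))
    print(json.dumps(bucket_policy("my-delivery-bucket", "delivery", role_arn), indent=2))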
Troubleshooting
On “Delivery options” you can check status of the new options to see if the setting is correct
Delivery options may need Listing-permission when we need to check if a file exists or not.
In case Encryption is updated, we need to consider updating the IAM Role Policy to match.