Setup for S3 connection using IAM Role
Written by Ian Mitchell

This guide explains how to set up a Creative Force connection to the customer's S3 bucket using an IAM role for:

  • Data source

  • Asset Delivery

Both follow the same setup steps; only the permissions differ:

  • Data source: Creative Force needs read permission.

  • Delivery options: Creative Force needs read and write permission.

Step 1. Setup on Your AWS Account

Create S3 Bucket

Create a new S3 bucket if needed.

Setup S3 bucket encryption

Creative Force requires server-side encryption on your S3 bucket. Two methods are supported:

  • Amazon S3-managed keys (SSE-S3)

  • AWS KMS keys stored in AWS Key Management Service (AWS KMS) (SSE-KMS)

We do not allow:

  • No encryption

  • Client side encryption

Setup IAM Role on your account

  • Create a new role with the trusted entity type “Another AWS account”

  • Enter the settings:

  1. Account ID: 092392787187 (this is Creative Force's AWS account ID)

  2. Require External ID: a free-text shared key (you will enter the same value in Gamma) that increases the security of your role

  3. Require MFA: We do not support this option.

Note:

As documented for AssumeRole, the External ID must follow these rules:

  • Type: String

  • Length Constraints: Minimum length of 2. Maximum length of 1224.

  • Pattern: [\w+=,.@:\/-]*

  • Click “Next: Permission”

  • Skip the “Permissions” step for now; you will come back to it in Step 3.

  • Click “Next: Tags”

  • Add some tags if you want

  • Click “Next: Review”

  • Enter “Role name”

  • Click “Create role”

Step 2. Setup on Gamma

Create the “Delivery option” or “Data source” as usual. Most fields are the same; the differences when using the authentication type “IAM role” are:

  1. Authentication Type: choose “IAM Role”

  2. Server Encryption Type: choose “AWS KMS Encryption” or “AWS S3 Encryption”

    1. If the type is “AWS KMS Encryption”, enter the “KMS ARN” of the key created in the "Setup S3 bucket encryption" section of this article

  3. Role ARN: the ARN of the role created in the "Setup IAM Role on your account" section of this article.

  4. External ID: the key entered when creating the role (see the "Setup IAM Role on your account" section of this article); Creative Force presents it when assuming the role to reach your bucket.

  5. Bucket: the name of the S3 bucket created in the "Create S3 Bucket" section of this article

Step 3. Back to your AWS Account to setup policy

Tip: After adding the new “Data source” or “Delivery option”, open the edit slide-in again and click the “Generate Policies” button to copy the policy examples you need to set up in your AWS account.

Role Policy

Purpose: This policy grants the role permission to use the KMS key and to access the S3 bucket.

  • Go to Roles, choose the role and open its detail page

  • On the “Permissions” tab click “Add inline policy”

  • Choose the JSON editor and enter a policy like the one below (you can copy this JSON from the Gamma settings):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KMS",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "arn:aws:kms:eu-central-1:YOUR_ACCOUNT:key/KMS_ID"
      ]
    },
    {
      "Sid": "UploadObjectS3",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME/*",
        "arn:aws:s3:::BUCKET_NAME"
      ]
    },
    {
      "Sid": "ReadObjectS3",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME/*",
        "arn:aws:s3:::BUCKET_NAME"
      ]
    },
    {
      "Sid": "ReadListS3",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    }
  ]
}

Edit IAM Role Trust Relationship

Purpose: The trust relationship lets the Creative Force AWS account assume your IAM role, and through it grants Creative Force access to your S3 bucket.

Go to the detail page of the new role:

  • Open tab “Trust relationships”

  • Click “Edit trust relationship”

  • Replace "arn:aws:iam::092392787187:root" with "arn:aws:iam::092392787187:user/CreativeForceCloudS3", so that only that IAM user, rather than the whole Creative Force account, can assume the role

  • Click “Update Trust Policy”

Setup S3 Bucket Policy

  • Navigate to your S3 bucket

  • Open the “Permissions” tab

  • In the “Bucket Policy” section click “Edit”

  • Edit the policy so it looks like the example below (copy this JSON from the Gamma screen)

  • Click “Save changes”

{
  "Version": "2012-10-17",
  "Id": "Policy1641802481873",
  "Statement": [
    {
      "Sid": "Stmt1641802481873",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::YOUR_ACCOUNT:role/YOUR_ROLE_ARN"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::BUCKET_NAME"
    }
  ]
}
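As an added check before saving these documents in AWS (example code written for this article, not part of Creative Force's product or of the AWS console), the script below validates the External ID against the rules listed in Step 1 and audits the three documents from Step 3: the trust relationship must name the CreativeForceCloudS3 user rather than the account root and carry an sts:ExternalId condition matching the value entered in Gamma; the role policy must grant exactly the S3 actions the connection type needs (read only for a Data source, read and write for a Delivery option); and the bucket policy is checked for wildcard actions so it can be tightened to the same explicit actions as the role. The role and bucket policies are the examples from this article with their placeholders left in; the trust relationship is a constructed sample of what the console writes after the edit above (the "Require External ID" checkbox adds the sts:ExternalId condition); the connection-type labels data_source and delivery, the sample External ID and all function names are this example's own.

```python
import re

# External ID constraints quoted in the guide (from the AssumeRole API).
EXTERNAL_ID_RE = re.compile(r"[\w+=,.@:/-]*", re.ASCII)
EXTERNAL_ID_MIN, EXTERNAL_ID_MAX = 2, 1224

# Principal the guide puts in the trust relationship (Creative Force's account).
EXPECTED_PRINCIPAL = "arn:aws:iam::092392787187:user/CreativeForceCloudS3"

# S3 actions from the guide's role policy, grouped by connection type.
READ_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"}
WRITE_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl"}
REQUIRED_ACTIONS = {"data_source": READ_ACTIONS,               # Data source: read only
                    "delivery": READ_ACTIONS | WRITE_ACTIONS}   # Delivery option: read and write


def as_list(value):
    """IAM accepts a string or a list in Action/Principal fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def external_id_ok(external_id):
    """True if the value meets the length and character rules listed in the guide."""
    return (EXTERNAL_ID_MIN <= len(external_id) <= EXTERNAL_ID_MAX
            and EXTERNAL_ID_RE.fullmatch(external_id) is not None)


def check_trust_policy(doc, external_id):
    """Findings for the trust relationship; an empty list means it matches the guide."""
    findings = []
    for stmt in doc["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        principals = as_list(stmt.get("Principal", {}).get("AWS", []))
        if any(p.endswith(":root") for p in principals):
            findings.append("trusts the whole account (:root); the guide narrows this to one user")
        if EXPECTED_PRINCIPAL not in principals:
            findings.append("principal is not " + EXPECTED_PRINCIPAL)
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or differs from the value entered in Gamma")
    return findings


def check_role_policy(doc, connection_type):
    """Compare the S3 actions the role policy grants with what the connection type needs."""
    granted = set()
    for stmt in doc["Statement"]:
        if stmt.get("Effect") == "Allow":
            granted |= {a for a in as_list(stmt["Action"]) if a.startswith("s3:")}
    required = REQUIRED_ACTIONS[connection_type]
    return {"missing": sorted(required - granted), "extra": sorted(granted - required)}


def check_bucket_policy(doc):
    """Flag wildcard grants so the bucket policy can be tightened to the role's explicit actions."""
    return [f"{stmt.get('Sid')}: wildcard action {action}"
            for stmt in doc["Statement"] if stmt.get("Effect") == "Allow"
            for action in as_list(stmt.get("Action", [])) if action.endswith("*")]


# Constructed sample inputs: the guide's two policies (placeholders left in) and a
# trust relationship as the console writes it after the edit in Step 3.
EXTERNAL_ID = "constructed-external-id-0142"   # constructed sample, not a real value
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": EXPECTED_PRINCIPAL}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KMS", "Effect": "Allow", "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"],
     "Resource": ["arn:aws:kms:eu-central-1:YOUR_ACCOUNT:key/KMS_ID"]},
    {"Sid": "UploadObjectS3", "Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
     "Resource": ["arn:aws:s3:::BUCKET_NAME/*", "arn:aws:s3:::BUCKET_NAME"]},
    {"Sid": "ReadObjectS3", "Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
     "Resource": ["arn:aws:s3:::BUCKET_NAME/*", "arn:aws:s3:::BUCKET_NAME"]},
    {"Sid": "ReadListS3", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::BUCKET_NAME"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Id": "Policy1641802481873", "Statement": [{
    "Sid": "Stmt1641802481873", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::YOUR_ACCOUNT:role/YOUR_ROLE_ARN"},
    "Action": "s3:*", "Resource": "arn:aws:s3:::BUCKET_NAME"}]}


def audit(connection_type):
    """Run every check for one connection type ("data_source" or "delivery")."""
    return {"external_id_ok": external_id_ok(EXTERNAL_ID),
            "trust": check_trust_policy(TRUST_POLICY, EXTERNAL_ID),
            "role": check_role_policy(ROLE_POLICY, connection_type),
            "bucket": check_bucket_policy(BUCKET_POLICY)}


if __name__ == "__main__":
    for kind in REQUIRED_ACTIONS:
        print(kind, audit(kind))
```

Run against the article's own role policy, the audit reports no missing or extra S3 actions for a Delivery option and two extra write actions for a Data source, which is the read-only profile the introduction asks for; the bucket policy's s3:* is reported as a wildcard so you can decide whether to list the explicit actions instead.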

Troubleshooting

  1. On “Delivery options” you can check the status of the new option to confirm the settings are correct.

  2. Delivery options may need list permission (s3:ListBucket), because Creative Force checks whether a file already exists before writing it.

  3. If the bucket encryption is changed later, update the IAM role policy (for example the KMS key ARN) to match.
