This article will walk through the required permissions to set up Role-Based Access Control (RBAC) to connect Upsolver to an S3 bucket in an external account.
In your primary account, Upsolver will have created a role that the Upsolver servers use to access data. This role should have an ARN similar to this:
arn:aws:iam::<your-aws-account-id>:role/upsolver-role-<your-upsolver-account-id>
Within your primary account, this role will need permission to assume roles in the other account(s). To do this, attach a policy like the following to that role in your primary account, replacing 'PROD_ACCOUNT_ROLE' with the ARN of the role in the external account that has permission to access the data you wish to read.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "PROD_ACCOUNT_ROLE"
    }
  ]
}
Next, set up a trust relationship on the role in the external account that allows the upsolver-role from your primary account to assume it. That trust relationship should look like the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<primary-aws-account-no>:role/upsolver-role-<upsolver-account-id>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "upsolver"
        }
      }
    }
  ]
}
(The external ID condition is optional. If you keep it, make sure to enter the same external ID when creating the connection in Upsolver; it is the check that stops a third party who only knows the role ARN from having Upsolver assume the role on their behalf.)
With the trust relationship and permissions added, you can then add a New Connection in Upsolver and select Role-Based authentication. The ARN you enter should be the ARN of the role in the external account, not the upsolver-role in your primary account.
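As an added example (not part of the original article or Upsolver's own tooling), the following Python builds the two policy documents described above from constructed account and role values and cross-checks them before anything is applied: the primary-account policy must allow sts:AssumeRole on the external role, the external trust policy must name the exact upsolver-role ARN (not a wildcard or account root), and the sts:ExternalId condition, if present, must match what will be entered in the connection. All ARNs and account IDs here are made-up placeholders.

```python
import json

# Constructed example values; substitute your own ARNs.
PRIMARY_ROLE_ARN = "arn:aws:iam::111111111111:role/upsolver-role-42"
EXTERNAL_ROLE_ARN = "arn:aws:iam::222222222222:role/upsolver-data-reader"


def primary_assume_policy(external_role_arn):
    """Policy attached to the upsolver-role in the primary account (same shape as the article)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": external_role_arn}]}


def external_trust_policy(primary_role_arn, external_id="upsolver"):
    """Trust policy on the data-access role in the external account (same shape as the article)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": primary_role_arn}, "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_pairing(primary_policy, trust_policy, primary_role_arn, external_role_arn, external_id):
    """Return a list of findings; an empty list means both halves agree and the trust is tightly scoped."""
    findings = []
    allowed = [s for s in primary_policy["Statement"]
               if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not any(external_role_arn in _as_list(s.get("Resource", [])) for s in allowed):
        findings.append(f"primary account: no Allow of sts:AssumeRole on {external_role_arn}")
    for s in trust_policy["Statement"]:
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action", [])):
            continue
        principal = s.get("Principal", {})
        principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        if "*" in principals:
            findings.append("external account: trust policy allows any AWS principal (*)")
        if primary_role_arn not in principals:  # also catches the bare account root
            findings.append(f"external account: principal is not {primary_role_arn}")
        cond = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if cond is None:
            findings.append("external account: no sts:ExternalId condition; the connection's external ID is not checked")
        elif cond != external_id:
            findings.append(f"external account: sts:ExternalId is {cond!r} but the connection uses {external_id!r}")
    return findings


if __name__ == "__main__":
    primary = primary_assume_policy(EXTERNAL_ROLE_ARN)
    trust = external_trust_policy(PRIMARY_ROLE_ARN)
    print(json.dumps(primary, indent=2))
    print(json.dumps(trust, indent=2))
    print(check_pairing(primary, trust, PRIMARY_ROLE_ARN, EXTERNAL_ROLE_ARN, "upsolver") or "OK")
```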