AWS Cross-Account Access to Simon Data hosted S3 Bucket

For external access to your Simon Data hosted S3 bucket, please contact your Account Manager and provide your AWS account number.

We'll create a role for your organization that can provide temporary credentials to principals within your account via AWS’s Security Token Service.

Read/Write Access

Follow the steps in this guide to grant both read and write access.

Once your Account Manager has shared the role ARN with you, follow the steps below to complete the setup.

Prerequisites

  • An AWS account
  • Access to manage IAM to create a new policy
  • A principal which the new policy will be attached to. (This principal must have programmatic access enabled.)

Set up account permissions to allow an AWS principal to assume the Simon Data role

Setup via the AWS Console

  1. Log in to the AWS console with a principal who has IAM administrator privileges
  2. Navigate to the IAM Console
  3. On the left-side menu, click Policies, then Create Policy
  4. Click the JSON tab, and paste the policy specified below in the JSON text box. (Update role-arn to the ARN we provided you.)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAssumeRole",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::709223122281:role/clientname_external_sts"
            ]
        }
    ]
}
  5. Click Next: Tags, then Next: Review
  6. Enter a policy name (e.g. SimonDataCrossAccount) and a description
  7. Click Create policy
  8. On the attach policy page, select the principal you want to have access to the S3 bucket, then click Attach policy.

Setup via the AWS Command Line Interface

  1. Log in to AWS via the CLI with a principal who has IAM administrator privileges.
  2. Run the following to create the SimonDataCrossAccount policy. (Update role-arn to the ARN we provided you.)
aws iam create-policy \
    --policy-name SimonDataCrossAccount \
    --policy-document \
'{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAssumeRole",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::709223122281:role/clientname_external_sts"
            ]
        }
    ]
}'
  3. Run the following to attach the policy to the IAM role that will assume the Simon Data role. (Use the policy ARN printed by the create-policy command above, i.e. replace <your-account-id> with your own AWS account number, and replace role-example with the name of your role.)
aws iam attach-role-policy \
    --policy-arn arn:aws:iam::<your-account-id>:policy/SimonDataCrossAccount \
    --role-name role-example
  4. To verify that the policy has been successfully attached to the IAM role, run the list-attached-role-policies command:
aws iam list-attached-role-policies --role-name role-example

Test Programmatic Access

  1. Log into your AWS account via the CLI with a principal who was granted the ability to assume the role.
  2. To assume the role, run this command.
  • Update role-arn to the ARN we provided you.
  • Update AWSCLI-Session to a session name that identifies the caller (this will show in CloudTrail logs).
aws sts assume-role \
    --role-arn "arn:aws:iam::709223122281:role/clientname_external_sts" \
    --role-session-name AWSCLI-Session
  3. Create three environment variables from the Credentials block of the assume-role output (AccessKeyId, SecretAccessKey and SessionToken):
export AWS_ACCESS_KEY_ID=RoleAccessKeyID
export AWS_SECRET_ACCESS_KEY=RoleSecretKey
export AWS_SESSION_TOKEN=RoleSessionToken
  4. Verify that you assumed the IAM role by running this command:
aws sts get-caller-identity

The AWS CLI command should output the ARN as arn:aws:sts::709223122281:assumed-role/clientname_external_sts/AWSCLI-Session which verifies that you assumed the clientname_external_sts role.

  5. Verify access to your S3 bucket by running the following command:
aws s3 ls s3://clientname.simondata.com/
  6. To return to your previous IAM principal, remove the environment variables:
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
aws sts get-caller-identity
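The steps above leave it to the operator to copy the three credential values out of the assume-role output and to eyeball the get-caller-identity ARN. As an added example (not Simon Data's own tooling), the following POSIX shell functions do that on a constructed sample of the assume-role JSON: they export the temporary credentials, report when they expire, compute the assumed-role ARN that get-caller-identity should return for a given role ARN and session name, and check that the two match before any S3 command is run. The account number, role name and session name are the ones used on this page; the credential strings in the sample are made-up placeholders.

```shell
# Constructed sample of `aws sts assume-role ... --output json` output.
# Credential values are made-up placeholders, not real AWS credentials.
SAMPLE_ASSUME_ROLE_JSON='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0001",
        "SecretAccessKey": "EXAMPLESECRETKEY/placeholder/not+real",
        "SessionToken": "EXAMPLE-SESSION-TOKEN-placeholder",
        "Expiration": "2024-01-01T12:00:00+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEROLEID:AWSCLI-Session",
        "Arn": "arn:aws:sts::709223122281:assumed-role/clientname_external_sts/AWSCLI-Session"
    }
}'

# Extract one string-valued field ($2) from pretty-printed JSON ($1).
# Works for the AWS CLI's default JSON layout (one "key": "value" per line).
json_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Derive the ARN that get-caller-identity reports once a role is assumed:
# arn:aws:sts::ACCOUNT:assumed-role/ROLE_NAME/SESSION_NAME.
# The account number is the 5th colon-separated ARN field; the role name is
# the last path element (any IAM role path is dropped in the STS ARN).
expected_caller_arn() {
    account=$(printf '%s' "$1" | cut -d: -f5)
    role_name=${1##*/}
    printf 'arn:aws:sts::%s:assumed-role/%s/%s' "$account" "$role_name" "$2"
}

# Export the temporary credentials from assume-role JSON ($1) and print the
# expiry so the operator knows when the session stops working.
# Usage: export_assumed_credentials "$(aws sts assume-role --role-arn "$ROLE_ARN" \
#            --role-session-name "$SESSION" --output json)"
export_assumed_credentials() {
    AWS_ACCESS_KEY_ID=$(json_field "$1" AccessKeyId)
    AWS_SECRET_ACCESS_KEY=$(json_field "$1" SecretAccessKey)
    AWS_SESSION_TOKEN=$(json_field "$1" SessionToken)
    [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ] && [ -n "$AWS_SESSION_TOKEN" ] || return 1
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    echo "Temporary credentials exported; they expire at $(json_field "$1" Expiration)"
}

# Compare the "Arn" in JSON ($1, from assume-role or get-caller-identity)
# with the ARN expected for role ARN $2 and session name $3; non-zero on mismatch.
verify_assumed_role() {
    actual=$(json_field "$1" Arn)
    [ "$actual" = "$(expected_caller_arn "$2" "$3")" ]
}
```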
