GCP Cross-Account Access to Simon Data hosted S3 Bucket
For external access to your Simon Data hosted S3 bucket, please contact your Account Manager and follow the steps in this guide to set up access.
We'll create a role for your organization that can provide temporary credentials to principals within your account via AWS's Security Token Service (STS). Your Google Service Account can then assume the AWS role with STS.
Follow the steps in this guide to grant both read and write access.
- A GCP account
- A Google Service Account
- Access to manage IAM and Service Accounts within GCP
- Instance/Machine/Kubernetes cluster attached to the Service Account
- Enable OAuth for the service account you want to use.
- Give the OAuth Client ID to your account manager.
- The Simon Data Security team will set up the S3 access and send back an AWS role ARN for your service account to assume.
Test Programmatic Access
Log into your GCP account via the CLI with the service account.
Run the following command to obtain a session token to assume the role within AWS:
aws sts assume-role-with-web-identity --role-arn arn:aws:iam::709223122281:role/clientname_external_sts --role-session-name <testsession> --web-identity-token "$(curl -s -H 'Metadata-Flavor: Google' 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/<service-account>.iam.gserviceaccount.com/identity?audience=<audiencename>')" | jq .Credentials
Before running it:
- Set role-arn to the ARN provided by Simon Data.
- Set audience to an identifier of your choosing (this value will show in CloudTrail and GCP audit logs).
- Update the metadata URI to include your service account.
The response's Credentials object includes an AccessKeyId, SecretAccessKey and SessionToken. These are short-lived credentials (valid for between 15 minutes and 1 hour).
Create three environment variables from the response to assume the IAM role: AWS_ACCESS_KEY_ID from AccessKeyId, AWS_SECRET_ACCESS_KEY from SecretAccessKey and AWS_SESSION_TOKEN from SessionToken.
Alternatively, wrap the command in step 2 as follows so that jq emits the export lines and the shell evaluates them, skipping this step:
eval "$(aws sts assume-role-with-web-identity --role-arn arn:aws:iam::709223122281:role/clientname_external_sts --role-session-name <testsession> --web-identity-token "$(curl -s -H 'Metadata-Flavor: Google' 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/<service-account>.iam.gserviceaccount.com/identity?audience=<audiencename>')" | jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)\nexport AWS_SESSION_TOKEN=\(.SessionToken)\n"')"
Verify that you assumed the IAM role by running this command:
aws sts get-caller-identity
The AWS CLI command should output an ARN of the form arn:aws:sts::709223122281:assumed-role/clientname_external_sts/AWSCLI-Session (the final segment is the value you passed to --role-session-name), which verifies that you assumed the
Verify access to your S3 bucket by running the following command:
aws s3 ls s3://clientname.simondata.com/
To remove the AWS credentials, unset the environment variables:
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
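If the assume-role-with-web-identity call in step 2 is rejected, the claims inside the identity token are what the AWS role's trust policy evaluates, so checking them locally is the quickest diagnosis. The following is an added example, not Simon Data's code or part of this guide; it assumes the metadata endpoint and placeholders shown above, uses only the Python standard library, and its unsigned_jwt helper exists only to build a constructed token for offline testing.

```python
import base64
import json
import time
import urllib.request

# Metadata-server endpoint from step 2; the token it returns is an OIDC JWT signed by Google.
METADATA_URL = ("http://metadata.google.internal/computeMetadata/v1/instance/"
                "service-accounts/{sa}/identity?audience={aud}")

def fetch_identity_token(service_account, audience):
    """Fetch an identity token for the attached service account (works on GCE/GKE only)."""
    req = urllib.request.Request(METADATA_URL.format(sa=service_account, aud=audience),
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode().strip()

def decode_claims(token):
    """Decode the JWT payload; no signature check here, AWS verifies it against Google's keys."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding stripped from the token
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, audience, service_account, now=None):
    """Return the reasons the role trust policy would reject this token ([] means it looks good)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("aud") != audience:  # must match the audience= value in the metadata URI
        problems.append(f"aud {claims.get('aud')!r} != requested audience {audience!r}")
    if claims.get("email") != service_account:
        problems.append(f"email {claims.get('email')!r} != {service_account!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired; fetch a fresh one before calling STS")
    return problems

def unsigned_jwt(claims):
    """Constructed, signature-less JWT used only to exercise the checks above offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

if __name__ == "__main__":  # run on the GCE/GKE instance; placeholders as in the guide
    sa, aud = "<service-account>.iam.gserviceaccount.com", "<audiencename>"
    for p in check_claims(decode_claims(fetch_identity_token(sa, aud)), aud, sa):
        print("problem:", p)
```

An empty problem list means the token carries the audience and service-account email the trust policy expects; a non-empty one points at the mismatch to fix on the GCP side or in the role's trust policy.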