For external access to your [Simon Data hosted S3 bucket](🔗) please contact your Account Manager and provide your [AWS account number](🔗).

We'll create a role for your organization that can provide temporary credentials to principals within your account via [AWS’s Security Token Service](🔗).

Read/Write Access

Follow the steps in this guide to grant _both_ read and write access.

Once your Account Manager has shared the role ARN with you, follow the below steps to complete the setup.

# Prerequisites

  • An AWS account

  • Access to [manage IAM](🔗) to create a new policy

  • A [principal](🔗) which the new policy will be attached to. (This principal must have programmatic access enabled.)

# Setup account permissions to allow an AWS Principal to assume the Simon Data role

## Setup via the AWS Console

  1. Log in to the AWS console with a principal who has IAM administrator privileges

  2. Navigate to the IAM Console

  3. On the left-side menu, click **Policies**, then **Create Policy**

  4. Click the JSON tab, and paste the policy specified below in the JSON text box. (Update `role-arn` to the ARN we provided you.)

  1. Click **Next: Tags**, **Next: Review**

  2. Enter a policy name (i.e.`SimonDataCrossAccount`) and a description

  3. Click **create policy**

  4. On the **attach policy** page, select the principal you want to have access to the S3 bucket then click **attach policy**.

## Setup via the AWS Command Line Interface

  1. Log in to AWS via the CLI with a principal who has IAM administrator privileges.

  2. Run the following to create the `SimonDataCrossAccount` policy. (Update `role-arn` to the ARN we provided you.)

  1. Run the following to attach the policy to a role. (Update `role-example` to the role name we provided you with).

  1. To verify that the policy has been successfully attached to the IAM role, run the list-attached-role-policies command:

# Test Programmatic Access

  1. Log into your AWS account via the CLI with a principal who was granted the ability to assume the role.

  2. To assume the role, run this command.

  • Update `role-arn` to the ARN we provided you.

  • Update `AWSCLI-Session name` to an identifier (this will show in cloudtrail logs).

  1. Create three variables to assume the IAM role:

  1. Verify that you assumed the IAM role by running this command:

The AWS CLI command should output the ARN as `arn:aws:sts::709223122281:assumed-role/clientname_external_sts/AWSCLI-Session` which verifies that you assumed the `clientname_external_sts` role.

  1. Verify access to your S3 bucket by running the following command:

  1. To return to your previous IAM principal, remove the environment variables: