For external access to your SimonData hosted S3 bucket please contact your Account Manager and follow the steps in the guide to setup.

We'll create a role for your organization that can provide temporary credentials to principals within your account via [AWS’s Security Token Service](🔗). Your Google Service Account can then assume the AWS role with STS `AssumeRoleWithWebIdentity`.

Read/Write Access

Follow the steps in this guide to grant _both_ read and write access.

# Prerequisites

  • A [GCP account](🔗)

  • A [Google Service Account](🔗)

  • Access to [manage IAM with / Service Accounts](🔗) within GCP

  • Instance/Machine/Kubernetes cluster attached to the Service Account

# Setup

  1. Enable OAuth for the service account you want to use.

  2. Give the OAuth Client ID to your account manager.

  3. The Simon Data Security team will setup the S3 access and send back an AWS ARN for your service account to assume.

# Test Programmatic Access

  1. Log into your GCP account via the CLI with the service account.

  2. Run the following command to obtain a session token to assume the role within AWS:

(Script tags will be stripped)

  1. The request returns a response that includes an `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`. These will be short lived credentials (limited to 15 mins to 1 hour).

  2. Create three variables to assume the IAM role:

(Script tags will be stripped)

Alternatively the following can be appended to the command in step 2, to skip this step: `| "export AWS_ACCESS_KEY_ID=(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=(.SecretAccessKey)\nexport AWS_SESSION_TOKEN=(.SessionToken)\n"')`

  1. Verify that you assumed the IAM role by running this command: `aws sts get-caller-identity` The AWS CLI command should output the ARN as `arn:aws:sts::709223122281:assumed-role/clientname_external_sts/AWSCLI-Session` which verifies that you assumed the `clientname_external_sts` role.

  2. Verify access to your S3 bucket by running the following command: `aws s3 ls s3://`

  3. To remove the AWS credentials, remove the environment variables: `unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN`