For external access to your Simon Data hosted S3 bucket please contact your Account Manager and provide your AWS account number.

We'll create a role for your organization that can provide temporary credentials to principals within your account via AWS’s Security Token Service.

📘
Read/Write Access
Follow the steps in this guide to grant both read and write access.

Once your Account Manager has shared the role ARN with you, follow the below steps to complete the setup.

Prerequisites

An AWS account
Access to manage IAM to create a new policy
A principal which the new policy will be attached to. (This principal must have programmatic access enabled.)

Setup account permissions to allow an AWS Principal to assume the Simon Data role

Setup via the AWS Console

Log in to the AWS console with a principal who has IAM administrator privileges
Navigate to the IAM Console
On the left-side menu, click Policies, then Create Policy
Click the JSON tab, and paste the policy specified below in the JSON text box. (Update role-arn to the ARN we provided you.)

{
    "Version": "2012-10-17",
    "Statement": [
        {
			"Sid": "AllowAssumeRole",
    		"Effect": "Allow",
    		"Action": [
				"sts:AssumeRole"
			],
    		"Resource": [
				"arn:aws:iam::709223122281:role/clientname_external_sts"
			]
  		}
	]
}

Click Next: Tags, Next: Review
Enter a policy name (i.e.SimonDataCrossAccount) and a description
Click create policy
On the attach policy page, select the principal you want to have access to the S3 bucket then click attach policy.

Setup via the AWS Command Line Interface

Log in to AWS via the CLI with a principal who has IAM administrator privileges.
Run the following to create the SimonDataCrossAccount policy. (Update role-arn to the ARN we provided you.)

aws iam create-policy \
    --policy-name SimonDataCrossAccount \
    --policy-document \
'{
    "Version": "2012-10-17",
    "Statement": [
        {
			"Sid": "AllowAssumeRole",
    		"Effect": "Allow",
    		"Action": [
				"sts:AssumeRole"
			],
    		"Resource": [
				"arn:aws:iam::709223122281:role/clientname_external_sts"
			]
  		}
	]
}'

Run the following to attach the policy to a role. (Update role-example to the role name we provided you with).

aws iam attach-role-policy 
--policy-arn arn:aws:iam::aws:policy/SimonDataCrossAccount 
--role-name role-example

To verify that the policy has been successfully attached to the IAM role, run the list-attached-role-policies command:

aws iam list-attached-role-policies --role-name role-example

Test Programmatic Access

Log into your AWS account via the CLI with a principal who was granted the ability to assume the role.
To assume the role, run this command.

Update role-arn to the ARN we provided you.
Update AWSCLI-Session name to an identifier (this will show in cloudtrail logs).

aws sts assume-role 
--role-arn "arn:aws:iam::709223122281:role/clientname_external_sts" 
--role-session-name AWSCLI-Session

Create three variables to assume the IAM role:

export AWS_ACCESS_KEY_ID=RoleAccessKeyID
export AWS_SECRET_ACCESS_KEY=RoleSecretKey
export AWS_SESSION_TOKEN=RoleSessionToken

Verify that you assumed the IAM role by running this command:

aws sts get-caller-identity

The AWS CLI command should output the ARN as arn:aws:sts::709223122281:assumed-role/clientname_external_sts/AWSCLI-Session which verifies that you assumed the clientname_external_sts role.

Verify access to your S3 bucket by running the following command:

aws s3 ls s3://clientname.simondata.com/

To return to your previous IAM principal, remove the environment variables:

unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
aws sts get-caller-identity