User GuidesAPI Reference & Developer GuidesInteractive GuidesOperational StatusRelease Notes
API Reference & Developer Guides
Log In To Simon

GCP Cross-Account Access to Simon Data hosted S3 Bucket

For external access to your SimonData hosted S3 bucket please contact your Account Manager and follow the steps in the guide to setup.

We'll create a role for your organization that can provide temporary credentials to principals within your account via AWS’s Security Token Service. Your Google Service Account can then assume the AWS role with STS AssumeRoleWithWebIdentity.

📘

Read/Write Access

Follow the steps in this guide to grant both read and write access.

Prerequisites

Setup

  1. Enable OAuth for the service account you want to use.
  2. Give the OAuth Client ID to your account manager.
  3. The Simon Data Security team will setup the S3 access and send back an AWS ARN for your service account to assume.

Test Programmatic Access

  1. Log into your GCP account via the CLI with the service account.

  2. Run the following command to obtain a session token to assume the role within AWS:

aws sts assume-role-with-web-identity
--role-arn arn:aws:iam::709223122281:role/clientname_external_sts
--role-session-name<testsession> 
--web-identity-token 
$(curl -H 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/<service-account>.iam.gserviceaccount.com/identity?audience=<audiencename>) | jq .Credentials
  • Update role-arn to the ARN provided by Simon Data.
  • Update session name and audience to an identifier (this will show in cloudtrail and GCP audit logs).
  • Update the metadata URI to include your service account.

  1. The request returns a response that includes an AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN. These will be short lived credentials (limited to 15 mins to 1 hour).

  2. Create three variables to assume the IAM role:

  • export AWS_ACCESS_KEY_ID=RoleAccessKeyID
  • export AWS_SECRET_ACCESS_KEY=RoleSecretKey
  • export AWS_SESSION_TOKEN=RoleSessionToken

Alternatively the following can be appended to the command in step 2, to skip this step: | "export AWS_ACCESS_KEY_ID=(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=(.SecretAccessKey)\nexport AWS_SESSION_TOKEN=(.SessionToken)\n"')

  1. Verify that you assumed the IAM role by running this command: aws sts get-caller-identity
    The AWS CLI command should output the ARN as arn:aws:sts::709223122281:assumed-role/clientname_external_sts/AWSCLI-Session which verifies that you assumed the clientname_external_sts role.

  2. Verify access to your S3 bucket by running the following command: aws s3 ls s3://clientname.simondata.com/

  3. To remove the AWS credentials, remove the environment variables: unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN