Trust Relationship Role
AWS integrations are securely configured by means of a Trust Relationship of the BICS Data Streamer role (arn:aws:iam::884047677700:role/datastreamer). The Trust Relationship can be added to new and/or already-existing roles.
The following JSON shows an example policy document that should be added in the Trust Relationship.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::884047677700:role/datastreamer"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "sts:ExternalId": [
            "org-1234"
          ]
        }
      }
    }
  ]
}
Note: The ExternalId must match the BICS organisation number, so for an organisation with a numeric ID of 1234 the value above shows org-1234. The numeric ID of an organisation can be retrieved with a call to /organisation/my.
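The following is an added example, not BICS documentation or code: it builds the trust-relationship document for an organisation number and checks a document before it is pasted into the role, flagging a wildcard principal, a principal other than the datastreamer role, and a missing or mismatched sts:ExternalId condition (the ExternalId is what stops the role being assumed on behalf of a different BICS organisation). The organisation number 1234 is taken from the page's example; the function and finding texts are this example's own.

```python
# Role ARN from the page: the BICS Data Streamer role that assumes the customer role.
DATASTREAMER_ROLE_ARN = "arn:aws:iam::884047677700:role/datastreamer"


def build_trust_policy(org_number: int) -> dict:
    """Trust-relationship document for the given BICS organisation number."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"AWS": [DATASTREAMER_ROLE_ARN]},
            "Action": "sts:AssumeRole",
            "Condition": {
                "ForAnyValue:StringEquals": {"sts:ExternalId": [f"org-{org_number}"]}
            },
        }],
    }


def _as_list(value):
    # IAM allows a single string or a list in most policy fields.
    return [value] if isinstance(value, str) else list(value or [])


def check_trust_policy(policy: dict, org_number: int) -> list:
    """Findings for every Allow statement that grants sts:AssumeRole.
    An empty list means the statement trusts only the datastreamer role
    and is locked to the expected ExternalId (this example's own checks)."""
    expected = f"org-{org_number}"
    findings = []
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in aws:
            findings.append("wildcard principal: any AWS account could assume this role")
        elif DATASTREAMER_ROLE_ARN not in aws:
            findings.append("principal does not include the datastreamer role")
        ext_ids = []
        for operator, keys in stmt.get("Condition", {}).items():
            if operator.split(":")[-1] == "StringEquals":  # covers ForAnyValue:StringEquals
                ext_ids += _as_list(keys.get("sts:ExternalId"))
        if not ext_ids:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
        elif expected not in ext_ids:
            findings.append(f"sts:ExternalId does not include {expected}")
    return findings
```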
S3 AWS Configuration
This section covers the steps necessary to create a new role with S3 write access.

1. In the AWS console, navigate to S3 and create a new bucket.
2. In IAM -> Policies, click Create Policy to create a policy which allows PutObject permissions to the S3 bucket.
3. In IAM -> Roles, click Create Role for the S3 use case and click Next: Permissions.
4. Attach the policy created in step 2 and click Next: Tags, then Create Role.
5. Edit the newly-created role and click Trust Relationships -> Edit Trust Relationships.
6. Copy the policy document JSON listed above with your organisation ID in place to allow BICS's datastreamer role write access.
NOTES:
- Bucket names should be DNS-compliant, see AWS docs: Rules for Bucket Naming.
Kinesis AWS Configuration
This section covers the steps necessary to create a new role with Kinesis write access.

1. In the AWS console, navigate to Kinesis and create a new stream.
2. In IAM -> Policies, click Create Policy to create a policy which allows PutRecord and PutRecords write permissions to the Kinesis stream.
3. In IAM -> Roles, click Create Role for Kinesis Analytics and click Next: Permissions.
4. Attach the policy created in step 2 and click Next: Tags -> Create Role.
5. Edit the newly-created role and click Trust Relationships -> Edit Trust Relationships.
6. Copy the policy document JSON listed above with your organisation ID in place to allow BICS's datastreamer role write access.