Applying Custom Permissions for AWS Accounts

Rebekah Garner

Isolate Service Account Permissions to access AWS S3 Buckets

by Julie Sabor, Claravine Solutions Consultant

 

If you need to restrict the Claravine integration's access to S3, this article describes how to isolate the AWS user's permissions with a custom (customer managed) policy in AWS IAM.

Claravine requires two actions to read/write to your S3 bucket:

  • s3:PutObject

  • s3:ListBucket

A custom IAM policy can limit the user to exactly these actions and to the specific Resources they apply to.  Follow the steps below to complete this process.


Step One:

Retrieve the ARN and Region.  For later steps, note the ARN (Amazon Resource Name) of each bucket and/or folder that Claravine should be limited to, and the region of the bucket.

Go to S3 -> Buckets to see the list of buckets available.  Click a bucket (or folder), then select ‘Properties’.

Bucket:

Folder:

Take note of the region (needed in Step 4) and copy the ARN into a text file; you will use those values in Step 2.


Step Two:

Go to IAM -> Access Management -> Policies.  Click ‘Create Policy’ in the upper right-hand corner.



Select the JSON tab.



Copy/paste the JSON below into the JSON editor.  Under “Resource”, substitute each ARN with the values you collected in Step 1.  If you have a folder ARN, also add the same ARN with a trailing * (as in the table below): an object ARN without the wildcard matches only that exact key, while the wildcard form matches every object written under the folder.  Note that s3:ListBucket is evaluated against the bucket ARN, so the folder entries scope only s3:PutObject; as written, this policy still allows listing the whole bucket, which can be narrowed with an s3:prefix condition if required.  In this example, the ARN values are:

ARN Value                                               Type
arn:aws:s3:::we.retail.claravine.demo                   My Bucket
arn:aws:s3:::we.retail.claravine.demo/demo-folder/      My Bucket/Folder
arn:aws:s3:::we.retail.claravine.demo/demo-folder/*     My Bucket/Folder wildcard

JSON Script:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::we.retail.claravine.demo",
                "arn:aws:s3:::we.retail.claravine.demo/demo-folder/",
                "arn:aws:s3:::we.retail.claravine.demo/demo-folder/*"
            ]
        }
    ]
}

 

 

Click through the next optional steps (Tags) and make changes as required for your company.  When you get to ‘Review policy’, give your policy a Name and Description, and click ‘Create policy’.

After the policy is created, you can search for it and edit it at any time in IAM -> Access Management -> Policies.

 

Step Three:

Create a user with the newly created policy.  Go to IAM -> Access Management -> Users and click ‘Add Users’.

Give your user a name and select Programmatic access.  (Newer versions of the IAM console no longer offer this option at creation time: create the user first, then generate the key from the user's ‘Security credentials’ tab.)

Click Next.

On Set permissions, select ‘Attach existing policies directly’, search for your newly created policy and select it.  Attach only this policy; adding broader managed policies would defeat the isolation.

Edit the permissions boundary if needed.  Click through the next option (Tags) and add tags if your company needs them.  Click Next and finally ‘Create user’.

After creating the user, copy the Access Key ID and Secret Access Key to a secure location such as a password or secrets manager.  The secret is shown only once; if it is lost, create a new key and delete the old one.  You will need these values to connect in Claravine.

 

 

Step Four:

Connect your AWS user to Claravine.

Go to Claravine and add an Account (Settings -> Integrations -> Accounts) by selecting the blue + sign.  Give the Account a name for Claravine usage and an optional description, select the AWS S3 tile, and paste in your Access Key ID and Secret Access Key.  Click Save.

Once your AWS user is saved in Claravine, go to your Template to configure the integration.

For the integration (Settings → Template → Inbound/Outbound Integration), select your AWS Account and the Region noted in Step 1.  An error message appears because this user is not permitted to list the buckets in your account (that would require s3:ListAllMyBuckets, which the policy deliberately omits); select ‘Manual Bucket Entry’ from the radio button options.

Under S3 Bucket, type your bucket name (not the full ARN):

ARN Name                                               Claravine Bucket Name
arn:aws:s3:::we.retail.claravine.demo/demo-folder/     we.retail.claravine.demo

If you are using a folder, the Filename field must start with the folder prefix:

ARN Name                                               Prefix to Claravine Filename
arn:aws:s3:::we.retail.claravine.demo/demo-folder/     demo-folder/

If you use manual entry with nested directories, split the S3 path the same way: the first path segment is the bucket, and everything after it is the Filename prefix:

S3 path                                         Claravine Bucket Name   Prefix to Claravine Filename
s3://cmdt-temp/cidw/data-science/claravine/     cmdt-temp               cidw/data-science/claravine/

The screenshot below illustrates the final integration.
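The whole procedure in code, as an added example that is not part of the original article and not Claravine's or AWS's own tooling: it splits an S3 path into the bucket name and Filename prefix that Step 4 asks for, builds the policy from Step 2, and optionally performs Steps 2 and 3 through the IAM API (that part assumes boto3 is installed and credentials with IAM rights are configured; everything else runs offline). It deliberately tightens the article's policy: because s3:ListBucket is evaluated against the bucket ARN, the folder ARNs in the article's Resource list do not stop the user from listing the entire bucket, whereas a StringLike condition on s3:prefix does. That tightening assumes Claravine lists objects using the folder prefix entered under Filename; if the integration needs to list the bucket root, keep the article's unconditioned ListBucket statement. The local evaluator is a simplified check of this policy's semantics, not the IAM policy simulator, and the bucket and folder names are the article's demo values.

```python
"""Added example, not Claravine's or AWS's own code: derive bucket and prefix
from an S3 path, build a prefix-scoped policy, and check locally what it and
the article's policy actually permit. The evaluator covers only the IAM
subset this policy needs (Allow/Deny, '*'/'?' wildcards, StringLike on
s3:prefix); use the IAM policy simulator for anything beyond that.
"""
import json
import re
from typing import Optional


def split_s3_path(path: str) -> tuple:
    """'s3://cmdt-temp/cidw/claravine/' -> ('cmdt-temp', 'cidw/claravine/')."""
    if path.startswith("s3://"):
        path = path[len("s3://"):]
    bucket, _, prefix = path.partition("/")
    return bucket, prefix


def build_policy(bucket: str, prefix: str) -> dict:
    """s3:ListBucket is evaluated on the bucket ARN, so a folder ARN in Resource
    cannot narrow it; only an s3:prefix condition can. s3:PutObject is evaluated
    on object ARNs, so the folder wildcard does scope it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListOnlyUnderPrefix", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": [prefix, prefix + "*"]}}},
        {"Sid": "WriteOnlyUnderPrefix", "Effect": "Allow",
         "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
    ]}


def article_policy(bucket: str, prefix: str) -> dict:
    """The article's statement as written: folder ARNs, no condition."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}",
                      f"arn:aws:s3:::{bucket}/{prefix}",
                      f"arn:aws:s3:::{bucket}/{prefix}*"]}]}


def _match(pattern: str, value: str, flags: int = 0) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None


def _listify(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource: str,
               context: Optional[dict] = None) -> bool:
    """Default deny; an explicit Deny wins; otherwise any matching Allow."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(_match(a, action, re.IGNORECASE) for a in _listify(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _listify(stmt["Resource"])):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        wanted = _listify(cond.get("s3:prefix", []))
        if wanted:
            # A StringLike test on a key absent from the request is false.
            got = context.get("s3:prefix")
            if got is None or not any(_match(p, got) for p in wanted):
                continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def apply_with_boto3(policy_name: str, user_name: str, policy: dict) -> dict:
    """Steps 2 and 3 through the real IAM API; imported lazily so the rest runs
    offline. Returns the AccessKey structure: the SecretAccessKey is only ever
    returned here, so hand it to a secrets manager, not a text file."""
    import boto3  # assumption: boto3 installed and AWS credentials configured
    iam = boto3.client("iam")
    arn = iam.create_policy(PolicyName=policy_name,
                            PolicyDocument=json.dumps(policy))["Policy"]["Arn"]
    iam.create_user(UserName=user_name)
    iam.attach_user_policy(UserName=user_name, PolicyArn=arn)
    return iam.create_access_key(UserName=user_name)["AccessKey"]


if __name__ == "__main__":
    bucket, prefix = split_s3_path("s3://we.retail.claravine.demo/demo-folder/")
    for name, pol in (("article", article_policy), ("prefix-scoped", build_policy)):
        other = is_allowed(pol(bucket, prefix), "s3:ListBucket",
                           f"arn:aws:s3:::{bucket}", {"s3:prefix": "other-folder/"})
        print(f"{name} policy lets the user list other-folder/: {other}")
```

Running the file shows the difference between the two policies: the article's statement lets the user list other-folder/ (and the bucket root), while the prefix-scoped one refuses anything outside demo-folder/. Both policies confine s3:PutObject to the folder wildcard, and neither grants s3:GetObject or s3:DeleteObject, so a leaked key cannot read or remove existing files. Because the prefix-scoped policy also refuses a listing with no prefix at all, Claravine's bucket dropdown will fail exactly as Step 4 describes, and Manual Bucket Entry is still required.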

 

 

 

 
