Console Setup

The following setup creates an IAM role and an IAM policy, then attaches the policy to the new role. XMode assumes this role, and the attached policy limits what XMode can do through it, in order to transfer data into the S3 location you specify. Nothing else in your account is reachable through the role unless the policy grants it.

AWS User Guide

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane of the console, choose Roles and then choose Create role.
  3. Choose the Another AWS account role type.
  4. For Account ID, use the account ID “366810793500”. This is XMode’s account ID and access to S3 will be granted to this account.
  5. Select Require external ID. The external ID is your company name as you entered it, with spaces and special characters removed except for the following: "=,.@:/-_". This option adds a condition to the role's trust policy so that the role can only be assumed when the AssumeRole request carries the matching sts:ExternalId (the comparison is an exact, case-sensitive StringEquals match, so give XMode the value exactly as it appears in the policy).
  6. Choose Next: Permissions.
  7. IAM lists the AWS managed and customer managed policies in your account. Select the policy to use as the permissions policy, or choose Create policy to open a new browser tab and create one from scratch. If you already have a policy, make sure it allows XMode to read, write, and list objects in the specified bucket/path; otherwise use the S3 permissions policy shown under AWS CLI Setup below, which grants exactly those actions on a single bucket.
  8. The role's trust policy (shown under the Trust relationships tab once the role exists, and finalised in steps 15 to 17) should end up looking like this; replace the placeholder with your company name, without spaces or special characters except for the following: "=,.@:/-_":
     {
       "Version": "2012-10-17",
       "Statement": {
         "Effect": "Allow",
         "Principal": { "AWS": "arn:aws:iam::366810793500:user/xmode-data-transfer" },
         "Action": "sts:AssumeRole",
         "Condition": {
           "StringEquals": {
             "sts:ExternalId": "REPLACE_WITH_COMPANY_NAME"
           }
         }
       }
     }
                    
  9. Choose Next: Tagging.
  10. (Optional) Add metadata to the role by attaching tags as key–value pairs.
  11. Choose Next: Review
  12. For Role name, type a name for your role. Role names must be unique within your AWS account. They are not distinguished by case. For example, you cannot create roles named both PRODROLE and prodrole. Because other AWS resources might reference the role, you cannot edit the name of the role after it has been created.
  13. For Role description, type a description for the new role.
  14. Review the role and then choose Create role.
  15. Find the role you just created and open the Trust relationships tab.
  16. Choose Edit trust relationship.
  17. Replace “arn:aws:iam::366810793500:root” with “arn:aws:iam::366810793500:user/xmode-data-transfer”. The console wrote the account root as the principal, which would let any identity in XMode's account that has been granted sts:AssumeRole assume your role; naming the single IAM user restricts the trust to that identity.
  18. That’s it, you’re done!

AWS CLI Setup

  1. Create the role with a trust policy that allows XMode's IAM user to assume it, provided the request carries your external ID. Below is an example of the CLI command to run (the role name is a placeholder; the external ID follows the same character rule as in the console steps):
  2. aws iam create-role --role-name Test-UserAccess-Role --assume-role-policy-document '{
       "Version": "2012-10-17",
       "Statement": {
         "Effect": "Allow",
         "Principal": { "AWS": "arn:aws:iam::366810793500:user/xmode-data-transfer" },
         "Action": "sts:AssumeRole",
         "Condition": {
           "StringEquals": {
             "sts:ExternalId": "REPLACE_WITH_COMPANY_NAME"
           }
         }
       }
     }'
  3. Create the permissions policy for XMode to use, replacing bucket-name with your bucket. The first statement lets XMode upload only when the object is written with the bucket-owner-full-control ACL, so uploaded objects are owned by your account (if the bucket has ACLs disabled, that is, Object Ownership set to Bucket owner enforced, bucket-owner-full-control is still the one canned ACL S3 accepts, so the condition stays satisfiable). The second statement grants read, delete, and list on the same bucket. The final Deny statement, built from NotAction and NotResource, explicitly denies any non-S3 action; S3 calls against other buckets are not matched by it, but nothing in this policy allows them either, so they fall under IAM's default deny.
  4. aws iam create-policy --policy-name my-policy --policy-document '{
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "s3:PutObject",
             "s3:PutObjectAcl"
           ],
           "Resource": [
             "arn:aws:s3:::bucket-name",
             "arn:aws:s3:::bucket-name/*"
           ],
           "Condition": {
             "StringEquals": {
               "s3:x-amz-acl": [
                 "bucket-owner-full-control"
               ]
             }
           }
         },
         {
           "Effect": "Allow",
           "Action": [
             "s3:DeleteObject",
             "s3:GetObject",
             "s3:GetObjectAcl",
             "s3:ListBucket"
           ],
           "Resource": [
             "arn:aws:s3:::bucket-name",
             "arn:aws:s3:::bucket-name/*"
           ]
         },
         {
           "Effect": "Deny",
           "NotAction": "s3:*",
           "NotResource": [
             "arn:aws:s3:::bucket-name",
             "arn:aws:s3:::bucket-name/*"
           ]
         }
       ]
     }'
  5. Attach the permissions policy (in this example a customer managed policy) to the role to specify what it is allowed to do. Customer managed policy ARNs use the :policy/ path, not :role/, and the account ID is your own (123456789012 below is a placeholder); create-policy prints the exact ARN to use.
  6. aws iam attach-role-policy --role-name Test-UserAccess-Role --policy-arn arn:aws:iam::123456789012:policy/my-policy
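The console steps and the CLI steps above come down to the same three IAM calls. The script below is an added example, not XMode's own code or tooling: it applies the external ID character rule, renders the trust and S3 policies, creates and attaches them, and then uses IAM's policy simulator to confirm that the role can write to your bucket and to a probe object in an unrelated bucket only as intended, before the role ARN and external ID are handed over. The XMode account ID and IAM user come from this page; the role name, policy name, bucket name, company name and the "other-bucket" probe are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not XMode's own tooling: the console and CLI steps above as
# one script. The XMode account ID and IAM user come from this page; the role
# name, policy name, bucket and company name are placeholders you pass in.
set -eu

XMODE_ACCOUNT="366810793500"
XMODE_PRINCIPAL="arn:aws:iam::${XMODE_ACCOUNT}:user/xmode-data-transfer"

# External ID rule from the console steps: the company name with spaces and
# special characters removed, keeping only letters, digits and = , . @ : / - _
external_id_from_name() {
  printf '%s' "$1" | tr -cd 'A-Za-z0-9=,.@:/_-'
}

# Customer managed policy ARNs live under :policy/ (not :role/).
managed_policy_arn() { # $1 = account ID, $2 = policy name
  printf 'arn:aws:iam::%s:policy/%s' "$1" "$2"
}

# Trust policy: only XMode's IAM user, and only with the agreed external ID.
trust_policy_json() { # $1 = external ID
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "${XMODE_PRINCIPAL}" },
    "Action": "sts:AssumeRole",
    "Condition": { "StringEquals": { "sts:ExternalId": "$1" } }
  }]
}
EOF
}

# Permissions policy: the page's S3 policy, with ListBucket on the bucket ARN
# and object actions on the object ARN, plus the explicit deny of non-S3 calls.
s3_policy_json() { # $1 = bucket name
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectAcl"],
      "Resource": "arn:aws:s3:::$1/*",
      "Condition": { "StringEquals": { "s3:x-amz-acl": "bucket-owner-full-control" } } },
    { "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectAcl", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::$1/*" },
    { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::$1" },
    { "Effect": "Deny", "NotAction": "s3:*",
      "NotResource": ["arn:aws:s3:::$1", "arn:aws:s3:::$1/*"] }
  ]
}
EOF
}

# Creates the role and policy, attaches them, and simulates an upload so the
# result is checked before the role is handed to XMode. Needs the AWS CLI and
# IAM permissions in your account; nothing below runs without "apply".
apply_setup() { # $1 = role name, $2 = policy name, $3 = bucket, $4 = company name
  local ext_id policy_arn role_arn account
  ext_id="$(external_id_from_name "$4")"
  role_arn="$(aws iam create-role --role-name "$1" \
    --assume-role-policy-document "$(trust_policy_json "$ext_id")" \
    --query Role.Arn --output text)"
  # Take the policy ARN from IAM's response rather than typing it by hand,
  # and cross-check it against the :policy/ form.
  policy_arn="$(aws iam create-policy --policy-name "$2" \
    --policy-document "$(s3_policy_json "$3")" \
    --query Policy.Arn --output text)"
  account="$(aws sts get-caller-identity --query Account --output text)"
  [ "$policy_arn" = "$(managed_policy_arn "$account" "$2")" ] ||
    { echo "unexpected policy ARN: $policy_arn" >&2; exit 1; }
  aws iam attach-role-policy --role-name "$1" --policy-arn "$policy_arn"
  # Simulated PutObject with the required ACL header: expect "allowed" for
  # your bucket and a deny for the placeholder other-bucket (nothing is uploaded).
  aws iam simulate-principal-policy --policy-source-arn "$role_arn" \
    --action-names s3:PutObject \
    --resource-arns "arn:aws:s3:::$3/probe.csv" "arn:aws:s3:::other-bucket/probe.csv" \
    --context-entries "ContextKeyName=s3:x-amz-acl,ContextKeyValues=bucket-owner-full-control,ContextKeyType=string" \
    --query 'EvaluationResults[].ResourceSpecificResults[].[EvalResourceName,EvalResourceDecision]' \
    --output text
  echo "Role ARN for XMode: $role_arn"
  echo "External ID for XMode: $ext_id"
}

# Usage: ./xmode-setup.sh apply <role-name> <policy-name> <bucket> "<Company Name>"
if [ "${1:-}" = "apply" ]; then
  apply_setup "$2" "$3" "$4" "$5"
fi
```

Run it once with the apply argument; the two lines of simulator output are the check that the policy is scoped to a single bucket, and the last two lines are the only values XMode needs from you.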