
AWS External ID

This page describes how to give Rockset access to your data in Amazon AWS using external ID authentication: you create an IAM role that Rockset's IAM user is allowed to assume only when it presents the external ID of your integration.

Create IAM Role

  1. Sign in to the AWS Management Console and navigate to the IAM service.
  2. Under Roles, click Create role.
  3. Select Another AWS account as the type of trusted entity.
  4. Enter your own AWS Account ID (Where is my AWS Account ID?). This will be changed after you create an External ID integration in Rockset.
  5. Select or create a policy defining all the required permissions. Recommended policies depend on which AWS service (S3, Kinesis, or DynamoDB) your data is in. The recommended S3 policy, which allows listing the bucket and reading objects only under the scoped prefix, is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket/path/to/scoped/data/*"
      ]
    }
  ]
}
  6. Optionally add any tags. Click Next.
  7. Enter rockset-role as the name for this role, optionally give a description, and create the role.
  8. Record the Role ARN from the role summary page. You will need it to create an External ID integration in Rockset.
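The S3 policy above grants two things: listing on the whole bucket and object reads only under one prefix. The following script, an added example that is not part of the Rockset documentation or of any Rockset tooling, builds that policy from a bucket name and prefix and then checks a policy (built or pasted from the console as JSON) against that scope, flagging actions beyond s3:List*/s3:GetObject, resources outside the bucket, and GetObject grants that reach outside the scoped prefix. The bucket and prefix values are constructed placeholders.

```python
import json

# Constructed sample values, not from the page: the bucket and prefix you scope
# Rockset's access to. Replace with your own.
BUCKET = "bucket"
PREFIX = "path/to/scoped/data"


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_s3_read_policy(bucket: str, prefix: str) -> dict:
    """Return the recommended S3 policy: list the bucket, read only under prefix."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    scoped_prefix = prefix.strip("/")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:List*"],
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [f"{bucket_arn}/{scoped_prefix}/*"],
            },
        ],
    }


def check_s3_policy_scope(policy: dict, bucket: str, prefix: str) -> list:
    """Report every Allow grant wider than 'list this bucket, read under prefix'.

    Returns human-readable findings; an empty list means the policy stays
    within the recommended scope.
    """
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    scoped = f"{bucket_arn}/{prefix.strip('/')}/"
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            # Only listing and single-object reads are expected for Rockset.
            if not (action.startswith("s3:List") or action == "s3:GetObject"):
                findings.append(
                    f"statement {idx}: {action} is broader than the recommended s3:List*/s3:GetObject grants"
                )
                continue
            for resource in resources:
                in_bucket = resource == bucket_arn or resource.startswith(bucket_arn + "/")
                if not in_bucket:  # covers "*", "arn:aws:s3:::*" and other buckets
                    findings.append(f"statement {idx}: {action} on {resource} is not limited to bucket {bucket}")
                elif action == "s3:GetObject" and not resource.startswith(scoped):
                    findings.append(f"statement {idx}: {action} on {resource} reads outside {scoped}*")
    return findings


def check_s3_policy_json(policy_json: str, bucket: str, prefix: str) -> list:
    """Same check for a policy pasted from the console as JSON text."""
    return check_s3_policy_scope(json.loads(policy_json), bucket, prefix)


if __name__ == "__main__":
    policy = build_s3_read_policy(BUCKET, PREFIX)
    print(json.dumps(policy, indent=2))
    print("findings:", check_s3_policy_scope(policy, BUCKET, PREFIX))
```

Run it against the policy you attached to rockset-role before moving on: a `*` resource or an `s3:*` action is a common copy-paste widening that the console will accept without complaint.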

Create Rockset Integration

  1. From the Rockset console, create an External ID integration using the ARN of the role you just created.

Create External ID

  1. You can now view the integration details to fetch aws_external_id and rockset_iam_user, which are required to update the trust relationship of the role you just created.

View Integration Details

Integration Details

Reconfigure IAM Role

  1. Go back to the role summary page in the AWS console and select the Trust relationships tab.
  2. Click Edit trust relationship. Replace the AWS user Principal with the value of rockset_iam_user and modify the condition as follows:
"Condition": {
    "StringEquals": {
         "sts:ExternalId": "{aws_external_id}"
    }
}
  3. Click Update Trust Policy.
  4. The updated trust policy should be similar to the one shown below, with the values of rockset_iam_user and aws_external_id from above. The Principal limits who may call sts:AssumeRole to Rockset's IAM user, and the sts:ExternalId condition ensures that only the Rockset integration holding this external ID can use that permission.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "{rockset_iam_user}"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "{aws_external_id}"
                }
            }
        }
    ]
}
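The two Reconfigure IAM Role edits (replacing the Principal and adding the sts:ExternalId condition) are where this setup is most often left half-done. The script below is an added example, not Rockset's code or part of the page: it builds the trust policy from the two integration values and checks a trust policy (built, or copied as JSON from the Trust relationships tab) for a wildcard or unexpected principal, a missing external ID condition, a placeholder left unreplaced, or an external ID that does not match the integration. The IAM user ARN and external ID are constructed sample values; the real ones come from the integration details page.

```python
import json

# Constructed sample values, not real Rockset identifiers; take the real ones
# from the integration details page in the Rockset console.
ROCKSET_IAM_USER = "arn:aws:iam::123456789012:user/rockset-example-user"
AWS_EXTERNAL_ID = "example-external-id-0123456789abcdef"
ASSUME_ROLE_ACTIONS = ("sts:AssumeRole", "sts:*", "*")


def _as_list(value):
    """IAM accepts a string or a list in many fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(rockset_iam_user: str, aws_external_id: str) -> dict:
    """Return the trust policy from the Reconfigure IAM Role step, values filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": rockset_iam_user},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": aws_external_id}},
            }
        ],
    }


def check_trust_policy(policy: dict, expected_principal: str, expected_external_id: str) -> list:
    """Inspect each Allow statement that grants AssumeRole and report deviations.

    An empty result means only the expected Rockset IAM user can assume the
    role, and only when it presents this integration's external ID. Without
    the sts:ExternalId condition the role could be assumed on behalf of any
    other integration that names its ARN (the confused-deputy problem).
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ASSUME_ROLE_ACTIONS for a in _as_list(stmt.get("Action"))):
            continue  # not an AssumeRole grant; other actions are out of scope here
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in aws_principals:
            findings.append(f"statement {idx}: wildcard principal lets any AWS account attempt AssumeRole")
        for p in aws_principals:
            if p != "*" and p != expected_principal:
                findings.append(f"statement {idx}: unexpected principal {p}")
        conditions = stmt.get("Condition") or {}
        external_ids = _as_list((conditions.get("StringEquals") or {}).get("sts:ExternalId"))
        if not external_ids:
            findings.append(f"statement {idx}: no sts:ExternalId condition (confused-deputy risk)")
        for ext in external_ids:
            if ext.startswith("{") and ext.endswith("}"):
                findings.append(f"statement {idx}: sts:ExternalId is still the placeholder {ext}")
            elif ext != expected_external_id:
                findings.append(f"statement {idx}: sts:ExternalId does not match the integration's external ID")
    return findings


def check_trust_policy_json(policy_json: str, expected_principal: str, expected_external_id: str) -> list:
    """Same check for the policy text copied from the Trust relationships tab."""
    return check_trust_policy(json.loads(policy_json), expected_principal, expected_external_id)


if __name__ == "__main__":
    policy = build_trust_policy(ROCKSET_IAM_USER, AWS_EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", check_trust_policy(policy, ROCKSET_IAM_USER, AWS_EXTERNAL_ID))
```

Paste the policy text from the Trust relationships tab into `check_trust_policy_json` after step 3; the check also treats a Statement given as a single object rather than a list the way IAM does, so it works on either form the console shows.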