STS Integration
  • 18 Jul 2024



AWS STS (Security Token Service) Integration allows the Dataloop platform to securely assume AWS roles and obtain temporary security credentials for accessing AWS resources. This integration enhances security by providing time-limited access to AWS services and resources without the need to manage long-term access keys.

To set up STS in AWS and connect it to Dataloop, follow these instructions:


Create an S3 Bucket

  1. Log in to the AWS Management Console.
  2. Go to Services > Storage and click the S3 service.
  3. Click Create bucket. The Create Bucket page is displayed.
  4. Provide a Bucket name.
  5. Select your AWS region from the list.
  6. Under Block Public Access settings for this bucket, keep Block all public access selected.
  7. For all other optional settings, use the default values.
  8. Click Create bucket. A confirmation message is displayed.

For a step-by-step guide on creating an S3 bucket in AWS, see Creating a bucket.


Create an IAM Policy


Create an IAM User

  1. Log in to the AWS Management Console.
  2. Go to Services and click All services. A list of services is displayed.
  3. Click the IAM service from the list.
  4. From the left portal menu, click Users.
  5. Click Add users.
  6. Enter a username.
  7. Ensure the Programmatic access checkbox is selected as the type of access you want to grant the user.
    Note: Use the default access type and do not choose console access.
  8. Click Next. A Set Permissions page is displayed.
  9. Leave the page as is and click Next.
  10. Click Create user. A confirmation message is displayed.
    See Creating an IAM user in AWS for more information.

Create an IAM Role

  1. Log in to the AWS Management Console.
  2. Go to Services and click All services. A list of services is displayed.
  3. Click the IAM service from the list.
  4. From the left portal menu, click Roles.
  5. Click Create role.
  6. Choose AWS service as the trusted entity type.
  7. Choose EC2 as the use case.
  8. Click Next.
  9. Search and select the policy that you created for accessing the S3 bucket.
  10. Click Next.
  11. Enter a name and an optional description for the role.
  12. Click Create role. A confirmation message is displayed.
  13. Click the Role that you created from the list.
Note:
  • Copy the ARN value, which is required during the integration phase.
  • For a step-by-step guide on creating an IAM role in AWS, see Creating IAM roles.


Add an Inline IAM policy to the IAM User

  1. Log in to the AWS Management Console.
  2. Go to Services and click All services. A list of services is displayed.
  3. Click the IAM service from the list.
  4. From the left portal menu, click Users.
  5. Search and select the IAM user you just created.
  6. Click the Permissions tab.
  7. Click Add permissions and choose Create inline policy.
  8. Select the JSON tab.
  9. Define the policy document in JSON format, for example:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<YourAWSAccountId>:role/<IAMRoleName>"
  }
}

Note:
  • Replace <YourAWSAccountId> with your AWS account ID.
  • Replace <IAMRoleName> with the name of the IAM Role.
  10. Click Review Policy.
  11. Enter a Name for the policy.
  12. Click Create policy. A confirmation message is displayed.

Create an Access Key for the IAM User

  1. Log in to the AWS Management Console.
  2. Go to Services and click All services. A list of services is displayed.
  3. Click the IAM service from the list.
  4. From the left portal menu, click Users.
  5. Find and click on the desired user (for example, a Dataloop user) for whom you want to create an access key.
  6. Click on the Security credentials tab.
  7. In the Access keys section, click Create access key.
  8. In the Access key best practices & alternatives, choose Application running outside AWS.
  9. Click Next.
  10. Enter a description that includes Dataloop.
  11. Click Create access key.
  12. Copy and save the access key ID and secret access key in a secure location, or download the CSV file. Both values are required for the integration phase.
  13. Click Done. This completes the access key creation for the IAM user.
    See Set up an S3 policy for setting up a policy in AWS.


Update the trust relationship of an IAM Role

  1. Log in to the AWS Management Console.
  2. Go to Services and click All services. A list of services is displayed.
  3. Click the IAM service from the list.
  4. From the left portal menu, click Roles.
  5. Search and select the IAM role whose trust relationship you want to change.
  6. Click the Trust relationships tab.
  7. Click Edit trust policy.
  8. Replace the existing trust policy JSON document with the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<AWSAccountId>:user/<IAMUserName>"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Note:
  • Replace <AWSAccountId> with your AWS account ID.
  • Replace <IAMUserName> with the name of the IAM User.
  9. Click Update Policy. A confirmation message is displayed.
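The inline policy on the IAM user and the trust policy on the IAM role are two halves of one AssumeRole relationship, and the integration fails if either side names the wrong ARN. The following Python check, added here as an example and not part of this article or the Dataloop platform, verifies that the two documents agree: the user's policy must name the exact role ARN and the role's trust policy must name the exact user ARN, with wildcard principals or resources rejected. The account ID, user name and role name are constructed placeholders.

```python
import json

# Constructed sample documents mirroring the two policies in this article.
# The account ID, user name and role name are placeholders, not real values.
ACCOUNT_ID = "123456789012"
USER_NAME = "dataloop-sts-user"
ROLE_NAME = "dataloop-s3-role"

USER_INLINE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
                  "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"},
})
ROLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user/{USER_NAME}"},
                   "Action": "sts:AssumeRole"}],
})

def _as_list(value):
    """IAM lets Statement, Action, Resource and Principal.AWS be a scalar or a list."""
    return value if isinstance(value, list) else [value]

def _allow_assume_statements(doc_json):
    """Yield only Allow statements whose Action includes sts:AssumeRole."""
    for stmt in _as_list(json.loads(doc_json)["Statement"]):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            yield stmt

def user_can_assume(policy_json, role_arn):
    """True if the user's policy names exactly role_arn; a '*' resource does not count."""
    return any(role_arn in _as_list(s.get("Resource", []))
               for s in _allow_assume_statements(policy_json))

def role_trusts_user(trust_json, user_arn):
    """True if the trust policy names exactly user_arn as an AWS principal.
    A bare "*" principal or {"AWS": "*"} is rejected: it would let any AWS account assume the role."""
    for stmt in _allow_assume_statements(trust_json):
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and user_arn in _as_list(principal.get("AWS", [])):
            return True
    return False

def assume_role_pair_ok(policy_json, trust_json, account_id, user_name, role_name):
    """Both halves must agree: the user may call AssumeRole on the role AND the role trusts that user."""
    role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    user_arn = f"arn:aws:iam::{account_id}:user/{user_name}"
    return user_can_assume(policy_json, role_arn) and role_trusts_user(trust_json, user_arn)
```

Run it against the JSON you pasted into the console (with the placeholders replaced) before creating the integration on Dataloop; a False result means one side names a different account, user or role than the other.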

Create an AWS STS Integration on Dataloop Platform

  1. Log in to the Dataloop platform.
  2. From the left-side panel, select Data Governance.
  3. Click Create Integration. A pop-up window is displayed on the right side.
  4. Integration Name: Enter a Name for the integration.
  5. Provider: Choose AWS from the list.
  6. Integration Type: Select STS from the list.
  7. Key: Enter the IAM user’s access key ID that you noted while creating an access key for the IAM user.
  8. Secret: Enter the IAM user’s secret access key that you noted while creating an access key for the IAM user.
  9. Role ARN: Enter the Role ARN that you noted earlier.
  10. Click Create Integration. A confirmation message is displayed.

Create S3 Storage Service on the Dataloop Platform

For more information, see the Create AWS S3 Storage Driver on the Dataloop Platform topic.