AWS event file configuration tutorial

This article steps you through configuring Amazon Web Services (AWS) for Pismo event file notification delivery. This requires you to create two things in AWS:

  1. Identity and Access Management (IAM) policy

    You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources.

  2. IAM role

    An IAM role is an IAM identity that you can create in your account that has specific permissions.

Prior to doing this, you should have already set up real-time event delivery. You must be able to receive Pismo event notifications in real-time to know when a new event file is available for download.

AWS UI configuration

For this tutorial, you need:

  • An AWS account
  • Your Pismo organization/tenant ID
  • Your AWS S3 bucket name. For example, pismo-dataplatform-<tenant/org ID>.
  • AWS data account ID (from Pismo)

Create IAM policy

  1. Go to the Amazon Web Services website and log in to your AWS account.

  2. Go to the IAM dashboard. (Type IAM in Search and it appears.)

  3. In the navigation menu, under Access Management, select Policies.

Screen capture of Policies section of Access Managment.
  1. Select Create policy in the upper-right.

  2. Select the JSON tab and enter the following:

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": [
            "Resource": [
                "arn:aws:iam::<Pismo AWS account ID>:role/dataplatform-consumer-<tenant/org ID>"

Note: The tenant/org ID you enter here must be lowercase.

  1. Select Next:Tags and Next:Review and give the policy a Name. Then, select Create policy.

Create IAM role

  1. Return to the IAM dashboard and select Roles under Access Management. Then, select Create role.

  2. On the Select trusted entity page that appears, select AWS account and, then, Next.

  3. Select the checkbox of your previously created policy and then, Next.

  4. Give the role a name and select Create role.

  5. Select View role and get the role's arn (Amazon resource name).

    For example, arn:aws:iam::303421646629:role/NewRole

Create service desk ticket

  1. Go to Pismo's service desk.

  2. Select Configuration (English) or Configuracoes (Portuguese)

  3. Fill out subject and description entries similar to this:

    Add configuration to file integration of org to AWS account for <test , prod> environment.

    Add configuration to the integration of org to AWS account in <prod, dev> environment.
    My AWS account is:
    My role arn is: < your IAM role arn>

Pismo creates an S3 bucket to handle file transfers exclusively for your organization.

Pismo also creates an IAM role. Your routine must assume this IAM role before accessing the S3 Bucket to retrieve files. Initially, no resource has permission to execute AssumeRole. Permission for this action can be set after you let Pismo know your IAM role.

Test your AWS integration

Pismo provides a Linux shell script you can use to set up and test AWS for event file delivery.

For this integration you need:

  • A Linux machine

  • The AWS CLI configured with your client IAM role

  • The AWS configuration shell script from Pismo

  • Your AWS S3 bucket name.

    For example, pismo-dataplatform-<tenant/org ID>

  • Pismo's IAM role arn

    For example, arn:aws:iam::<AWS data account ID>:role/dataplatform-consumer-<Tenant/Org ID>)

  • Your client role IAM arn.

Run the shell script at the command line and enter the fields requested when prompted. A successful execution looks like this. Note that sensitive data, such as actual arns and org ID, have been removed.

Screen capture showing a successful shell script.

Listing the S3 object confirms a successful integration.