AWS event file configuration tutorial
This article steps you through configuring Amazon Web Services (AWS) for Pismo event file notification delivery. This requires you to create two things in AWS:
- Identity and Access Management (IAM) policy: You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources.
- IAM role: An IAM role is an IAM identity that you can create in your account that has specific permissions.
Prior to doing this, you should have already set up real-time event delivery. You must be able to receive Pismo event notifications in real time to know when a new event file is available for download.
AWS UI configuration
For this tutorial, you need:
- An AWS account.
- Your Pismo organization ID.
- Your AWS S3 bucket name. For example, pismo-dataplatform-<org_ID>.
- AWS data account ID (from Pismo).
Create IAM policy
- Go to the Amazon Web Services website and log in to your AWS account.
- Go to the IAM dashboard.
- In the navigation menu, under Access Management, select Policies.
[Screen capture of the Policies section of Access Management.]
- Select Create policy in the upper-right.
- Select the JSON tab and enter the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::<Pismo_AWS_account_ID>:role/dataplatform-consumer-<org_ID>"
      ]
    }
  ]
}
The org_ID you enter here must have lowercase letters.
- Select Next:Tags and Next:Review and give the policy a Name. Then, select Create policy.
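As an added example (not Pismo's script and not part of the original tutorial), this shell helper renders the policy above for a single role ARN. The function names `pismo_role_arn` and `render_policy` and the file name `render_policy.sh` are assumptions; it lowercases the org ID and rejects account IDs that are not 12 digits or org IDs containing characters outside the IAM role-name set.

```shell
#!/usr/bin/env bash
# Added example (not Pismo's script): build the tutorial's policy for one role.

# pismo_role_arn ACCOUNT_ID ORG_ID -> prints the Pismo consumer role ARN.
pismo_role_arn() {
  local account_id="$1" org_id
  # The tutorial requires a lowercase org ID, so normalise the input.
  org_id="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"

  # AWS account IDs are exactly 12 digits.
  case "$account_id" in
    ''|*[!0-9]*) echo "account ID must be 12 digits" >&2; return 1 ;;
  esac
  [ "${#account_id}" -eq 12 ] || { echo "account ID must be 12 digits" >&2; return 1; }

  # Allow only characters valid in an IAM role name. This rejects '*' and '/',
  # so the Resource cannot widen to a wildcard or point at another path.
  case "$org_id" in
    ''|*[!a-z0-9+=,.@_-]*) echo "org ID has invalid characters" >&2; return 1 ;;
  esac

  printf 'arn:aws:iam::%s:role/dataplatform-consumer-%s\n' "$account_id" "$org_id"
}

# render_policy ACCOUNT_ID ORG_ID -> prints the JSON to paste into the JSON tab.
render_policy() {
  local arn
  arn="$(pismo_role_arn "$1" "$2")" || return 1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sts:AssumeRole"],
      "Resource": ["$arn"]
    }
  ]
}
EOF
}

# Run as: ./render_policy.sh <Pismo_AWS_account_ID> <org_ID>
if [ "$#" -eq 2 ]; then
  render_policy "$1" "$2"
fi
```

Because the Resource is always one fully qualified role ARN, the resulting policy grants sts:AssumeRole on that role only.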
Create IAM role
- Return to the IAM dashboard and select Roles under Access Management. Then, select Create role.
- On the Select trusted entity page that appears, select AWS account and then Next.
- Select the checkbox of your previously created policy and then Next.
- Give the role a name and select Create role.
- Select View role and get the role's ARN (Amazon Resource Name). For example, arn:aws:iam::303421646629:role/NewRole
Create service desk ticket
- Go to Pismo's service desk.
- Select Configuration (English) or Configuracoes (Portuguese).
- Fill out subject and description entries similar to this:
Subject
Add configuration to file integration of org <your org_ID> to AWS account for <test, prod> environment.
Description
Add configuration to the integration of org to AWS account in <prod, dev> environment.
My AWS account is:
My role arn is: <your_IAM_role_ARN>
Pismo creates an S3 bucket to handle file transfers exclusively for your organization.
Pismo also creates an IAM role. Your routine must assume this IAM role before accessing the S3 bucket to retrieve files. Initially, no resource has permission to execute AssumeRole. Permission for this action can be set after you let Pismo know your IAM role.
Test your AWS integration
For this integration you need:
- Linux computer.
- AWS CLI configured with your client IAM role.
- Your AWS S3 bucket name. For example, pismo-dataplatform-<org_ID>
- Pismo's IAM role ARN. For example: arn:aws:iam::<AWS_data_account ID>:role/dataplatform-consumer-<org_ID>
- Your client role IAM ARN.
- AWS configuration shell script provided below.
Listing the S3 object confirms a successful integration, as shown in the following image.
AWS configuration shell script
Run this script in a terminal and enter the relevant values when prompted. You can copy and paste the following code block: