Generate temporary security credentials using AssumeRole for Amazon S3 staging

You can use temporary security credentials obtained through AssumeRole to access the Amazon S3 staging bucket from the same AWS account or from a different one.
Ensure that you have the sts:AssumeRole permission and that a trust relationship is established between the AWS accounts before you use temporary security credentials. The trust relationship is defined in the trust policy of the IAM role when you create the role. The trust policy adds the IAM user as a trusted entity, which allows that user to obtain the temporary security credentials and access the AWS accounts. For more information about how to establish the trust relationship, see the AWS documentation.
When the trusted IAM user requests temporary security credentials, the AWS Security Token Service (AWS STS) dynamically generates credentials that are valid for a specified period and returns them to the trusted IAM user. The temporary security credentials consist of an access key ID, a secret access key, and a secret token.
To use the dynamically generated temporary security credentials, provide a value for the S3 IAM Role ARN connection property when you create an Amazon Redshift V2 connection. The IAM role ARN uniquely identifies the role as an AWS resource. Then specify the period, in seconds, during which the temporary security credentials can be used in the Temporary Credential Duration advanced source and target property.

External ID

You can specify an external ID for more secure access to the Amazon S3 bucket when the bucket is in a different AWS account than the IAM user or EC2 instance. Application ingestion and database ingestion tasks do not support the use of an external ID.
You can optionally include the external ID in the AssumeRole request to the AWS Security Token Service (STS). The assumed role's trust policy then only permits the request when the external ID in the request matches the one in the policy.
The external ID must be a string. The following sample shows an external ID condition in the assumed IAM role's trust policy:
"Statement": [
  {
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::AWS_Account_ID:user/user_name" },
    "Action": "sts:AssumeRole",
    "Condition": { "StringEquals": { "sts:ExternalId": "dummy_external_id" } }
  }
]

Temporary security credentials policy

To use the temporary security credentials to access the Amazon S3 staging bucket, both the IAM user and IAM role require policies.
The following sections list the policies required for the IAM user and the IAM role.
IAM user
An IAM user must have an sts:AssumeRole policy to use the temporary security credentials in the same or a different AWS account.
The following sample policy allows an IAM user to use the temporary security credentials in an AWS account:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<ACCOUNT-HYPHENS>:role/<ROLE-NAME>"
  }
}
The following sample policy allows an IAM user in the China region (note the aws-cn partition in the ARN) to use the temporary security credentials in an AWS account:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws-cn:iam::<ACCOUNT-HYPHENS>:role/<ROLE-NAME>"
  }
}
IAM role
An IAM role must have an sts:AssumeRole policy and a trust policy attached to it to allow the IAM user to access the Amazon S3 bucket using the temporary security credentials. The permissions policy specifies the Amazon S3 bucket that the IAM user can access and the actions that the IAM user can perform on it. The trust policy specifies which principal from the AWS account is allowed to assume the role and thereby access the Amazon S3 bucket.
The following policy is a sample trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::AWS-account-ID:<ROLE-NAME>" },
      "Action": "sts:AssumeRole"
    }
  ]
}
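To show how the external ID condition and the trust policy above combine, here is an added Python example (not Informatica's or AWS's code) that evaluates a trust policy offline for a given caller ARN and external ID, and builds the AssumeRole request parameters with the Temporary Credential Duration checked against the STS limits. The account ID, user name, role ARN and session name are constructed placeholders.

```python
import json
# Constructed sample: this page's external ID trust policy with made-up ids.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/ingest_user"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "dummy_external_id"}}
  }]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_allows(policy, principal_arn, external_id=None):
    """True if the trust policy lets principal_arn call sts:AssumeRole.
    Models only what this page uses: an AWS principal, the sts:AssumeRole
    action and StringEquals on sts:ExternalId; an unmet condition skips the
    statement and an explicit Deny wins, as in IAM evaluation."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        principals = _as_list(principal if isinstance(principal, str)
                              else principal.get("AWS", []))
        actions = _as_list(stmt.get("Action", []))
        if principal_arn not in principals and "*" not in principals:
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if wanted is not None and external_id not in _as_list(wanted):
            continue  # external ID missing or wrong: statement does not apply
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def assume_role_request(role_arn, session_name, duration_seconds, external_id=None):
    """Build the AssumeRole call parameters; DurationSeconds (the Temporary
    Credential Duration) must lie in the STS range of 900 to 43200 seconds."""
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    request = {"RoleArn": role_arn, "RoleSessionName": session_name,
               "DurationSeconds": duration_seconds}
    if external_id is not None:
        request["ExternalId"] = external_id
    return request
```

The role's own maximum session duration can cap the accepted value below 43200 seconds, so a request that passes this check can still be rejected by STS.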

Temporary security credentials for KMS

To use the temporary security credentials with an AWS Key Management Service (AWS KMS)-managed customer master key and enable encryption with KMS, you must create a KMS policy.
The policy must allow the following operations so that the temporary security credentials can be used with KMS encryption:
  • GenerateDataKey
  • DescribeKey
  • Encrypt
  • Decrypt
  • ReEncrypt
You can use the following sample policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*"
      ],
      "Resource": ["arn:aws:kms:region:account:key/<KMS_key>"]
    }
  ]
}
When you configure KMS and access an Amazon S3 endpoint in the China region, use the following sample policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*"
      ],
      "Resource": ["arn:aws-cn:kms:region:account:key/<KMS_key>"]
    }
  ]
}
