How to Set Up AssumeRole for Secure Access
Overview
Our configuration now supports secure content access from an Amazon S3 bucket using the AWS Security Token Service (STS) AssumeRole operation with an IAM role. The role assumption is further restricted with an ExternalID condition as an additional check.
What is ExternalID?
- An optional identifier used in an IAM role's trust policy.
- Not treated as a secret by AWS.
- Useful in multi-tenant environments, where it gives each AWS account a unique identifier.
- Typically provided by the third party (in this case, us) and distinct for every client.
Why use ExternalID?
Imagine you want a third party, like our Encoding service, to access your AWS S3 resources. Instead of giving it long-term credentials, you provide an IAM role that it assumes to obtain temporary credentials. The ExternalID ensures that only the intended entity can assume this role, even if others know the role ARN.
Role Setup For Clients
IAM Role Setup
Create an IAM role with a trust policy that names our AWS account as the Principal and includes an ExternalID condition. The ExternalID is your Axinom Encoding Tenant Name (Mosaic Tenants are currently not supported): go to My Mosaic / Encoding and you will find your Tenant Name under Configuration.
For EU region
Configure the trust policy as follows, setting the principal of the role's trust policy to this account:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::201119604013:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "your-encoding-tenant-name"
        }
      }
    }
  ]
}
For US region
Configure the trust policy as follows, setting the principal of the role's trust policy to this account:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::358917058612:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "your-encoding-tenant-name"
        }
      }
    }
  ]
}
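The two trust policies differ only in the principal account. The following Python script is an added example, not Axinom's own code: it generates the policy for either region from the tenant name, and it audits an existing trust policy document for the mistakes that would defeat the ExternalID check (a missing or mismatched sts:ExternalId condition, a wildcard or unexpected principal). The account IDs are the ones listed above; the tenant name acme-encoding is a constructed placeholder.

```python
import json

# Encoding service principal per region, as listed in the trust policies above.
ENCODING_ACCOUNTS = {
    "eu": "arn:aws:iam::201119604013:root",
    "us": "arn:aws:iam::358917058612:root",
}


def build_trust_policy(region: str, tenant_name: str) -> dict:
    """Trust policy that lets the encoding account assume the role only when it
    presents the tenant name as sts:ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": ENCODING_ACCOUNTS[region]},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": tenant_name}},
            }
        ],
    }


def _as_list(value) -> list:
    """IAM accepts a single string or a list in most places; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict, expected_tenant: str,
                       allowed_principals=frozenset(ENCODING_ACCOUNTS.values())) -> list:
    """Return one finding per weakness in every Allow statement that grants
    sts:AssumeRole. An empty list means the policy matches the documented setup."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        # Principal: must be exactly the encoding account for the chosen region.
        principal = stmt.get("Principal")
        arns = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for arn in arns:
            if arn == "*":
                findings.append(f"statement {i}: Principal is a wildcard")
            elif arn not in allowed_principals:
                findings.append(f"statement {i}: unexpected principal {arn}")
        # Condition: sts:ExternalId (the key is case-insensitive) must equal the tenant name.
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        ext_ids = [v for key, val in string_equals.items()
                   if key.lower() == "sts:externalid" for v in _as_list(val)]
        if not ext_ids:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ext_ids != [expected_tenant]:
            findings.append(f"statement {i}: sts:ExternalId {ext_ids} does not match {expected_tenant!r}")
    return findings


if __name__ == "__main__":
    tenant = "acme-encoding"  # constructed placeholder for your Tenant Name
    policy = build_trust_policy("eu", tenant)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy, tenant))
    # The same check on a hand-edited document that dropped the condition:
    weak = json.loads(json.dumps(policy))
    del weak["Statement"][0]["Condition"]
    print("findings:", audit_trust_policy(weak, tenant))
```

Run the audit against the JSON you actually attached to the role (for example the output of `aws iam get-role`), not against the document you intended to attach; the finding list is what you want to see empty before submitting the role ARN in a job.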
Permissions
Assign a permissions policy to the IAM role that limits our access to what is needed. Refer to "See permissions for AWS S3".
Use the Role ARN in the job
Submit the IAM role’s ARN in the job request.
Configuration in job request
Provider
- Description: Source of the content storage.
- Value: "AmazonS3"
UriPath
- Description: Complete URI path to the S3 bucket location.
- Example Value: "https://<your-bucket-name>.s3.<your-aws-region>.amazonaws.com/<input-folder-path>/"
RoleArnToAssume
- Description: ARN for the role to assume.
- Example Value: "arn:aws:iam::272758771130:role/example-role-name"
RoleSessionDurationInSeconds
- Description: Duration for which the assumed role credentials are valid.
- Example Value: 900 (15 minutes). Adjust to your needs.
- Note: If this property is omitted, the default is 3600 seconds (1 hour). The session's maximum duration is 1 hour from the API call unless explicitly set longer in the AWS Role trust policy, up to 43200 seconds (12 hours).
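The four properties above are easy to get subtly wrong (a missing trailing slash, a user ARN instead of a role ARN, a duration outside the range STS accepts). The following Python helper is an added example, not Axinom's job-submission code: it builds the S3 source part of a job request and validates each property before anything is sent. The property names are the documented ones; the bucket, region and role ARN are constructed sample values. The 3600 default and 43200 ceiling come from the note above; the 900 floor is AWS's documented minimum for an STS session duration.

```python
import re

# Defaults and limits for RoleSessionDurationInSeconds. 3600 (default) and
# 43200 (ceiling) are from the documentation above; 900 is AWS's documented
# minimum for an STS DurationSeconds value.
DEFAULT_SESSION_SECONDS = 3600
MIN_SESSION_SECONDS = 900
MAX_SESSION_SECONDS = 43200

# UriPath must follow https://<bucket>.s3.<region>.amazonaws.com/<input-folder-path>/
# (virtual-hosted style, HTTPS only, trailing slash required as in the documented example).
URI_PATH_RE = re.compile(
    r"^https://(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r"\.s3\.(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.amazonaws\.com/"
    r"(?P<prefix>[^?#]*/)?$"
)
# RoleArnToAssume must be a role ARN, not a user or root ARN.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(?P<account>\d{12}):role/[\w+=,.@/-]+$")


def parse_uri_path(uri_path: str) -> dict:
    """Split a valid UriPath into bucket, region and folder prefix."""
    m = URI_PATH_RE.match(uri_path)
    if m is None:
        raise ValueError("UriPath must be https://<bucket>.s3.<region>.amazonaws.com/<folder>/")
    return {"bucket": m.group("bucket"), "region": m.group("region"),
            "prefix": m.group("prefix") or ""}


def build_s3_source(uri_path: str, role_arn: str, session_seconds=None) -> dict:
    """Return the S3 source properties of a job request, or raise ValueError
    describing the first property that would be rejected."""
    parse_uri_path(uri_path)  # validates the URI; the parts are not needed here
    if ROLE_ARN_RE.match(role_arn) is None:
        raise ValueError("RoleArnToAssume must be an IAM role ARN (arn:aws:iam::<account>:role/<name>)")
    if session_seconds is None:
        # Same value the service applies when the property is omitted.
        session_seconds = DEFAULT_SESSION_SECONDS
    session_seconds = int(session_seconds)
    if not MIN_SESSION_SECONDS <= session_seconds <= MAX_SESSION_SECONDS:
        raise ValueError(
            f"RoleSessionDurationInSeconds must be between {MIN_SESSION_SECONDS} "
            f"and {MAX_SESSION_SECONDS}, got {session_seconds}")
    return {
        "Provider": "AmazonS3",
        "UriPath": uri_path,
        "RoleArnToAssume": role_arn,
        "RoleSessionDurationInSeconds": session_seconds,
    }


if __name__ == "__main__":
    import json
    # Constructed sample values; replace with your bucket, region and role.
    source = build_s3_source(
        "https://media-in.s3.eu-west-1.amazonaws.com/incoming/",
        "arn:aws:iam::123456789012:role/example-role-name",
        session_seconds=900,
    )
    print(json.dumps(source, indent=2))
```

The helper can only enforce the documented bounds; a value above the maximum session duration configured for the role is still rejected by STS at assume time, so keep the requested duration within what the role allows, and keep it as short as the job realistically needs.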
Final Notes
Remember, the ExternalID isn't a secret; it serves as an extra validation. The STS role assumption request succeeds only when both the role ARN and the correct ExternalID are given. Always adhere to the principle of least privilege when setting permissions.