Skip to content

Prerequisites for AWS S3

Before proceeding with the AWS S3 setup, ensure that the following prerequisites are met:

Two IAM roles are required to allow access to S3:

  • DataServer Pod IAM Role – Assumed by the DataServer pods using IRSA/OIDC.
  • DataAccess IAM Role – Contains the required S3 permissions.

The DataServer Pod IAM Role must be granted permission to assume the DataAccess IAM Role, ensuring that the pod identity remains separate from the permissions used for data access.

Follow the steps below to create the required IAM Roles:

  1. Create DataServer Pod IAM Role:

    • It is an identity-federated role assumed by pods via IRSA/OIDC — its only permission is to assume another role that gives actual data access, keeping pod identity separate from data access.
    • Create a new IAM role with the following trust relationship. Replace <IDENTITY_PROVIDER_ARN> with the ARN of the identity provider:
      DataServer Pod IAM Role Trust Relationship
       1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
      {
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Principal": {
              "Federated": "<IDENTITY_PROVIDER_ARN>"
          },
          "Action": "sts:AssumeRoleWithWebIdentity"
      }
  ]
}

  2. Create DataAccess IAM Role:

    • This role holds the actual S3 permissions. This role is assumed by the DataServer Pod IAM Role to access the S3 buckets.
    • Create a new IAM role with the following trust relationship.
      DataAccess IAM Role Trust Relationship
       1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
      {
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Principal": {
      "AWS":"<DATASERVER_POD_IAM_ROLE_ARN>"
      },
    "Action": "sts:AssumeRole"
  }
 ]
}

  3. Create DataAccess IAM Role Policy to Allow Access to S3:

    • Create a new IAM role policy with the following permissions:
      DataAccess IAM Role Policy
       1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
      {
  "Version":"2012-10-17",
  "Statement":[
  {
    "Sid":"DataServerS3Limited",
    "Effect":"Allow",
    "Action":[
      "s3:PutObject",
      "s3:GetObjectAcl",
      "s3:GetObject",
      "s3:ListBucket",
      "s3:DeleteObject",
      "s3:ListBucketMultipartUploads",
      "s3:GetBucketAcl",
      "s3:GetBucketPolicy",
      "s3:ListMultipartUploadParts",
      "s3:AbortMultipartUpload",
      "s3:GetBucketLocation",
      "s3:PutObjectAcl"
    ],
  "Resource":[
    "<RESOURCE_ARN>"
  ]
  },
  {
    "Sid":"DataServerS3ListBucketAccess",
    "Effect":"Allow",
    "Action":[
      "s3:ListAllMyBuckets"
    ],
    "Resource":"*"
  }
]
}
    • Attach the IAM role policy to the above created DataAccess IAM role.

  4. Create DataServer Pod IAM Role Policy:

    • Define a Policy for the DataServer Pod IAM Role, that allows it to assume the DataAccess IAM Role to access the data.
      DataServer Pod IAM Role Policy
       1
 2
 3
 4
 5
 6
 7
 8
 9
10
      {
 "Statement": [
     {
         "Action": "sts:AssumeRole",
         "Effect": "Allow",
         "Resource": "<DATAACCESS_IAM_ROLE_ARN>"
     }
 ],
 "Version": "2012-10-17"
}

An IAM role with the required policies must be created to allow access to S3 as described below. The IAM role should also have a trust relationship with the Privacera DataServer Pod IAM role, allowing it to assume the Data Access Role.

Follow the steps below to create the required IAM Role:

  1. Create DataAccess IAM Role:

    • It enables the DataServer to access the required data.
    • Create a new IAM Role with the following trust relationship.
      DataAccess Pod IAM Role Trust Relationship
       1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
      {
    "Version": "2012-10-17",
    "Statement": [
    {
        "Effect": "Allow",
        "Principal": {
        "AWS": [
            "arn:aws:iam::870790086151:role/PCLOUD_DATA_ACCESS_ROLE"
        ]
    },
    "Action": "sts:AssumeRole"
      }
    ]
}

  2. Create a Policy to allow S3 Access:

    • Create a Policy for the Role that allows access to the required data.
      DataAccess IAM Role Policy
       1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
      {
    "Version":"2012-10-17",
    "Statement":[
    {
        "Sid":"DataServerS3Limited",
        "Effect":"Allow",
        "Action":[
            "s3:PutObject",
            "s3:GetObjectAcl",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:DeleteObject",
            "s3:ListBucketMultipartUploads",
            "s3:GetBucketAcl",
            "s3:GetBucketPolicy",
            "s3:ListMultipartUploadParts",
            "s3:AbortMultipartUpload",
            "s3:GetBucketLocation",
            "s3:PutObjectAcl"
        ],
    "Resource":[
        "<RESOURCE_ARN>"
      ]
    },
    {
        "Sid":"DataServerS3ListBucketAccess",
        "Effect":"Allow",
        "Action":[
        "s3:ListAllMyBuckets"
        ],
    "Resource":"*"
    }
  ]
}

  3. Attach the IAM policy created earlier to the DataAccess IAM Role.