Role-Based AWS Credentials

This guide shows you how to configure IAM roles to manage your credentials at Upsolver.

Upsolver connections store access credentials such as IAM roles, access and secret keys, and connection strings. Connection objects are managed by administrators and referenced by users when creating data processing jobs. Connections are a simple and secure way to authenticate access to resources without the need to pass around sensitive credentials.

The bird's-eye view of the authentication scheme is using IAM roles, linked to your intended policy, with a trust relationship that contains an external id. Then, using that role and external id you can create Upsolver connections. If you would like to expand on IAM roles, you can find the AWS documentation here.

The steps to manage credentials in Upsolver using AWS roles are:

Create an IAM policy with required permissions
Create an IAM role

1. Create an IAM policy with required permissions

The connection you create in Upsolver allows you to manage the credentials needed to list, read, write, and delete objects. It is up to you to determine which specific permissions you need when developing your Upsolver jobs.

The following instructions describe how to create an IAM policy and add the necessary permissions to allow Upsolver to access your data.

Log into the AWS Management Console.
On the dashboard, search for IAM and select Identity & Access Management (IAM):

Choose Account Settings from the menu on the left-hand side.
Expand the Security Token Service Regions list, find the AWS region corresponding to the region where your account resides, and choose Activate if it is Inactive.
Choose Policies from the menu on the left-hand side, and click Create Policy.
Click the JSON tab:

Add the policy statement that allows Upsolver to access your data. You can find an Amazon S3 example here.
Click Review Policy.
Enter the name and description of the policy and click Create Policy.

2. Create an IAM role

In the AWS IAM Console, create an IAM role that grants access to the data.

From the IAM Console, select Roles from the menu on the left-hand side.
Click Create Role.
Select Custom trust policy as the Trusted Identity Type.
From Upsolver's Security Information page, you can copy the trusted entity that Upsolver assigned to your organization and paste it here:

Here is a trusted entity example:

{
	"Version": "2012-10-17",
	"Statement": [
    	{
        	"Effect": "Allow",
        	"Principal": {
            	"AWS": "arn:aws:iam::428641199958:role/upsolver-role-355e3b5f-960d-406b-afa7-12f4fd8327eb"
        	},
        	"Action": "sts:AssumeRole",
        	"Condition": {
            	"StringEquals": {
                	"sts:ExternalId": "GTWKRE6K"
            	}
        	}
    	}
	]
}

You have now updated the IAM role trust policy to allow a specific Upsolver role to assume and use these permissions to access data in your AWS account.

Note: The IAM role configured in the trust policy is auto-generated and attached to your Upsolver organization. Only your organization is allowed to assume your role and access data in your AWS account.

Click Next.
Locate the policy you created in Step 1 and add it to the role.
Click Next.
Enter the name and description of the role and click Create role.

You’ve now created an IAM role that allows Upsolver to access your data.

Note down the Role ARN by selecting your role from the role summary page.

Now you are able to create an Upsolver connection using the role you created in Step 2 and the external id generated by Upsolver in the trusted entity JSON.

For example, creating an Amazon S3 connection:

Last updated 5 months ago