Creating and Sharing an AWS S3 Bucket

Data

Creating and Sharing an AWS S3 Bucket

//
April 22, 2020

I had a situation with a client where they had a new AWS account and wanted to create an online storage folder area where a third party could upload JSON files, that could then later be ingested into Snowflake. They had no experience with AWS, so I walked them through setting up an S3 bucket on their account, and a new user account for their third party that could access the bucket.

Order Matters in AWS

AWS is very flexible but also pretty complicated, and you need to set up the pieces in the right order. The order I’ll be describing in this post is one I’ve found that works. This is more of a high-level overview of the overall process, but you can find more detailed step-by-step instructions in AWS’ documentation.

At a very high level, the overall sequence is:

  1. Create bucket
  2. Create a policy to access the bucket
  3. Create a group and assign the policy to the group
  4. Create a user and make the user a member of the group

Let’s look at the process in a bit more detail.

Create the Bucket

Make sure the client has an AWS account and is able to log in to it. Log into AWS Management Console using the client’s high level account, and use the S3 service to create a new bucket. The bucket name has to be unique across all AWS S3 instances:

Pick a Region for the bucket. Normally, this would be the same region as your Snowflake instance. Leave Block all public access on:

Select the bucket and click Copy ARN then paste to Notepad (The ARN is the Amazon Resource Name. It’s the full formal name for the bucket):

In this example, the ARN for interworks.unique.bucket.name is arn:aws:s3:::interworks.unique.bucket.name.

Create IAM Objects

Go back to the top level, and select the IAM service (Identity and Access Management) to configure policies, groups and users:

Use the menu on the left to select Policies:

Select the S3 service, and add all S3 actions to the policy. In the Resources section, click bucket to specify the bucket ARN:

Add the bucket’s ARN that you previously noted:
Click Review policy then name the policy and create it:

Create Group and User

From the IAM menu, select Groups and create a new group, and attach the policy to the group.

A user can be added with or without AWS console access. Enabling console access will allow the third-party user to log into the console and see some limited information about the account. In my view, console access should be enabled unless there is a clear reason not to:

When creating the user, make sure to add them to the group you created above:

Once the user is created, you get a confirmation screen:

At this point, you can download the .csv file, which contains credentials, and share it with the user. The process is complete!

More About the Author

Mike Oldroyd

Data Architect
LinkedIn
Diagnosing Issues in Matillion ETL Using Component Level Logging Sometimes when you’re developing a data pipeline in Matillion ETL, you may find that a component that you’re working on just isn’t ...
Domain Ownership: Data Products within Business Functions A few years ago, the dominant architecture for data and analytics was based around an enterprise data warehouse (EDW). The intention ...

See more from this author →

InterWorks uses cookies to allow us to better understand how the site is used. By continuing to use this site, you consent to this policy. Review Policy OK

×

Interworks GmbH
Ratinger Straße 9
40213 Düsseldorf
Germany
Geschäftsführer: Mel Stephenson

Kontaktaufnahme: markus@interworks.eu
Telefon: +49 (0)211 5408 5301

Amtsgericht Düsseldorf HRB 79752
UstldNr: DE 313 353 072

×

Love our blog? You should see our emails. Sign up for our newsletter!