ConductorOne Docs

Import data from an AWS S3 bucket

Use the data currently housed in your AWS S3 buckets in ConductorOne. These data storage locations can be added to applications and support those apps with lists of users and entitlements.

ConductorOne automatically syncs with the connected S3 bucket every hour, so data updated in the S3 bucket is reflected in the ConductorOne application.

Availability

✅ General availability. The AWS S3 data source integration is available to all ConductorOne users.

Requirements

When connecting to your AWS environment, you will need:

Super Administrator role in ConductorOne
Ability to create an IAM Role in AWS
- ConductorOne uses an IAM Trust relationship between your AWS Account and ConductorOne’s Service AWS Account.
- This is the AWS-recommended method of sharing access to AWS Accounts. ConductorOne has a specially created and isolated AWS Account dedicated to the AWS integration.
- For advanced configurations, the only trusted entity should be the following ARN: arn:aws:iam::765656841499:role/ConductorOneS3DatasourceService

Integrate your AWS account

Step 1: Get a ConductorOne-provided External ID for the AWS IAM Role

Log into ConductorOne.
In the navigation panel, open Admin and click Integrations.
Click S3 in the Data Sources section of the page.
Copy and save the External ID generated for you by ConductorOne. You’ll use this value in Step 2.

Step 2: Create an AWS IAM Role for ConductorOne

In a new browser tab, navigate to AWS and sign into your AWS account.
Navigate to the Identity and Access Management (IAM) dashboard.
Click Roles > Create Role.

Select Custom Trust Policy and paste the following code into the Trust Policy JSON editor, replacing <EXTERNAL ID FROM C1> with the value you saved in Step 1.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::765656841499:role/ConductorOneS3DatasourceService"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<EXTERNAL ID FROM C1>"
        }
      }
    }
  ]
}

Click Next.
Do not make any changes on the Add permissions page. Click Next.
On the Name, review, and create page, in the Role Name field, enter ConductorOneIntegration.
Optional. Add any tags relevant to your organization.
Click Create role.
Back on the Roles page, click on the newly created ConductorOneIntegration role to view the role’s details.
Under Permissions Policies, click Add Permissions and select Create Inline Policy.

Click the JSON Editor tab and paste in the following code:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAttributes",
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<BUCKET NAME>",
        "arn:aws:s3:::<BUCKET NAME>/*"
      ]
    }
  ]
}

Click Review Policy.
In the Name field, enter ConductorOnePermissions.
Click Create policy.
Copy and save the Role ARN for the newly created policy. The Role ARN is formed as arn:aws:iam::<UNIQUE STRING>:role/ConductorOneIntegration. You’ll use this value in Step 3.
Detail view of othe ConductorOneIntegration role, with the Role ARN copy function shown displaying "ARN Copied."

Step 3: Connect an S3 Data Source to ConductorOne

Return to the ConductorOne Integrations page and (if necessary) click S3 to reopen the data source settings.
Paste the Role ARN you generated in Step 2 into the Role ARN field.
Enter the name of the S3 bucket that contains the files you want to use in ConductorOne in the S3 bucket field.
Click Next.

Step 4: Connect the data source to an application

Navigate to a ConductorOne application.
Click the Data sources tab. Click Import app data and select From data source.
Click Choose a data source and select the name of your S3 bucket.
In the File name field, enter the name of the file you want to import to the application.
Click Import.