AWS S3 bucket data storage
Overview
ConductorOne automatically syncs with the connected S3 bucket every hour, so data updated in the S3 bucket is reflected in the ConductorOne application.
Availability
✅ General availability. The AWS S3 data source integration is available to all ConductorOne users.
Requirements
When connecting to your AWS environment, you will need:
- Super Administrator role in ConductorOne
- Ability to create an IAM Role in AWS
- ConductorOne uses an IAM Trust relationship between your AWS Account and ConductorOne’s Service AWS Account.
- This is the AWS-recommended method of sharing access to AWS Accounts. ConductorOne has a specially created and isolated AWS Account dedicated to the AWS integration.
- For advanced configurations, the only trusted entity should be the following ARN:
arn:aws:iam::765656841499:role/ConductorOneS3DatasourceService
Integrate your AWS account
Step 1: Get a ConductorOne-provided External ID for the AWS IAM Role
Do not close the ConductorOne window during the integration process. If you close the window, a new External ID is generated. This is a known issue and will be fixed.
- Log into ConductorOne.
- Click Integrations, and click S3 in the Data Sources section of the page.
- Copy and save the External ID generated for you by ConductorOne. You’ll use this value in Step 2.
Step 2: Create an AWS IAM Role for ConductorOne
- In a new browser tab, navigate to AWS and sign into your AWS account.
- Navigate to the Identity and Access Management (IAM) dashboard.
- Click Roles > Create Role.
- Select Custom Trust Policy and paste the following code into the Trust Policy JSON editor, replacing <EXTERNAL ID FROM C1> with the value you saved in Step 1.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::765656841499:role/ConductorOneS3DatasourceService"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<EXTERNAL ID FROM C1>"
            }
          }
        }
      ]
    }

- Click Next.
- Do not make any changes on the Add permissions page. Click Next.
- On the Name, review, and create page, in the Role Name field, enter ConductorOneIntegration.
- Optional. Add any tags relevant to your organization.
- Click Create role.
- Back on the Roles page, click on the newly created ConductorOneIntegration role to view the role’s details.
- Under Permissions Policies, click Add Permissions and select Create Inline Policy.
- Click the JSON Editor tab and paste in the following code:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectAttributes",
            "s3:GetBucketLocation",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::<BUCKET NAME>",
            "arn:aws:s3:::<BUCKET NAME>/*"
          ]
        }
      ]
    }

- Click Review Policy.
- In the Name field, enter ConductorOnePermissions.
- Click Create policy.
- Copy and save the Role ARN for the newly created policy. The Role ARN is formed as arn:aws:iam::<UNIQUE STRING>:role/ConductorOneIntegration. You’ll use this value in Step 3.
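
To check that the role ended up as Step 2 describes, the following added example (not ConductorOne's code) audits the two policy documents offline: the trust policy must name only the ConductorOne ARN and require the External ID, and the inline policy must grant only the four read actions on the one bucket. The function names, the sample External ID and the sample policy are assumptions constructed for the example.

```python
# The only principal this page says the role should trust.
C1_PRINCIPAL = "arn:aws:iam::765656841499:role/ConductorOneS3DatasourceService"
# Read-only actions granted by the inline policy in Step 2 (matched exactly,
# so wildcards such as "s3:*" are reported as extra).
ALLOWED_ACTIONS = {"s3:GetObject", "s3:GetObjectAttributes",
                   "s3:GetBucketLocation", "s3:ListBucket"}

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _allow_statements(doc):
    """Yield (index, statement) for every Allow statement in a policy document."""
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") == "Allow":
            yield i, st

def audit_trust_policy(doc, external_id):
    """Findings for the role trust policy; an empty list means it matches Step 2."""
    findings = []
    for i, st in _allow_statements(doc):
        principal = st.get("Principal")
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if arns != [C1_PRINCIPAL]:
            findings.append(f"statement {i}: unexpected principal {arns}")
        if _as_list(st.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: action is not exactly sts:AssumeRole")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if _as_list(ext) != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId missing or mismatched")
    return findings

def audit_permissions(doc, bucket):
    """Findings for the inline policy: only the documented actions on one bucket."""
    findings = []
    scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for i, st in _allow_statements(doc):
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: NotAction/NotResource widens the grant")
        extra = set(_as_list(st.get("Action", []))) - ALLOWED_ACTIONS
        if extra:
            findings.append(f"statement {i}: extra actions {sorted(extra)}")
        outside = set(_as_list(st.get("Resource", []))) - scope
        if outside:
            findings.append(f"statement {i}: resources outside bucket {sorted(outside)}")
    return findings

# Constructed sample: a trust policy whose ExternalId condition was removed.
SAMPLE_NO_EXTERNAL_ID = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                        "Principal": {"AWS": C1_PRINCIPAL}}]}
print(audit_trust_policy(SAMPLE_NO_EXTERNAL_ID, "constructed-external-id"))
```

The documents to audit can be exported with `aws iam get-role` and `aws iam get-role-policy` and loaded with `json.load`.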
Step 3: Connect an S3 Data Source to ConductorOne
- Return to the ConductorOne Integrations page and (if necessary) click S3 to reopen the data source settings.
- Paste the Role ARN you generated in Step 2 into the Role ARN field.
- Enter the name of the S3 bucket that contains the files you want to use in ConductorOne.
- Click Next.
Step 4: Connect the Data Source to an Application
- Navigate to a ConductorOne application.
- Click the Imports tab. Click Import App Data and select From Data Source.
- Click Choose a datasource and select the name of your S3 bucket.
- In the File Name field, enter the name of the file you want to import to the application.
- Click Import.