From 6356d74413a1fe5f6bf74516fc5d4498077ad769 Mon Sep 17 00:00:00 2001
From: Joe Zhou
Date: Wed, 16 Aug 2023 16:49:17 -0700
Subject: [PATCH] AMP-82079 Update S3 import IAM Policy
---
docs/data/sources/amazon-s3.md | 55 ++++++++++++++++++++++++++++++++--
1 file changed, 52 insertions(+), 3 deletions(-)
diff --git a/docs/data/sources/amazon-s3.md b/docs/data/sources/amazon-s3.md
index 35dc57a97..9b4819390 100644
--- a/docs/data/sources/amazon-s3.md
+++ b/docs/data/sources/amazon-s3.md
@@ -98,9 +98,58 @@ Follow these steps to give Amplitude read access to your AWS S3 bucket. 3. Create a new IAM policy, for example, `AmplitudeS3ReadOnlyAccess`. Use the entire example code that follows, but be sure to update **{{}}** in highlighted text. - **{{bucket_name}}**: the s3 bucket name where your data is imported from. - - **{{prefix}}**: the prefix of files that you want to import, for example `/prefix`. For folders, make sure prefix ends with `/`. But for root folder, keep prefix as empty. + - **{{prefix}}**: the optional prefix of files that you want to import, for example `filePrefix`. For folders, make sure prefix ends with `/`, for example `folder/`. For the root folder, keep prefix as empty. - ```json hl_lines="16 30 41" + Example 1: IAM policy without prefix: + ```json hl_lines="16 29 40" + { + "Version":"2012-10-17", + "Statement":[ + { + "Sid":"AllowListingOfDataFolder", + "Action":[ + "s3:ListBucket" + ], + "Effect":"Allow", + "Resource":[ + "arn:aws:s3:::{{bucket_name}}" + ], + "Condition":{ + "StringLike":{ + "s3:prefix":[ + "*" + ] + } + } + }, + { + "Sid":"AllowAllS3ReadActionsInDataFolder", + "Effect":"Allow", + "Action":[ + "s3:GetObject", + "s3:ListObjects" + ], + "Resource":[ + "arn:aws:s3:::{{bucket_name}}/*" + ] + }, + { + "Sid":"AllowUpdateS3EventNotification", + "Effect":"Allow", + "Action":[ + "s3:PutBucketNotification", + "s3:GetBucketNotification" + ], + "Resource":[ + "arn:aws:s3:::{{bucket_name}}" + ] + } + ] + } + ``` + + Example 2: IAM policy with a prefix. For a folder, make sure the prefix ends with `/`, for example `folder/`: + ```json hl_lines="16 29 40" { "Version":"2012-10-17", "Statement":[ @@ -129,7 +178,7 @@ Follow these steps to give Amplitude read access to your AWS S3 bucket. "s3:ListObjects" ], "Resource":[ - "arn:aws:s3:::{{bucket_name}}{{prefix}}*" + "arn:aws:s3:::{{bucket_name}}/{{prefix}}*" ] }, {
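Review bot: `"s3:ListObjects"` in the `AllowAllS3ReadActionsInDataFolder` statement of the new Example 1 is not an IAM action that S3 defines; object listing is authorized by `s3:ListBucket` on the bucket ARN, which the first statement already grants. The entry can be dropped so the statement reads `"Action":["s3:GetObject"]`, and the same line appears as context in the second hunk, so Example 2, whose body continues outside this hunk, carries it too. By my count `hl_lines="16 29 40"` in Example 1 highlights the `"*"` on line 16, which has no placeholder, and skips line 11, the `arn:aws:s3:::{{bucket_name}}` resource of the ListBucket statement; since step 3 tells readers to update `{{}}` in the highlighted text, `hl_lines="11 29 40"` would fit Example 1 better. The policy is introduced as `AmplitudeS3ReadOnlyAccess`, yet the third statement grants `s3:PutBucketNotification`, which lets the role replace the bucket's notification configuration, so a sentence saying that this write permission is included and why would help whoever approves the policy on the customer side.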
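Review bot: The template now supplies the `/` between bucket and prefix, so a value carried over from the old guidance (`/prefix`, per the bullet removed in the first hunk) would render as `arn:aws:s3:::{{bucket_name}}//prefix*`, which presumably no longer matches the intended keys. The `{{prefix}}` bullet could say this directly, for example `Don't start the prefix with /.` The `s3:prefix` condition of Example 2 lies outside both hunks; it is worth confirming that it uses the same slash-less form, otherwise listing and reading would be scoped to different key ranges. The statement this line belongs to starts and ends outside the hunk.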