From 028d226d87661a71c4535f9eaaee6e442529d1db Mon Sep 17 00:00:00 2001
From: Kevin Moore
Date: Tue, 3 Oct 2023 14:09:19 -0700
Subject: [PATCH 1/6] Update CrossAccount.md Add instructions to enable subscribing to existing object notifications (SNS topic) from a Quilt stack in another account.
---
 docs/CrossAccount.md | 54 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
diff --git a/docs/CrossAccount.md b/docs/CrossAccount.md
index 33f89dec95f..889f4678700 100644
--- a/docs/CrossAccount.md
+++ b/docs/CrossAccount.md
@@ -55,6 +55,60 @@ following to buckets in your *DataAccount*. ] } ``` +## Notifications + +To add a cross-account bucket to Quilt that already has object notifications enabled, add the following statement to the SNS topic access policy. + +```json +{ + "Sid": "AWSConfigSNSPolicy", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::CONTROL-ACCOUNT:root" + }, + "Action": [ + "sns:GetTopicAttributes", + "sns:Subscribe" + ], + "Resource": "SNS_TOPIC_ARN" +} +``` + +The complete access policy will then look like this example: +``` +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowBucketToPushNotificationEffect", + "Effect": "Allow", + "Principal": { + "Service": "s3.amazonaws.com" + }, + "Action": "sns:Publish", + "Resource": "*", + "Condition": { + "ArnLike": { + "aws:SourceArn": "arn:aws:s3:*:*:bucket-in-data-account" + } + } + }, + { + "Sid": "AWSConfigSNSPolicy", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::CONTROL_ACCOUNT:root" + }, + "Action": + "sns:GetTopicAttributes", + "sns:Subscribe" + ], + "Resource": SNS_TOPIC_ARN + } + ] +} +``` +Once the access policy has been updated, add the bucket in your Quilt stack. Specify the SNS Topic ARN in the "Indexing and Metadata" parameters. ## CloudTrail
From 197ffcfa34ae12086c1c54b8df19844da0573e76 Mon Sep 17 00:00:00 2001
From: Kevin Moore
Date: Sun, 24 Dec 2023 07:11:07 -0800
Subject: [PATCH 2/6] Update docs/CrossAccount.md
Co-authored-by: Aneesh Karve
---
 docs/CrossAccount.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/docs/CrossAccount.md b/docs/CrossAccount.md
index 889f4678700..2415823b7ef 100644
--- a/docs/CrossAccount.md
+++ b/docs/CrossAccount.md
@@ -57,7 +57,10 @@ following to buckets in your *DataAccount*. ``` ## Notifications -To add a cross-account bucket to Quilt that already has object notifications enabled, add the following statement to the SNS topic access policy. +In order for *ControlAccount* to use an existing and +[correctly configured SNS topic](EventBridge.md#the-workarounds) +for a single bucket in *DataAccount*, add a statement similar to the following +to the topic resource policy: ```json {
From 5c2c75d1c89f74d1bccb9181de4de61667544514 Mon Sep 17 00:00:00 2001
From: Kevin Moore
Date: Sun, 24 Dec 2023 07:12:09 -0800
Subject: [PATCH 3/6] Update docs/CrossAccount.md
Co-authored-by: Aneesh Karve
---
 docs/CrossAccount.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/CrossAccount.md b/docs/CrossAccount.md
index 2415823b7ef..09fd19729b0 100644
--- a/docs/CrossAccount.md
+++ b/docs/CrossAccount.md
@@ -111,7 +111,9 @@ The complete access policy will then look like this example: ] } ``` -Once the access policy has been updated, add the bucket in your Quilt stack. Specify the SNS Topic ARN in the "Indexing and Metadata" parameters. + +You can now set the SNS topic in the [Catalog Admin Panel](catalog/Admin.md) in bucket +properties under "Indexing and notifications". ## CloudTrail
From dd49b0a2a38e88728d685324cabc40cc4c896f65 Mon Sep 17 00:00:00 2001
From: Kevin Moore
Date: Sun, 24 Dec 2023 07:26:55 -0800
Subject: [PATCH 4/6] Update docs/CrossAccount.md
Co-authored-by: Aneesh Karve
---
 docs/CrossAccount.md | 34 ----------------------------------
 1 file changed, 34 deletions(-)
diff --git a/docs/CrossAccount.md b/docs/CrossAccount.md
index 09fd19729b0..c1412287c86 100644
--- a/docs/CrossAccount.md
+++ b/docs/CrossAccount.md
@@ -77,40 +77,6 @@ to the topic resource policy: } ``` -The complete access policy will then look like this example: -``` -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowBucketToPushNotificationEffect", - "Effect": "Allow", - "Principal": { - "Service": "s3.amazonaws.com" - }, - "Action": "sns:Publish", - "Resource": "*", - "Condition": { - "ArnLike": { - "aws:SourceArn": "arn:aws:s3:*:*:bucket-in-data-account" - } - } - }, - { - "Sid": "AWSConfigSNSPolicy", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::CONTROL_ACCOUNT:root" - }, - "Action": - "sns:GetTopicAttributes", - "sns:Subscribe" - ], - "Resource": SNS_TOPIC_ARN - } - ] -} -``` You can now set the SNS topic in the [Catalog Admin Panel](catalog/Admin.md) in bucket properties under "Indexing and notifications".
From 4bf3d602f1481bd8074748ee0a24eef0080d6d0a Mon Sep 17 00:00:00 2001
From: Sergey Fedoseev
Date: Wed, 11 Dec 2024 23:28:47 +0400
Subject: [PATCH 5/6] Apply suggestions from code review
---
 docs/CrossAccount.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/docs/CrossAccount.md b/docs/CrossAccount.md
index dd88f02e26a..7f93bba5fe0 100644
--- a/docs/CrossAccount.md
+++ b/docs/CrossAccount.md
@@ -57,6 +57,7 @@ following to buckets in your *DataAccount*. ] } ``` + ## Notifications In order for *ControlAccount* to use an existing and
@@ -78,8 +79,6 @@ to the topic resource policy: "Resource": "SNS_TOPIC_ARN" } ``` - - You can now set the SNS topic in the [Catalog Admin Panel](catalog/Admin.md) in bucket properties under "Indexing and notifications".
From a2ea1373c54bbddf3e791f4e48f8537e0e713467 Mon Sep 17 00:00:00 2001
From: Sergey Fedoseev
Date: Wed, 11 Dec 2024 23:29:24 +0400
Subject: [PATCH 6/6] Update docs/CrossAccount.md
---
 docs/CrossAccount.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docs/CrossAccount.md b/docs/CrossAccount.md
index 7f93bba5fe0..a811718d83b 100644
--- a/docs/CrossAccount.md
+++ b/docs/CrossAccount.md
@@ -79,6 +79,7 @@ to the topic resource policy: "Resource": "SNS_TOPIC_ARN" } ``` + You can now set the SNS topic in the [Catalog Admin Panel](catalog/Admin.md) in bucket properties under "Indexing and notifications".