Trust Relationship Role

AWS integrations are secured through a Trust Relationship that allows the emnify Data Streamer role (arn:aws:iam::884047677700:role/datastreamer) to assume a role in your AWS account. The Trust Relationship can be added to new or already-existing roles.

The following JSON shows an example policy document to add to the role's Trust Relationship.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::884047677700:role/datastreamer"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "sts:ExternalId": [
            "org-1234"
          ]
        }
      }
    }
  ]
}

Note: The sts:ExternalId value must match the emnify organisation number, so for an organisation with a numeric ID of 1234, the value is org-1234, as shown above. The numeric ID of an organisation can be retrieved with a call to /organisation/my.
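The following added example (not emnify's own code) audits a role's trust policy against the document above: only the datastreamer role may assume the role, and the sts:ExternalId condition must be present and equal to org-<your ID>. The function names and the weak sample policy are constructed for illustration.

```python
DATASTREAMER_ARN = "arn:aws:iam::884047677700:role/datastreamer"  # ARN from the page

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_trust_policy(policy, org_id):
    """Return findings for a trust policy dict; an empty list means it passes."""
    expected = f"org-{org_id}"
    findings, trusted = [], False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for arn in arns:
            if arn != DATASTREAMER_ARN:
                findings.append(f"unexpected principal may assume the role: {arn}")
        if DATASTREAMER_ARN not in arns:
            continue
        trusted = True
        # Only StringEquals-style operators count; IAM condition key names are case-insensitive.
        ext_ids = []
        for operator, keys in stmt.get("Condition", {}).items():
            if operator.endswith("StringEquals"):
                for key, val in keys.items():
                    if key.lower() == "sts:externalid":
                        ext_ids += _as_list(val)
        if not ext_ids:
            findings.append("no sts:ExternalId condition on the datastreamer statement")
        elif ext_ids != [expected]:
            findings.append(f"sts:ExternalId is {ext_ids}, expected ['{expected}']")
    if not trusted:
        findings.append("datastreamer role is not trusted by any Allow statement")
    return findings

# Constructed samples: the page's policy, and a weak variant with no ExternalId.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "", "Effect": "Allow",
    "Principal": {"AWS": [DATASTREAMER_ARN]},
    "Action": "sts:AssumeRole",
    "Condition": {"ForAnyValue:StringEquals": {"sts:ExternalId": ["org-1234"]}}}]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": DATASTREAMER_ARN},
    "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("weak", WEAK_POLICY)):
        print(name, audit_trust_policy(doc, 1234) or "OK")
```

To check a deployed role, pass the AssumeRolePolicyDocument returned by `aws iam get-role` (parsed with `json.loads`) as `policy`.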

S3 AWS Configuration

This section covers the steps necessary to create a new role with S3 write access.

  1. In the AWS console, navigate to S3 and create a new bucket.

  2. In IAM -> Policies, click Create Policy to create a policy which allows PutObject permissions to the S3 bucket.

  3. In IAM -> Roles, click Create Role for the S3 use case and click Next: Permissions.

  4. Attach the policy created in step 2 and click Next: Tags, then Create Role.

  5. Edit the newly-created role and click Trust Relationships -> Edit Trust Relationships.

  6. Copy in the policy document JSON listed above, with your organisation ID in place, to allow emnify’s datastreamer role write access.

Kinesis AWS Configuration

This section covers the steps necessary to create a new role with Kinesis write access.

  1. In the AWS console, navigate to Kinesis and create a new stream.

  2. In IAM -> Policies, click Create Policy to create a policy which allows PutRecord and PutRecords write permissions to the Kinesis stream.

  3. In IAM -> Roles, click Create Role for Kinesis Analytics and click Next: Permissions.

  4. Attach the policy created in step 2 and click Next: Tags -> Create Role.

  5. Edit the newly-created role and click Trust Relationships -> Edit Trust Relationships.

  6. Copy in the policy document JSON listed above, with your organisation ID in place, to allow emnify’s datastreamer role write access.