Configuring S3 Assume Role Authentication
Tamr Cloud supports authenticating to S3 using AWS IAM role assumption. With this method, Tamr obtains short-lived credentials via sts:AssumeRole on each use; no long-lived access keys are stored.
Step 1: Configure S3 IAM Policies
See Configuring S3 IAM Policies
Step 2: Create an IAM Role in Your AWS Account
In your AWS account, create an IAM role with a trust policy that allows Tamr's service principal to assume it.
Use the trust principal for the AWS region in which your Tamr Cloud environment is deployed:
| Region | Tamr Service Principal |
|---|---|
us-east-1 | arn:aws:iam::013081881335:role/token-vendor-us-east-1-role |
eu-central-1 | arn:aws:iam::013081881335:role/token-vendor-eu-central-1-role |
eu-west-2 | arn:aws:iam::013081881335:role/token-vendor-eu-west-2-role |
ap-southeast-1 | arn:aws:iam::013081881335:role/token-vendor-ap-southeast-1-role |
Example trust policy for us-east-1:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::013081881335:role/token-vendor-us-east-1-role"
},
"Action": "sts:AssumeRole"
}
]
}
Step 3: Attach S3 IAM Policy to the Role
Attach the S3 IAM policy or policies you configured in step 1 to this role.
Step 4: Configure the Connection
Add the connection (see Managing Connections), selecting Assume Role authentication and supplying the Role ARN.
Updated about 15 hours ago