AWS Cross Account Integration

Important

An organization can create up to 15 Cross Account integrations.
If you would like to increase the number of Cross Account integrations for your organization, please contact our Customer Support team.

Create an S3 Bucket

  1. Log in to the AWS Management Console
  2. Go to the S3 service
  3. Click on the "Create bucket" button
  4. Provide a unique bucket name related to Dataloop
  5. Make sure public access is blocked for this bucket: select "Block all public access"
  6. For all other optional settings use default values
  7. Click on the "Create bucket" button

For a step-by-step guide on creating an S3 bucket in AWS, read the AWS documentation.

Create an IAM Policy

  1. Go to the IAM service
  2. Click on “Policies” in the left navigation panel
  3. Click on the "Create policy" button
  4. Select the JSON tab
  5. Define the policy document in JSON format, for example:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<DataLoopBucketName>",
                "arn:aws:s3:::<DataLoopBucketName>/*"
            ]
        }
    ]
}

Note:
Replace <DataLoopBucketName> with the name of the desired S3 bucket.

  6. Click the Next button to review the policy
  7. Provide a meaningful name for the policy and an optional description
  8. Click the “Create policy” button to finish

Note:
a. The “s3:DeleteObject” action allows the Dataloop platform to delete dataset items - please see downstream
b. The resource arn:aws:s3:::<DataLoopBucketName> (the bucket itself) is required for the ListBucket action; the object actions apply to arn:aws:s3:::<DataLoopBucketName>/*

For a step-by-step guide on creating an IAM policy in AWS, read AWS documentation.

Start the AWS Cross Account Integration on Dataloop platform

  1. On the Dataloop platform navigate to the left-side panel and choose integrations
  2. Click on the “Create New Integration” button
  3. Enter a meaningful name for the integration
  4. Under Type, choose “Cross Account”
  5. Click on the “Get IAM user”
    Note: If you have already created one, you can choose from the list of created IAM users that have not been assigned to an integration
  6. Copy the IAM user ARN
  7. Open a new tab and go to your AWS console

Grant Dataloop IAM user access to an IAM role

  1. Go to the IAM service
  2. Click on “Roles” in the left navigation panel
  3. Click on the "Create role" button
  4. Under "Select trusted entity" choose "Custom trust policy"
  5. Define the trust policy document in JSON format, for example:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Dataloop_Account_Id>:user/<Dataloop_IAM_User>"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
  6. Replace the AWS principal with the IAM user ARN you copied from the Dataloop platform
  7. Click Next
  8. Under Add permissions choose the IAM policy you created earlier
  9. Click Next
  10. Choose a name for the role
  11. (Optional) Add a description
  12. Click the “Create role” button to finish

Note: You can also create an IAM role in advance and edit its trust relationship.
For a step-by-step guide on editing an IAM role trust relationship in AWS, read the AWS documentation.
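
An offline check of the two policy documents on this page, added here as an example (not Dataloop's or AWS's own code): it flags a trust policy whose principal is anything other than the one expected IAM user ARN, and a permissions policy that goes beyond the four documented actions or the single bucket. The account ID, user name, bucket name and function names are constructed for illustration.

```python
import re

# Constructed sample values; the account ID, user name and bucket are placeholders.
USER_ARN = "arn:aws:iam::111122223333:user/example-dataloop-user"
BUCKET = "example-dataloop-bucket"
S3_ACTIONS = {"s3:ListBucket", "s3:PutObject", "s3:DeleteObject", "s3:GetObject"}
USER_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@/-]+$")

def as_list(value):
    # IAM accepts either a string or a list in Action, Resource and Principal.
    return value if isinstance(value, list) else [value]

def allow_statements(policy):
    return [s for s in as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def check_trust_policy(policy, expected_user_arn):
    """Findings for the role trust policy; an empty list means it matches the page."""
    findings = []
    for stmt in allow_statements(policy):
        principal = stmt.get("Principal", {})
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for arn in arns:
            if not USER_ARN_RE.match(arn):  # "*", account root, or an unreplaced <placeholder>
                findings.append(f"principal is not a single IAM user ARN: {arn}")
            elif arn != expected_user_arn:
                findings.append(f"unexpected IAM user: {arn}")
        if not arns or as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append("statement must name an AWS principal and allow only sts:AssumeRole")
    return findings

def check_permissions_policy(policy, bucket):
    """Findings for the S3 policy: documented actions only, this bucket only."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for stmt in allow_statements(policy):
        findings += [f"action beyond the documented set: {a}"
                     for a in as_list(stmt.get("Action", [])) if a not in S3_ACTIONS]
        findings += [f"resource outside the bucket: {r}"
                     for r in as_list(stmt.get("Resource", [])) if r not in allowed]
    return findings

# Constructed inputs: the page's trust template left unedited, and an over-broad S3 policy.
TRUST_TEMPLATE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {
    "AWS": "arn:aws:iam::<Dataloop_Account_Id>:user/<Dataloop_IAM_User>"}, "Action": "sts:AssumeRole"}]}
S3_WIDE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:GetObject", "s3:*"], "Resource": "arn:aws:s3:::*"}]}
if __name__ == "__main__":
    print(check_trust_policy(TRUST_TEMPLATE, USER_ARN))
    print(check_permissions_policy(S3_WIDE, BUCKET))
```

To check real documents, load each saved policy file with `json.load()` and pass the resulting dict, together with the IAM user ARN copied from Dataloop and your bucket name.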

Finish the AWS Cross Account Integration on Dataloop platform

  1. Go back to the Dataloop platform
  2. Under Role ARN, enter the ARN of the IAM role whose trust relationship you edited
  3. Click on Create

Create an AWS S3 Storage Driver on Dataloop platform

  1. On the Dataloop platform navigate to the left-side panel, choose “Data Management” and then click on “Cloud Storage”
  2. Click on the “CREATE DRIVER” button
  3. Enter a meaningful name for the storage driver
  4. Under Integration choose your relevant AWS Cross Account Integration
  5. Enter your AWS Bucket name (The one that is relevant to the integration)
  6. Select the region your S3 bucket is located in
  7. (Optional) Allow delete items
  8. Click “TEST” to test if the connection is successful
  9. Click “Create”