Account Access Identifiers in AWS
  • 07 May 2024
  • 3 Minutes to read

Article Summary

Amazon Resource Names (ARNs) uniquely identify AWS resources such as IAM accounts, users and roles. An IAM identity represents a human user or a programmatic workload and can be granted permission to perform actions in AWS.

  • More information about AWS ARNs: AWS ARNs
  • For help finding ARNs, please see the instructions below or visit: Finding AWS ARNs for advanced finding help.

Types of ARNs used in Bobsled

User ARN

When a customer is looking for access to an Amazon S3 delivery configured in Bobsled, the User ARN is the quickest and easiest option, especially when your customer is not sure which ARN to use. You will need to add a User ARN per individual at your client that wants to access the files in the Amazon S3 bucket you have configured for them.

Definition:

An IAM user represents the human user or workload who interacts with the AWS account. The user ARN uniquely identifies the IAM user. 

  • Syntax = arn:aws:iam::account:user/user-name-with-path
  • Example = arn:aws:iam::123456789012:user/JohnDoe

Where your customer can find their User ARN:

1. In the AWS console, search 'IAM' and select 'Users':

2. Find the user(s) that should have access to the Bobsled Amazon S3 bucket, and copy the ARN of each. Note: Depending on your settings, you may need to scroll your window to the right to see the User ARN column.



For more information, visit: IAM users

Role ARN

An IAM role is similar to a user, and is used to provide appropriate access to a variety of trusted identities. Your customers can use roles to configure access to a Bobsled Amazon S3 bucket for a group of users, applications, and / or other identities and package that access in one tidy ARN.

Definition:

An IAM role is an IAM identity in an account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. The role ARN uniquely identifies the IAM role. 

  • Syntax = arn:aws:iam::account:role/role-name-with-path 
  • Example = arn:aws:iam::123456789012:role/S3Access


Where your customer can find their Role ARN:

1. In the AWS console, search 'IAM' and select 'Roles':


2. Select the role from the list of roles that you would like to have access to the Bobsled Amazon S3 bucket, and copy the ARN from the top 'Summary' menu:



For more information, visit: Role ARN

Account ARN

It is not AWS best practice to grant account-level access to any AWS resource, as it violates the principle of least privilege. However, if your customer wants, they can send you an Account ARN that grants every identity within an AWS account access to the Bobsled Amazon S3 bucket.

Definition:

An AWS account has a single identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user. The account root user has an ARN associated with it used to uniquely identify the account.

  • Syntax = arn:aws:iam::account:root  
  • Example = arn:aws:iam::123456789012:root 

For more information, visit: IAM root user account 



How does Bobsled use ARNs?

Bobsled requires both Providers and Consumers to provide their ARN(s) to be used to authorize access to cloud resources. Providers will use their ARN(s) to grant access to their source, and Consumers will use their ARN(s) to be granted access to Bobsled’s destination resource. 

Amazon S3 Source

To configure an Amazon S3 source, an IAM role is created in the Provider's account, scoped to the permissions that Bobsled requires to read the source bucket. The role ARN associated with the "Bobsled access role" is then entered into Bobsled to authorize read access to your source.

To learn how to configure an Amazon S3 source, please visit: Amazon S3 Source

Amazon S3 Destination

Bobsled will grant read access on the Bobsled-managed destination bucket to the ARNs of IAM identities that are configured in the destination section of a given share. This permits these identities to read from the destination bucket as well as copy data into their own buckets. To copy data into a bucket in your account, the ARN will need to have write access on the bucket.

To learn how to configure an Amazon S3 destination, please visit: Configure an Amazon S3 Destination
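The following is an added example (not Bobsled's code and not the AWS SDK) that ties together the three ARN forms from the "Types of ARNs" section and the read-only grant described under "Amazon S3 Destination". It parses and classifies a user, role or account (root) ARN, flags the root ARNs that grant account-wide access, and assembles a least-privilege S3 bucket policy (list and get only) for a set of validated principals. The bucket name, the `Sid` label and the sample ARN list are constructed for illustration.

```python
"""Classify IAM principal ARNs and build a read-only S3 bucket policy.

Added example: not Bobsled's implementation. The bucket name and Sid are
placeholders; the sample ARNs mirror the article's examples.
"""
import json
import re

# The three IAM principal forms described in the article. The account
# field is always a 12-digit account ID; user and role names may carry
# a path (e.g. user/division_abc/subdivision_xyz/JohnDoe).
IAM_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::(?P<account>\d{12}):"
    r"(?:(?P<kind>user|role)/(?P<name>[\w+=,.@-]+(?:/[\w+=,.@-]+)*)"
    r"|(?P<kind_root>root))$"
)


def parse_iam_arn(arn: str) -> dict:
    """Classify an ARN as a user, role, or account (root) principal.

    Returns {"kind", "account", "path", "name"} and raises ValueError for
    anything that is not one of the three IAM principal forms, so a bucket
    ARN, a group ARN, or a truncated account ID is rejected up front.
    """
    m = IAM_ARN_RE.fullmatch(arn.strip())
    if m is None:
        raise ValueError(f"not an IAM user/role/root ARN: {arn!r}")
    if m.group("kind_root"):
        return {"kind": "account", "account": m.group("account"),
                "path": "/", "name": None}
    path, _, leaf = m.group("name").rpartition("/")
    return {
        "kind": m.group("kind"),
        "account": m.group("account"),
        "path": f"/{path}/" if path else "/",
        "name": leaf,
    }


def account_wide_grants(arns):
    """Return the ARNs that would grant every identity in an account access.

    These are the 'arn:aws:iam::<account>:root' entries the article warns
    about; each one deserves an explicit sign-off before it is accepted.
    """
    return [a for a in arns if parse_iam_arn(a)["kind"] == "account"]


def build_read_only_bucket_policy(bucket: str, principal_arns) -> dict:
    """Build a bucket policy allowing only list and get for the principals.

    Every ARN is validated first so a typo cannot silently produce an
    unexpected principal. Only read actions are granted; writing into the
    consumer's own bucket is governed by that bucket's policy, not this one.
    """
    principals = sorted({a.strip() for a in principal_arns})
    for a in principals:
        parse_iam_arn(a)  # raises on malformed input
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ConsumerReadOnly",  # constructed label
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": ["s3:ListBucket", "s3:GetObject"],
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
            }
        ],
    }


if __name__ == "__main__":
    # Constructed sample input using the article's example ARNs.
    sample = [
        "arn:aws:iam::123456789012:user/JohnDoe",
        "arn:aws:iam::123456789012:role/S3Access",
        "arn:aws:iam::123456789012:root",
    ]
    for a in sample:
        print(parse_iam_arn(a))
    print("account-wide grants:", account_wide_grants(sample))
    policy = build_read_only_bucket_policy("example-destination-bucket", sample)
    print(json.dumps(policy, indent=2))
```

Running the script prints the parsed form of each ARN, lists the root ARN as an account-wide grant for review, and emits the bucket policy JSON. Validating ARNs before they reach a policy is the practical safeguard: a malformed principal in a bucket policy is rejected by S3 at apply time, but a well-formed ARN for the wrong account or a root ARN supplied in place of a user ARN is accepted silently and widens access.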

