Push-to-Warehouse Setup: S3 Staging Bucket
In this guide, you will be setting up a connection to a data warehouse destination you own. Reach out to your Customer Success Manager or [email protected] to confirm that your Modern Treasury plan includes the Push to Warehouse capability.
Some destinations without built-in staging resources require a staging bucket to efficiently load data.
Prerequisites
- By default, S3 authentication uses role-based access. You will need the trust policy prepopulated with the data-syncing service's identifier to grant access. It should look similar to the following JSON object with a proper service account identifier (your Modern Treasury contact will provide this):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Principal": {
"AWS": "<some_service_account_identifier>"
}
}
]
}
Create staging bucket
- Navigate to the S3 service page.
- Click Create bucket.
- Enter a Bucket name and modify any of the default settings as desired. Note: Object Ownership can be set to "ACLs disabled" and Block Public Access settings for this bucket can be set to "Block all public access" as recommended by AWS. Make note of the Bucket name and AWS Region.
- Click Create bucket.
Create policy
- Navigate to the IAM service page, click on the Policies navigation tab, and click Create policy.
- Click the JSON tab, and paste the following policy, being sure to replace
BUCKET_NAME
with the name of the bucket chosen above.- Note: the first policy applies to
BUCKET_NAME
whereas the second policy applies only to the bucket's contentsBUCKET_NAME/*
an important distinction.
- Note: the first policy applies to
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::BUCKET_NAME"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::BUCKET_NAME/*"
}
]
}
- Click through to the Review step, choose a name for the policy, for example,
transfer-service-policy
(this will be referenced in the next step), add a description, and click Create policy.
Create role
- Navigate to the IAM service page.
- Navigate to the Roles navigation tab, and click Create role.
- Select Custom trust policy and paste the provided trust policy to allow AssumeRole access to the new role. Click Next.
- Add the permissions policy created above, and click Next.
- Enter a Role name, for example,
transfer-role
, and click Create role. - Once successfully created, search for the created role in the Roles list, click the role name, and make a note of the ARN value.
You're done!
Use this configured S3 staging bucket during the connection of your preferred data source or destination.
Updated about 2 months ago