<< Click to Display Table of Contents >> Raynet One Data Hub > 14.0 u1 > Connectors > Alphabetic Connector List > Amazon Simple Storage Service (S3) > Connector Parameters Authentication |
This parameter contains the Access Key that is used for the connection to the Session Token Service (STS).
Technical Name |
access_key_id |
Category |
Authentication |
Type |
String |
Default Value |
n/a |
Example Values |
|
How to get the credentials is described in the official documentation. It is recommended to generate credentials tailored to this connector via the IAM Console. The connector uses this credentials to do the first authentication to AWS. It then gets (and automatically renews) session credentials for the time of the execution.
This parameter contains the Secret Access Key that is used for the connection to the Session Token Service (STS).
Technical Name |
secret_access_key |
Category |
Authentication |
Type |
String |
Default Value |
n/a |
Example Values |
|
How to get the credentials is described in the official documentation. It is recommended to generate credentials tailored to this connector via the IAM Console. The connector uses this credentials to do the first authentication to AWS. It then gets (and automatically renews) session credentials for the time of the execution.
This parameter contains the Session Token for the connection to the Session Token Service (STS).
Technical Name |
session_token |
Category |
Authentication |
Type |
String null |
Default Value |
null |
Example Values |
null |
How to get the credentials is described in the official documentation. It is recommended to generate credentials tailored to this connector via the IAM Console. The connector uses this credentials to do the first authentication to AWS. It then gets (and automatically renews) session credentials for the time of the execution.
Use the Session Token Service STS to assume the given roles one after another.
Technical Name |
master_assume_role_arn_chain |
Category |
Authentication |
Type |
String |
Default Value |
n/a |
Example Values |
arn:aws:ima::123456789012:role/ROLE_NAME |
The initial credentials might not have the required permissions for the job. One can perform a privilege escalation with the Assume Role request via STS. For more information on the AWS authentication process read the official documentation. Using a list of roles will chain the assumptions together. The connector gets session credentials for the first role with the initial credentials. Then, with the session credentials it assumes the second role and so on. The last session credentials are used for the actual API access. When aggregating data of an Organizational Unit, this chain is used only for the master account of the OU.
This parameter can be used in order to provide an external ID for cross-account access with the Session Token Service (STS).
Technical Name |
assume_external_id |
Category |
Authentication |
Type |
String null |
Default Value |
null |
Example Values |
null, 987654321098 |
The externalId is used with every role assumption of the Assume Role ARN Chain. Read about the AWS authentication mechanism in the official documentation.
This parameter defines the accounts in the OU from which the data will be fetched.
Technical Name |
sub_account_assume_role_arn_chain |
Category |
Authentication |
Type |
String null |
Default Value |
null |
Example Values |
null arn:aws:iam::{accountId}:role/ROLE_NAME |
When managing a large number of accounts, one can aggregate them in an Organizational Unit (OU). Instead of running the connector for every single account, the connector can fetch the list of accounts from OU and aggregate the data automatically. When setting this parameter, the last role in the Assume Role Chain must have enough privileges for the ListAccount request. The initial credentials (Access Key ID, Secret Access Key, and Session Token) are reused for the first authentication, but for the cross-account access to the sub-accounts this chain is used instead. Use the placeholder {accountId} in the chain which is replaced by the sub-account IDs at run-time. Leave the chain empty or null to fetch data only from the master account.