Authorization

When you add an AWS S3 card to a flow for the first time, Okta prompts you to configure the connection. After saving your account information, you can reuse the connection for future AWS S3 flows.

You can create multiple connections and manage them from your Connections page.

To create a new connection from an action card:

  1. Click New Connection.

  2. Enter a Connection Nickname. This is useful if you plan to create multiple AWS S3 connections to share with your team.

  3. Copy the ID from Account ID to the associated role's trust policy. See Providing access to AWS accounts owned by third parties.

  4. Copy the ID from External ID to the associated role's trust policy. See Providing access to AWS accounts owned by third parties.

  5. Enter a Role Amazon Resource Name (ARN). See IAM Identifiers.

  6. Click Create.

The role you create for AWS S3 operations must have an IAM policy attached to it. The IAM policy allows you to manage access to your AWS resources by specifying actions that the AWS S3 connector may run. You can attach an AWS managed policy or a customer managed policy. The following code is an example of a customer managed AWS policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObjectRetention",
        "s3:DeleteObjectVersion",
        "s3:GetObjectVersionTagging",
        "s3:PutBucketOwnershipControls",
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:GetObjectLegalHold",
        "s3:BypassGovernanceRetention",
        "s3:PutObject",
        "s3:GetObject",
        "s3:PutBucketTagging",
        "s3:PutLifecycleConfiguration",
        "s3:GetObjectTagging",
        "s3:PutBucketAcl",
        "s3:PutObjectTagging",
        "s3:PutBucketObjectLockConfiguration",
        "s3:DeleteObject",
        "s3:DeleteBucket",
        "s3:PutBucketVersioning",
        "s3:PutObjectAcl",
        "s3:GetObjectVersion",
        "s3:PutObjectLegalHold",
        "kms:GenerateDataKey",
        "s3:GetBucketObjectLockConfiguration",
        "s3:PutObjectRetention"
      ],
      "Resource": "*"
    }
  ]
}
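Steps 3 to 5 above put the Account ID and External ID into the role's trust policy, and the permission policy above uses "Resource": "*". The following added example (not Okta's or AWS's code) builds the trust policy those steps describe and checks both documents the way a reviewer would: the trust policy must require sts:ExternalId, and Allow statements should be scoped to a bucket rather than "*". OKTA_ACCOUNT_ID and OKTA_EXTERNAL_ID are placeholders for the values shown on the connection card.

```python
import json

OKTA_ACCOUNT_ID = "111111111111"          # placeholder: Account ID shown on the connection card
OKTA_EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"  # placeholder: External ID shown on the connection card


def trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy for the role named in the Role ARN field: only Okta's account
    may assume it, and only while presenting the External ID (confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def check_trust_policy(policy: dict) -> list:
    """Flag Allow statements that grant sts:AssumeRole without an sts:ExternalId condition."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append(f"statement {i}: AssumeRole allowed without sts:ExternalId")
    return findings


def check_permissions_policy(policy: dict) -> list:
    """Flag Allow statements whose Resource is "*" (every bucket and key in the account);
    scope them to arn:aws:s3:::<bucket> and arn:aws:s3:::<bucket>/* instead."""
    return [f"statement {i}: Resource \"*\" is not scoped to a bucket"
            for i, stmt in enumerate(policy.get("Statement", []))
            if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource"))]


if __name__ == "__main__":
    print(json.dumps(trust_policy(OKTA_ACCOUNT_ID, OKTA_EXTERNAL_ID), indent=2))
```

Running check_permissions_policy over the customer managed policy shown above reports its wildcard Resource; the kms:GenerateDataKey action, if kept, should likewise be scoped to the key ARN used for the bucket.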

Related topics

AWS S3 connector

Workflow elements

AWS S3 Rest API overview