Configure IAM roles
You will need two roles: one to use as an identity bearer role for your web app, and a second to use for configuring an access grant. An identity bearer role is a role that includes an authenticated user's identity in its sessions. It is used to make requests to S3 Access Grants for data access on behalf of the user.

Note
You can skip the procedure for creating an identity bearer role. For information about having the Transfer Family service create the identity bearer role, see Create a Transfer Family web app.

Create an identity bearer role

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. Choose Roles, and then Create role.
3. Choose Custom trust policy and then paste in the following code.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "transfer.amazonaws.com"
                },
                "Action": [
                    "sts:AssumeRole",
                    "sts:SetContext"
                ]
            }
        ]
    }

4. Choose Next, skip Add permissions, and then select Next again.
5. Enter a name, for example web-app-user-session.
6. Choose Create role to create the identity bearer role.
7. Choose the role that you just created from the list, then in the Permissions policies panel, choose Add permissions > Create inline policy.
8. In the Policy editor, select JSON and then paste in the following code block.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetDataAccess",
                    "s3:ListCallerAccessGrants",
                    "s3:ListAccessGrantsInstances"
                ],
                "Resource": "*"
            }
        ]
    }

9. For the policy name, enter AllowS3AccessGrants, and then select Create policy.
Next, you create the role that S3 Access Grants assumes to vend temporary credentials to the grantee.
Create an access grants role

1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. Choose Roles, and then Create role. This role should have permission to access your S3 data in the AWS Region.
3. Choose Custom trust policy, and then paste in the following code.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "access-grants.s3.amazonaws.com"
                },
                "Action": [
                    "sts:AssumeRole",
                    "sts:SetContext"
                ]
            }
        ]
    }

4. Choose Next and add a minimal policy as described in Register a location. While not recommended, you can add the AmazonS3FullAccess managed policy, which may be too permissive for your needs.
5. Choose Next, and enter a name (for example access-grants-location).
6. Choose Create role to create the role.
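The two trust policies and the inline policy above, built programmatically and paired with an audit that checks an existing role against the documented shape (single service principal, only the two STS actions, only the three S3 Access Grants actions, no AmazonS3FullAccess). This is an added Python example, not code from the AWS documentation; it works on policy documents as Python dicts, so it runs without AWS credentials, and the only names it assumes are the service principals given above.

```python
STS_ACTIONS = {"sts:AssumeRole", "sts:SetContext"}
BEARER_ACTIONS = {"s3:GetDataAccess", "s3:ListCallerAccessGrants",
                  "s3:ListAccessGrantsInstances"}
TRANSFER = "transfer.amazonaws.com"               # assumes the identity bearer role
ACCESS_GRANTS = "access-grants.s3.amazonaws.com"  # assumes the access grants role


def trust_policy(service: str) -> dict:
    """Trust policy that lets exactly one service principal assume the role and set context."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": service},
        "Action": sorted(STS_ACTIONS)}]}


def bearer_permissions_policy() -> dict:
    """Inline policy for the identity bearer role: the three S3 Access Grants calls only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": sorted(BEARER_ACTIONS), "Resource": "*"}]}


def _as_list(value):  # IAM accepts a string or a list in Principal.Service and Action
    return [value] if isinstance(value, str) else list(value or [])


def audit_trust_policy(doc: dict, expected_service: str) -> list:
    """Findings for a role trust policy; an empty list means it matches the documented shape."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            findings.append("trust policy allows a non-service principal")
            continue
        for svc in _as_list(principal.get("Service")):
            if svc != expected_service:
                findings.append(f"unexpected trusted service {svc}")
        extra = set(_as_list(stmt.get("Action"))) - STS_ACTIONS
        if extra:
            findings.append(f"unexpected STS actions {sorted(extra)}")
    return findings


def audit_bearer_permissions(doc: dict) -> list:
    """Flag Allow statements that grant anything beyond the three documented actions."""
    return [f"unexpected actions {sorted(set(_as_list(s.get('Action'))) - BEARER_ACTIONS)}"
            for s in doc.get("Statement", []) if s.get("Effect") == "Allow"
            and set(_as_list(s.get("Action"))) - BEARER_ACTIONS]


def audit_managed_policies(attached_arns: list) -> list:
    """Flag the AmazonS3FullAccess managed policy that the procedure warns is too permissive."""
    return [f"too-permissive managed policy {arn}" for arn in attached_arns
            if arn.endswith("/AmazonS3FullAccess")]
```

Feed the audit functions the documents returned by `aws iam get-role`, `get-role-policy` and `list-attached-role-policies` to check roles that already exist in the account.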