About Amazon S3 prerequisites

This method involves creating a Role in your AWS account that trusts Supermetrics up upload files.

AWS cluster requirement: IAM Role authentication is only available if your Supermetrics team is hosted on the AWS cluster. If you’re unsure which cluster your team is on, contact Supermetrics support before proceeding.

Note: The AWS configuration instructions in Steps 1 and 2 show one example approach. There are multiple ways to create policies and roles in AWS - you are free to use your preferred method as long as the end results grants the equivalent permisssions.

Step 1: Create the Permission policy

This policy defines what Supermetrics is allowed to do, in this scenario to upload files to a specific bucket.

1. Log in to your AWS console and navigate to IAM and then select policies.

2. Click Create policy.

3. Switch to the JSON tab and paste the following policy. Replace YOUR_BUCKET_NAME with a name of your choosing.

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "SupermetricsS3Access",
               "Effect": "Allow",
               "Action": [
                   "s3:PutObject",
                   "s3:GetBucketLocation",
                   "s3:ListBucket"
               ],
               "Resource": [
                   "arn:aws:s3:::YOUR_BUCKET_NAME",
                   "arn:aws:s3:::YOUR_BUCKET_NAME/*"
               ]
           }
       ]
   }

4. Name the policy, SupermetricsS3WritePolicy for example, and then create it.

Step 2: Create the IAM Role

This policy defines who is allowed to use the permissions, which is the Supermetrics Application in this case.

1. Navigate to IAM > Roles.

2. Click Create role.

3. Select Custom trust policy as the trusted entity type.

4. Paste the following trust policy. This grants Supermetrics’ AWS role the ability to assume your role:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::043417694514:role/supermetrics-s3-role"
               },
               "Action": "sts:AssumeRole"
           }
       ]
   }

   Important: The ARN arn:aws:iam::043417694514:role/supermetrics-s3-role is Supermetrics' external role. This must be set exactly as shown — it is what authorizes Supermetrics to assume your role.

5. Click Next.

6. Search for and select the permissions policy that you created in Step 1.

7. Name the role, Supermetrics S3IntegrationRole for example and create it.

Step 3: Configure Supermetrics

1. In the AWS console, click the Role you just created.

2. Copy the Role ARN, in this example arn:aws:iam::043417694514:role/SupermetricsS3IntegrationRole

3. Go to the Supermetrics destination configuration.

4. Under Authentication method, select IAM role.

5. Paste the ARN into the IAM role ARN field.

6. Enter your Bucket name and Region code.

7. (Optional) If your S3 bucket uses a KMS customer-managed encryption key, enter the KMS key ARN in the KMS key ARN field. If your bucket uses default AWS-managed encryption, leave this blank.

8. Save and test the connection.

To authorize the use of your Amazon S3 bucket as a destination, you need the access key of your AWS user. Find or generate the access key in the AWS Management Console under My Security Credentials. Access keys generated using different methods can't be used to authenticate in this case.

Each access key comes with an access key ID and a corresponding secret access key. Both are needed in the destination setup.

See Amazon S3 documentation to learn more about managing access keys.