
20.5.2 Creating an IAM Role to Access an Amazon S3 Bucket

Use the AWS Management Console to create an IAM role for accessing an Amazon S3 bucket. The role's trust policy requires an external ID so that only your tenancy (or one DB System in it) can have the role assumed on its behalf (see Using an external ID for third-party access for background).
This task requires the following:
  • Access to the AWS Management Console.
  • IAM policy that specifies the Amazon S3 and/or KMS permissions required for the feature you want to use. See Creating an IAM Policy to Access an Amazon S3 Bucket.
  • The tenancy Oracle Cloud Identifier (OCID). To view the OCID of the tenancy, see Viewing OCID of the Tenancy.
  • If you want to grant access to a specific DB System, the resource ID of the DB System.
  • The name of the Amazon S3 bucket you want to grant access to.
  • Sufficient IAM permissions for creating the IAM roles.
Do the following to create an IAM role:
  1. Open the AWS Management Console and sign in with your credentials.
  2. In the AWS Management Console home page, click Services, and click Security, Identity, & Compliance, and then click IAM.
  3. In the navigation pane of the Console, under Access management, click Roles, and then click Create role.
  4. In the Select trusted entity panel, do the following:
    1. Select Custom trust policy.
    2. Specify the following trust policy:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {
              "AWS": "612981981079"
            },
            "Condition": {
              "StringLike": {
                "sts:ExternalId": "<IDDetails>"
              }
            }
          }
        ]
      }
      • When you are editing a DB System, specify either of the following in <IDDetails>:
        • To grant access to a specific DB System in the tenancy: <TenancyOCID>/<DBSystemResourceId> (see Viewing DB System Details for how to view the resource ID of the DB System). For example:
          ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f44n2b2m2yt2j6rx32uzr4h25vqstifsfdsq/5281bb96-99a1-23fe-a65f-370cd85b979f
        • To grant access to all DB Systems in the tenancy: <TenancyOCID>/*. For example:
          ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f44n2b2m2yt2j6rx32uzr4h25vqstifsfdsq/*
      • When you are creating a DB System, its resource ID is not yet known, so specify <TenancyOCID>/* in <IDDetails> to grant access to all DB Systems in the tenancy. For example:
        ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f44n2b2m2yt2j6rx32uzr4h25vqstifsfdsq/*

        Once the DB System is created, update the trust policy to limit access to that specific DB System (see the "When you are editing a DB System" bullet above).

  5. Resolve any warnings or errors generated during policy validation, and then click Next.
  6. In the Add permissions page, search for the policy you created, and select the check box to attach the policy to your new role. See Creating an IAM Policy to Access an Amazon S3 Bucket.
  7. Click Next.
  8. In the Name, review, and create page, in the Role details section, enter the following:
    • Role name: Enter a name that identifies the role.
    • Description: (Optional) Enter a description of the role.
  9. Click Create role.
  10. Click the role you just created.
  11. In the Summary section, copy the ARN.
After you create the role, enter the role ARN in an existing DB System, or create a new DB System and enter the ARN there. See Editing a DB System and Creating a DB System.
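As an added example (not part of the HeatWave documentation and not Oracle's or AWS's tooling), the following Python builds the step 4 trust policy for a given tenancy OCID and DB System resource ID, evaluates the sts:ExternalId StringLike condition the way IAM does so you can see which external IDs a given pattern accepts, and audits a trust policy for the drifts that matter here: wrong principal, missing external-ID condition, an external ID not scoped to your tenancy, or the temporary <TenancyOCID>/* grant left in place after the DB System exists. The sample tenancy OCID, DB System resource ID and principal account are the page's own values; the function names and audit rules are this example's assumptions.

```python
"""Added example: build and audit the HeatWave S3-access trust policy."""
import fnmatch
import json
from typing import Dict, List, Optional

# Principal the page's trust policy names (value taken from the page).
HEATWAVE_PRINCIPAL_ACCOUNT = "612981981079"

# Sample values copied from the page's examples; substitute your own.
TENANCY_OCID = "ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f44n2b2m2yt2j6rx32uzr4h25vqstifsfdsq"
DB_SYSTEM_ID = "5281bb96-99a1-23fe-a65f-370cd85b979f"


def build_trust_policy(tenancy_ocid: str, db_system_id: Optional[str] = None) -> Dict:
    """Return the step 4 trust policy with <IDDetails> filled in.

    With db_system_id the external ID is <TenancyOCID>/<DBSystemResourceId>
    (one DB System); without it the external ID is <TenancyOCID>/* (all DB
    Systems in the tenancy), the form the page uses while a DB System is
    still being created.
    """
    external_id = f"{tenancy_ocid}/{db_system_id if db_system_id else '*'}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Principal": {"AWS": HEATWAVE_PRINCIPAL_ACCOUNT},
                "Condition": {"StringLike": {"sts:ExternalId": external_id}},
            }
        ],
    }


def external_id_matches(policy: Dict, presented_external_id: str) -> bool:
    """Evaluate the sts:ExternalId StringLike condition as IAM does:
    '*' matches any run of characters, '?' one character, case-sensitively.
    True if some Allow statement accepts the presented external ID."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        pattern = stmt.get("Condition", {}).get("StringLike", {}).get("sts:ExternalId")
        if pattern is not None and fnmatch.fnmatchcase(presented_external_id, pattern):
            return True
    return False


def audit_trust_policy(policy: Dict, tenancy_ocid: str) -> List[str]:
    """Flag drifts from the page's intent in each sts:AssumeRole Allow statement."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if principal != HEATWAVE_PRINCIPAL_ACCOUNT:
            findings.append(f"statement {i}: principal {principal!r} is not the expected HeatWave account")
        condition = stmt.get("Condition", {})
        external_id = (condition.get("StringLike", {}).get("sts:ExternalId")
                       or condition.get("StringEquals", {}).get("sts:ExternalId"))
        if external_id is None:
            # The external ID is the third-party (confused-deputy) protection; without it
            # the condition that ties the role to your tenancy is gone.
            findings.append(f"statement {i}: no sts:ExternalId condition on the assume-role grant")
        elif not external_id.startswith(tenancy_ocid + "/"):
            findings.append(f"statement {i}: sts:ExternalId {external_id!r} is not scoped to tenancy {tenancy_ocid}")
        elif external_id.endswith("/*"):
            findings.append(f"statement {i}: sts:ExternalId grants all DB Systems in the tenancy; "
                            "narrow it to one DB System once that DB System exists")
    return findings


if __name__ == "__main__":
    # Print the document to paste into the Custom trust policy editor (step 4).
    print(json.dumps(build_trust_policy(TENANCY_OCID, DB_SYSTEM_ID), indent=4))
```

Run it to print the policy for one DB System, or call build_trust_policy(TENANCY_OCID) for the create-time <TenancyOCID>/* form; audit_trust_policy on the latter reports the open wildcard, which is the reminder to come back and narrow the policy after the DB System is created.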