Prerequisites

Before requesting a Customer Discovery Workspace you must first configure your AWS account. The owner of the AWS account (e.g. the data consumer) must create an IAM role and attach a policy to that role. The policy grants Data Republic 'write access' so that we can configure your AWS account to work with Senate.

AWS Configuration Requirements

  1. An organization can nominate only one AWS account to host a Customer Discovery Workspace in Senate. Data Republic recommends creating a new, dedicated AWS account so that Data Republic administrators only ever access a controlled space.
  2. Identify the AWS account which will host the Discovery Workspace and provide your organization's AWS account details to Data Republic. 

What do I need to do?

  1. Configure your AWS policy by creating an IAM role that provides DR with 'write access'. Data Republic will assume this role to provision the necessary resources within the account. (See below for an example policy describing the required permissions.)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEC2Access",
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:Region": "<region>"
        }
      }
    },
    {
      "Sid": "DenyEC2Access",
      "Action": "ec2:*",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "ec2:Region": "<region>"
        }
      }
    },
    {
      "Sid": "AllowS3Access",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:DeleteObject",
        "s3:DeleteObjectTagging",
        "s3:DeleteObjectVersion",
        "s3:DeleteObjectVersionTagging",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLocation",
        "s3:GetBucketLogging",
        "s3:HeadBucket",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketByTags",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:ListMultipartUploadParts",
        "s3:ObjectOwnerOverrideToBucketOwner",
        "s3:PutBucketAcl",
        "s3:PutBucketCORS",
        "s3:PutBucketLogging",
        "s3:PutBucketNotification",
        "s3:PutBucketPolicy",
        "s3:PutBucketTagging",
        "s3:PutBucketVersioning",
        "s3:PutEncryptionConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:PutMetricsConfiguration",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectTagging",
        "s3:PutObjectVersionAcl",
        "s3:RestoreObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringLike": {
          "s3:LocationConstraint": "<region>"
        }
      }
    },
    {
      "Sid": "DenyS3Access",
      "Effect": "Deny",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ],
      "Condition": {
        "StringNotLike": {
          "s3:LocationConstraint": "<region>"
        }
      }
    },
    {
      "Sid": "AllowIAMAccess",
      "Action": [
        "iam:AddRoleToInstanceProfile",
        "iam:AttachRolePolicy",
        "iam:AttachUserPolicy",
        "iam:CreateAccessKey",
        "iam:CreateInstanceProfile",
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:CreateRole",
        "iam:CreateUser",
        "iam:DeleteAccessKey",
        "iam:DeleteInstanceProfile",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:DeleteRole",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteRolePolicy",
        "iam:DeleteUser",
        "iam:DeleteUserPolicy",
        "iam:DetachRolePolicy",
        "iam:DetachUserPolicy",
        "iam:GetAccountSummary",
        "iam:GetInstanceProfile",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:GetUser",
        "iam:GetUserPolicy",
        "iam:ListAccessKeys",
        "iam:ListAccountAliases",
        "iam:ListInstanceProfiles",
        "iam:ListInstanceProfilesForRole",
        "iam:ListPolicies",
        "iam:ListPolicyVersions",
        "iam:ListRolePolicies",
        "iam:ListRoleTags",
        "iam:ListRoles",
        "iam:ListUserPolicies",
        "iam:ListUserTags",
        "iam:ListUsers",
        "iam:PassRole",
        "iam:PutRolePermissionsBoundary",
        "iam:PutRolePolicy",
        "iam:PutUserPermissionsBoundary",
        "iam:PutUserPolicy",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:TagRole",
        "iam:TagUser",
        "iam:UntagRole",
        "iam:UntagUser",
        "iam:UpdateAccessKey",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription",
        "iam:UpdateUser"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::<accountID>:instance-profile/*",
        "arn:aws:iam::<accountID>:policy/*",
        "arn:aws:iam::<accountID>:role/*",
        "arn:aws:iam::<accountID>:user/*",
        "arn:aws:iam::aws:policy/*"
      ]
    }
  ]
}

  2. Data Republic will provide the ARN (Amazon Resource Name) of the source role, which you will need in order to create a trust relationship with it (see the example below). This allows Data Republic to perform operations without the need to share any secrets.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<DR_ACCOUNT_ID>:role/DR_ROLE_NAME"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
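To make the two documents above less error-prone to hand over, the following added example (not Data Republic's code) renders the placeholders, checks the trust policy names exactly one IAM role and the permissions policy keeps the region and account scoping shown above, and only then creates the role with boto3. The account ids, region and role names in it are constructed values, and the checks are this example's own least-privilege heuristics rather than a Data Republic requirement.

```python
"""Render, sanity-check and (optionally) apply the two policy documents from this article.

Added illustration, not Data Republic's code. The account ids, region and role
names below are constructed placeholders; the checks are this example's own
least-privilege heuristics, not a Data Republic requirement.
"""
import json
import re

PLACEHOLDER = re.compile(r"<[A-Za-z_]+>")                          # e.g. <region>, <accountID>
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def render(template: str, values: dict) -> str:
    """Fill the <name> placeholders of a policy template; refuse to leave any behind."""
    rendered = template
    for name, value in values.items():
        rendered = rendered.replace(f"<{name}>", value)
    leftover = sorted(set(PLACEHOLDER.findall(rendered)))
    if leftover:
        raise ValueError(f"unfilled placeholders: {leftover}")
    json.loads(rendered)  # must still parse as JSON after substitution
    return rendered


def trust_policy(dr_account_id: str, dr_role_name: str) -> dict:
    """Trust policy in the shape shown above: exactly one named Data Republic role may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{dr_account_id}:role/{dr_role_name}"},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def check_trust_policy(policy: dict) -> list:
    """Problems that would let anything other than a single named IAM role assume the role."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if p == "*" or p.endswith(":root"):
                problems.append(f"over-broad principal {p!r}")     # '*' or a whole account
            elif not ROLE_ARN.match(p):
                problems.append(f"principal is not a single IAM role ARN: {p!r}")
        for action in _as_list(stmt.get("Action")):
            if action.lower() != "sts:assumerole":
                problems.append(f"unexpected trust-policy action {action!r}")
    return problems


def check_permissions_policy(policy: dict) -> list:
    """Flag Allow statements that are broader than the article's example policy."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "(no Sid)")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a in ("*", "iam:*", "sts:*") for a in actions):
            problems.append(f"{sid}: allows every action of a sensitive service")
        if "*" in resources and "Condition" not in stmt:   # the article's ec2:* is region-conditioned
            problems.append(f"{sid}: wildcard Resource without a Condition")
    return problems


def apply_role(role_name: str, trust: dict, permissions: dict, policy_name: str = "DataRepublicAccess"):
    """Create the role and attach the inline policy with boto3 (needs AWS credentials; not run here)."""
    problems = check_trust_policy(trust) + check_permissions_policy(permissions)
    if problems:
        raise ValueError("refusing to create role: " + "; ".join(problems))
    import boto3  # imported lazily so the checks above run without boto3 installed
    iam = boto3.client("iam")
    iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust))
    iam.put_role_policy(RoleName=role_name, PolicyName=policy_name, PolicyDocument=json.dumps(permissions))


if __name__ == "__main__":
    # Constructed, abridged version of the article's policy with its placeholders still in place.
    template = json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowEC2Access", "Action": "ec2:*", "Effect": "Allow", "Resource": "*",
             "Condition": {"StringLike": {"ec2:Region": "<region>"}}},
            {"Sid": "AllowIAMAccess", "Action": ["iam:CreateRole", "iam:PassRole"], "Effect": "Allow",
             "Resource": ["arn:aws:iam::<accountID>:role/*"]},
        ],
    })
    permissions = json.loads(render(template, {"region": "ap-southeast-2", "accountID": "123456789012"}))
    trust = trust_policy("111111111111", "DR_ROLE_NAME")   # constructed DR account id
    print("trust policy problems:", check_trust_policy(trust) or "none")
    print("permissions policy problems:", check_permissions_policy(permissions) or "none")
```

The trust-policy check is the one that matters most: a `Principal` of `*` or of the DR account's `:root` would let any identity in that account that holds `sts:AssumeRole` use the role, whereas the example above deliberately names a single role ARN. `apply_role` refuses to create the role while either check reports a problem.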

  3. If you would like to host the Discovery Workspace in a specific location, please contact Data Republic. You will have the option to choose the type of Discovery Workspace to connect to in a project.

Related articles:

Setting up local data sources and deploying Workspaces with CCS
Request a Workspace