Generate temporary credentials for ingestion

This article describes how to create an IAM user in your AWS account with just enough access to read data from one folder in an Amazon S3 bucket, and how to get temporary session credentials for that user.

Create an IAM policy

  1. Open the AWS IAM console in your AWS account, typically at https://console.aws.amazon.com/iam.

  2. Click Policies.

  3. Click Create Policy.

  4. Click the JSON tab.

  5. Replace the existing JSON code with the following code. In the code, replace:

    • <s3-bucket> with the name of your S3 bucket.

    • <folder> with the name of the folder within your S3 bucket.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ReadOnlyAccessToTrips",
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::<s3-bucket>",
            "arn:aws:s3:::<s3-bucket>/<folder>/*"
          ]
        }
      ]
    }
    
  6. Click Next: Tags.

  7. Click Next: Review.

  8. Enter a name for the policy and click Create policy.
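The policy above grants s3:ListBucket on the whole bucket, so the user can enumerate every key in it even though s3:GetObject is limited to the folder. The following Python is an added example, not part of the original article: it builds the page's policy as a dict, and by default instead splits ListBucket into its own statement with an s3:prefix condition (an AWS-documented condition key) so only the folder can be listed. It also rejects unreplaced <s3-bucket>/<folder> placeholders, and includes a small local matcher that only evaluates the StringLike pattern it generates (it is not a general IAM evaluator). Bucket and folder names are supplied by the caller; "my-data-bucket" and "trips" in the usage line are made up.

```python
"""Build the read-only S3 ingestion policy, optionally with folder-scoped listing.

Added example (not from the original page). Assumes only the documented
IAM condition key s3:prefix; bucket/folder names come from the caller.
"""
import json
import re
from fnmatch import fnmatchcase

# AWS bucket naming rule: 3-63 chars, lowercase letters, digits, dots, hyphens.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def name_problems(bucket: str, folder: str) -> list:
    """Return a list of problems with the names (empty list means OK)."""
    problems = []
    for value in (bucket, folder):
        if value.startswith("<") and value.endswith(">"):
            problems.append(f"placeholder {value!r} was not replaced")
    if not _BUCKET_RE.match(bucket):
        problems.append(f"invalid bucket name {bucket!r}")
    if not folder.strip("/"):
        problems.append("folder must not be empty")
    return problems


def build_policy(bucket: str, folder: str, restrict_listing: bool = True) -> dict:
    """Return the policy document as a dict ready for json.dumps().

    restrict_listing=False reproduces the page's policy: ListBucket on the whole
    bucket plus GetObject under the folder. restrict_listing=True (default) moves
    ListBucket into its own statement with an s3:prefix condition, so the user
    can only enumerate keys under the folder.
    """
    problems = name_problems(bucket, folder)
    if problems:
        raise ValueError("; ".join(problems))
    folder = folder.strip("/")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/{folder}/*"
    if not restrict_listing:
        statements = [{
            "Sid": "ReadOnlyAccessToTrips",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [bucket_arn, objects_arn],
        }]
    else:
        statements = [
            {
                "Sid": "ReadObjectsInFolder",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [objects_arn],
            },
            {
                "Sid": "ListOnlyTheFolder",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [bucket_arn],
                # s3:prefix is the prefix the caller sends with ListObjects; both
                # forms are allowed so `aws s3 ls s3://<bucket>/<folder>/` works.
                "Condition": {"StringLike": {"s3:prefix": [f"{folder}/", f"{folder}/*"]}},
            },
        ]
    return {"Version": "2012-10-17", "Statement": statements}


def list_prefix_allowed(policy: dict, prefix: str) -> bool:
    """Local check: would the policy's ListBucket statement allow listing `prefix`?

    Only understands the unconditional form and the StringLike/s3:prefix
    condition generated above; it is not a general IAM policy evaluator.
    """
    for stmt in policy["Statement"]:
        if "s3:ListBucket" not in stmt["Action"]:
            continue
        cond = stmt.get("Condition")
        if cond is None:
            return True  # unconditional ListBucket on the bucket ARN
        patterns = cond["StringLike"]["s3:prefix"]
        return any(fnmatchcase(prefix, p) for p in patterns)
    return False


if __name__ == "__main__":
    # Constructed names; paste the printed JSON into the console's JSON tab.
    print(json.dumps(build_policy("my-data-bucket", "trips"), indent=2))
```

Attaching the restricted variant still lets the `aws s3 ls s3://<s3-bucket>/<folder>/` test in the next section succeed, while `aws s3 ls s3://<s3-bucket>/` (listing the bucket root) is denied.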

Create an IAM user

  1. In the sidebar, click Users.

  2. Click Add users.

  3. Enter a name for the user.

  4. Select the Access key - Programmatic access box, and then click Next: Permissions.

  5. Click Attach existing policies directly.

  6. Select the box next to the policy, and then click Next: Tags.

  7. Click Next: Review.

  8. Click Create user.

  9. Copy the Access key ID and Secret access key values that appear to a secure location, as you need them to get the AWS STS session token.

Create a named profile

  1. On your local development machine, use the AWS CLI to create a named profile with the AWS credentials that you copied in the previous step. See Named profiles for the AWS CLI on the AWS website.

  2. Test your AWS credentials. To do this, use the AWS CLI to run the following command, which displays the contents of the folder that contains your data. In the command, replace:

    • <s3-bucket> with the name of your S3 bucket.

    • <folder> with the name of the folder within your S3 bucket.

    • <named-profile> with the name of your named profile.

    aws s3 ls s3://<s3-bucket>/<folder>/ --profile <named-profile>
    
  3. To get the session token, run the following command. In the command, replace <named-profile> with the name of your named profile.

    aws sts get-session-token --profile <named-profile>

  4. Copy the AccessKeyId, SecretAccessKey, and SessionToken values that appear to a secure location.
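The output of step 3 also carries an Expiration timestamp: the three copied values only work until then, and they only work together (a session token without its matching key pair, or a key pair without the token, is rejected). The following Python is an added example that is not part of the original article. It parses a constructed sample in the same shape as the CLI's JSON output, reports how long the token has left, and renders the three values as a section for an AWS credentials file; the profile name ingest-temp and the dummy credential values are made up.

```python
"""Parse `aws sts get-session-token` output, check expiry, render a credentials profile.

Added example (not from the original page). SAMPLE_STS_OUTPUT is a constructed
stand-in for the CLI's JSON; real values are longer and opaque.
"""
import configparser
import io
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: same keys as the real CLI output, dummy values.
SAMPLE_STS_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
        "SecretAccessKey": "EXAMPLEsecretKeyEXAMPLEsecretKeyEXAMPLE0",
        "SessionToken": "EXAMPLEtokenEXAMPLEtokenEXAMPLEtoken",
        "Expiration": "2024-06-01T12:00:00+00:00",
    }
})

_REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")


def _parse_time(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; accept a trailing Z as well as +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_session_token(text: str) -> dict:
    """Extract the values step 4 tells you to copy, plus the expiry time."""
    creds = json.loads(text)["Credentials"]
    missing = [k for k in _REQUIRED if k not in creds]
    if missing:
        raise ValueError(f"STS output is missing {missing}")
    return {
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],
        "expiration": _parse_time(creds["Expiration"]),
    }


def seconds_remaining(creds: dict, now_iso: Optional[str] = None) -> float:
    """Seconds until the token stops working (negative once it has expired).

    now_iso lets a caller pin "now" for reproducible checks; default is UTC now.
    """
    now = _parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    return (creds["expiration"] - now).total_seconds()


def render_profile(creds: dict, profile: str) -> str:
    """Render a section for ~/.aws/credentials.

    aws_session_token is mandatory for temporary credentials; the key pair on
    its own does not authenticate.
    """
    cp = configparser.ConfigParser()
    cp[profile] = {
        "aws_access_key_id": creds["access_key_id"],
        "aws_secret_access_key": creds["secret_access_key"],
        "aws_session_token": creds["session_token"],
    }
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    creds = parse_session_token(SAMPLE_STS_OUTPUT)
    print(f"token valid for {seconds_remaining(creds):.0f} more seconds")
    print(render_profile(creds, "ingest-temp"))
```

In real use, pipe the CLI output into parse_session_token instead of the sample, and treat the rendered section like any other secret (the same secure location the article asks for in step 4).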