This feature is available in SaaS environments running v40.2 or later.
In v40.2 and later, you can use Amazon Web Services (AWS) Identity and Access Management (IAM) roles to authenticate connections for the following blocks:
S3 Listener Input Block
Message Queue (MQ) Listener Input Block (Amazon SQS)
S3 Notifier Output Block
Message Queue Notifier Output Block (Amazon SQS)
If you would like to use AWS IAM roles in the connections for these blocks, reach out to your Hyperscience representative. They will then help you work with a Hyperscience Cloud Engineer to complete the steps outlined below.
1) Hyperscience provides environment details.
Hyperscience shares the following information, which you will need to create the IAM role in step 3:
OIDC Issuer URL for the cluster (HS_OIDC_PROVIDER)
Your environment name (HS_CUST_ENV_NAME)
Name of the Hyperscience service account in your environment (HS_CUST_SVC_ACCT_NAME)
2) Create an OpenID Connect (OIDC) provider in your AWS account.
Using the OIDC Issuer URL provided by Hyperscience as the Provider URL, create an OIDC provider in your AWS account by following the steps in Amazon’s Create an IAM OIDC provider for your cluster.
3) Create an IAM role using the details Hyperscience provided.
For more information on creating IAM roles, see Amazon’s Create a role using custom trust policies.
Example using the command line:
HS_OIDC_PROVIDER="oidc.eks.us-east-1.amazonaws.com/id/00000000000000000000000000000000"
HS_CUST_ENV_NAME="customer-dev"
HS_CUST_SVC_ACCT_NAME="${HS_CUST_ENV_NAME}-hyperscience-block"
AWS_ACCOUNT_ID=012345678901
AWS_REGION=us-east-1
AWS_RESOURCE=my-sqs-queue-name
AWS_IAM_POLICY_NAME=hs-access-policy
AWS_IAM_ROLE_NAME=customer-role-name

# Permissions policy: what the role may do with the queue the block uses.
# "SQS:*" is shown for brevity; narrow it to the actions the block actually needs.
cat >"${AWS_IAM_POLICY_NAME}.json" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:${AWS_REGION}:${AWS_ACCOUNT_ID}:${AWS_RESOURCE}"
    }
  ]
}
EOF

# Create the IAM policy with the permissions needed by the Hyperscience service account.
aws iam create-policy --policy-name "$AWS_IAM_POLICY_NAME" --policy-document "file://${AWS_IAM_POLICY_NAME}.json"

# Trust policy: only the Hyperscience service account in your environment, presenting a
# token issued by the OIDC provider for the sts.amazonaws.com audience, may assume the role.
cat >hs-trust-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${HS_OIDC_PROVIDER}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${HS_OIDC_PROVIDER}:aud": "sts.amazonaws.com",
          "${HS_OIDC_PROVIDER}:sub": "system:serviceaccount:${HS_CUST_ENV_NAME}:${HS_CUST_SVC_ACCT_NAME}"
        }
      }
    }
  ]
}
EOF

# Create the role using the trust (assume role) policy.
aws iam create-role --role-name "$AWS_IAM_ROLE_NAME" --assume-role-policy-document file://hs-trust-policy.json

# Attach the IAM policy to the role.
aws iam attach-role-policy --role-name "$AWS_IAM_ROLE_NAME" --policy-arn "arn:aws:iam::${AWS_ACCOUNT_ID}:policy/${AWS_IAM_POLICY_NAME}"
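As an added check that is not part of the Hyperscience procedure, the Python snippet below validates a trust policy document like hs-trust-policy.json before it is uploaded: it confirms the federated principal is the expected OIDC provider, the audience is sts.amazonaws.com, and the subject is pinned to the exact namespace and service account (an unset namespace variable or a StringLike wildcard on sub would widen the trust to other service accounts). The provider, account and environment values are constructed placeholders matching the example above.

```python
import json

# Constructed placeholder values mirroring the variables in the procedure above.
HS_OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/00000000000000000000000000000000"
HS_CUST_ENV_NAME = "customer-dev"
HS_CUST_SVC_ACCT_NAME = f"{HS_CUST_ENV_NAME}-hyperscience-block"
AWS_ACCOUNT_ID = "012345678901"
WEB_IDENTITY_ACTION = "sts:AssumeRoleWithWebIdentity"


def expected_subject(namespace, service_account):
    """Subject claim EKS places in a pod's projected service account token."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def check_trust_policy(doc, account_id, provider, namespace, service_account):
    """Return a list of findings; an empty list means the role trust is pinned correctly."""
    findings = []
    expected_principal = f"arn:aws:iam::{account_id}:oidc-provider/{provider}"
    seen = False
    for stmt in doc.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or WEB_IDENTITY_ACTION not in actions:
            continue
        seen = True
        if stmt.get("Principal", {}).get("Federated") != expected_principal:
            findings.append("federated principal is not the expected OIDC provider")
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        if equals.get(f"{provider}:aud") != "sts.amazonaws.com":
            findings.append("aud is not pinned to sts.amazonaws.com")
        if equals.get(f"{provider}:sub") != expected_subject(namespace, service_account):
            findings.append("sub is not pinned to the exact namespace and service account")
        # A StringLike wildcard on sub would let other service accounts assume the role.
        like_sub = cond.get("StringLike", {}).get(f"{provider}:sub", "")
        if any(ch in like_sub for ch in "*?"):
            findings.append("sub uses a StringLike wildcard")
    if not seen:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return findings


def check_trust_policy_json(text, **kwargs):
    """Same check on a JSON string, e.g. the content of hs-trust-policy.json."""
    return check_trust_policy(json.loads(text), **kwargs)
```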
4) Provide the role’s Amazon Resource Name (ARN) to Hyperscience.
A Hyperscience Cloud Engineer will use this information to finish the configuration process.
5) Hyperscience configures the environment and notifies you upon completion.
After the process is complete, you can enable the Use AWS EC2 Instance IAM Role Credentials setting when setting up AWS connections in Input Blocks and Output Blocks.