AWS S3 Access

A number of our integrations require a partner to access a Magenta Advertising Platform provided AWS S3 Bucket.

There are two ways to provision credentials for access to this bucket.

AWS IAM Role Trust

This is the preferred mechanism for access.

Data security is enforced using AWS Identity and Access Management (IAM). To access a Magenta Advertising Platform provided S3 bucket, you will need your own valid AWS account and an IAM user with the sts:AssumeRole privilege.

To grant access to S3, Magenta Advertising Platform takes your organization’s AWS account ID and creates a new role within Magenta Advertising Platform's AWS account. This role has a unique identifier called a Role ARN. This role grants access to your data, and can only be assumed from IAM users within your AWS account.

  1. You will need to provide the ARN for an IAM Role or IAM User in an AWS account that you own. This role will need to be given the sts:AssumeRole permission.
  2. Once we receive your ARN we will create an IAM Role in our AWS account that specifies your ARN as a trusted entity. We will send you the ARN of our IAM Role.
  3. When accessing our S3 bucket you will need to assume the role in our account using the ARN we have provided.

Obtaining Temporary Credentials to Access Data Platform

In order to access your data from Magenta Advertising Platform's AWS account, first make sure that you have received a role ARN and an External ID from Magenta Advertising Platform. The role ARN should take the form of arn:aws:iam::041138300700:role/<ROLE_NAME> and the External ID should take the form of XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.

Next, attach a group policy to the IAM user who is trying to assume the role. The policy should use the role ARN provided by Magenta Advertising Platform and take the following form:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::041138300700:role/<ROLE_NAME>"
    }
}

Then, you need to call the sts:AssumeRole action from within your own AWS account, using both the role ARN and External ID provided by Magenta Advertising Platform. If the call succeeds (you are allowed to assume roles, and have been authorized to assume the role Magenta Advertising Platform created) you will receive a set of temporary credentials to access your data.

How to do this using the AWS CLI is documented here: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html

For AWS SDKs check out the STS.AssumeRole method. The JavaScript SDK documentation is here: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/STS.html#assumeRole-property
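The steps above, as an added Python (boto3) example that is not Magenta Advertising Platform's own code: it checks that the role ARN and External ID you received match the forms given on this page before calling sts:AssumeRole, then lists a bucket with the temporary credentials. The session name, bucket and prefix arguments, and the External ID character set (letters and digits) are assumptions.

```python
import re

# Forms stated on this page. The account ID is pinned so an ARN pointing at any
# other account is rejected before credentials are requested.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::041138300700:role/[\w+=,.@-]+$")
# Assumption: each X in the External ID is a letter or digit (8-4-4-4-12 layout).
EXTERNAL_ID_RE = re.compile(r"^[0-9A-Za-z]{8}(-[0-9A-Za-z]{4}){3}-[0-9A-Za-z]{12}$")


def build_assume_role_request(role_arn, external_id, session_name="partner-s3-access"):
    """Validate the received values and build the sts:AssumeRole parameters."""
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError("role ARN is not in the expected account or format")
    if not EXTERNAL_ID_RE.match(external_id):
        raise ValueError("External ID is not in the expected format")
    return {
        "RoleArn": role_arn,
        "ExternalId": external_id,
        "RoleSessionName": session_name,  # hypothetical name, shows up in CloudTrail
    }


def credentials_to_client_kwargs(assume_role_response):
    """Map the temporary credentials in an AssumeRole response to boto3 client arguments."""
    creds = assume_role_response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def list_bucket(role_arn, external_id, bucket, prefix=""):
    """Assume the role and return object keys. Needs boto3 and network access."""
    import boto3  # imported here so the helpers above work without it

    request = build_assume_role_request(role_arn, external_id)
    response = boto3.client("sts").assume_role(**request)
    s3 = boto3.client("s3", **credentials_to_client_kwargs(response))
    keys = []
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix):
        keys.extend(obj["Key"] for obj in page.get("Contents", []))
    return keys
```

The temporary credentials expire, so long-running jobs should call sts:AssumeRole again rather than storing the returned keys.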

AWS Access Keys

This is NOT the preferred method. If you use this method you will need to get new access keys every 90 days. Your old access keys will be disabled after 80 days.

If you must use this option, please provide the email address and phone number of a contact who is responsible for updating the keys in your system, as well as an escalation contact in case that individual is not available.

Once this information is provided we will provide your first set of access keys.