Cross Account Role

AWS recommends the use of cross account roles for accessing customer resources example data in their s3 buckets.

Users can use Cross Account Role to grant permission to Accern AI platform using any of the 2 options below. Once the role has been setup, the users must provide the role ARN in the connection configurations in Accern AI Platform.

• Cloud Formation Stack: Cloud formation stack helps automate the creation of a cross account role with the required policies to access the s3 bucket that a customer provides. Users will get an auto-generated Cloud Formation Template URL with below fields.

  Stack name - The cloud formation stack that will be created and run in the customer account.

  External ID - The secure external ID that the cross account role will use to access the customers data. This will be unique per client that is using the Accern AI Platform.

  Other Account Number - Accern’s AWS account Id.

  S3 Bucket Name - The user will need to provide the s3 bucket name in its AWS account to which Accern will be given access.

• Create Roles and Permissions Manually: Users can create the necessary roles and permissions manually as well using the Accern Account Id and External Id provided.

Then the below policy document needs to be used to grant access to the specific S3 bucket. This may require creating a new policy that should be attached to the role being created.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::<update-this-with-s3-bucket-name>",
            "Effect": "Allow",
            "Sid": "ListObjectsInBucket"
        },
        {
            "Action": "s3:*Object",
            "Resource": "arn:aws:s3:::<update-this-with-s3-bucket-name>/*",
            "Effect": "Allow",
            "Sid": "AllObjectActions"
        }
    ]
}