AWS - Required permissions

When it works with Snowflake, Tonic Structural orchestrates the creation, usage, and deletion of AWS components. The required permissions come from the IAM user or IAM role that Structural uses, as configured in the workspace settings.

Note that these permissions are a starting point. Based on your exact AWS setup, you might need to add other permissions. For example, if you use AWS Key Management Service (KMS) on your S3 buckets, then you might need to grant AWS KMS access.

The following example policy allows Structural to properly orchestrate jobs in your AWS infrastructure. It assumes that you use default names for objects in AWS, and that your source and destination S3 bucket names begin with the tonic- prefix.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::tonic-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:PutObjectTagging"
            ],
            "Resource": "arn:aws:s3:::tonic-*/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::tonic-*",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "*"
                    ]
                }
            }
        }
    ]
}
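As an added example (not code from the Tonic documentation), the following Python check evaluates the policy above the way IAM's wildcard matching does, so you can confirm that a given action on a given bucket or object ARN is covered, and it flags any statement that reaches beyond the tonic- buckets. The policy dict is the page's policy transcribed; the bucket and object ARNs in the comments are constructed samples, and statement conditions are not evaluated (the only condition on this page, s3:prefix StringLike "*", matches any prefix).

```python
import re

# The example policy from this page, embedded as a dict so the check runs offline.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::tonic-*"]},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion", "s3:DeleteObject",
                    "s3:DeleteObjectVersion", "s3:PutObjectTagging"],
         "Resource": "arn:aws:s3:::tonic-*/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::tonic-*",
         "Condition": {"StringLike": {"s3:prefix": ["*"]}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def iam_match(pattern, value, case_sensitive=True):
    """IAM-style wildcard match: '*' matches any run of characters (including '/'),
    '?' matches one character. Actions are case-insensitive, ARNs are case-sensitive."""
    regex = "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern) + "$"
    return re.match(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None

def is_allowed(policy, action, resource):
    """True if an Allow statement covers (action, resource) and no Deny statement does.
    Assumption: conditions are treated as satisfied (not evaluated)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(iam_match(a, action, case_sensitive=False) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(iam_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny always wins
        allowed = True
    return allowed

def scope_findings(policy, bucket_prefix="tonic-"):
    """Flag statements whose actions leave S3 or whose resources are not limited to
    buckets named with the expected prefix (catches 'Action': '*' and 'Resource': '*')."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        for a in _as_list(stmt.get("Action", [])):
            if not a.lower().startswith("s3:"):
                findings.append(f"statement {i}: non-S3 or wildcard action {a!r}")
        for r in _as_list(stmt.get("Resource", [])):
            if not r.startswith(f"arn:aws:s3:::{bucket_prefix}"):
                findings.append(f"statement {i}: resource {r!r} not limited to {bucket_prefix}* buckets")
    return findings
```

Run `scope_findings` again after you extend the policy (for example with KMS actions, as the note above mentions) so that any widening of the resource scope is deliberate rather than accidental.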
