Using the Amazon FinSpace API -

Using the Amazon FinSpace API

Use the topics in this section to understand how to use the FinSpace data APIs.

Accessing the FinSpace credentials

To use the FinSpace data APIs, you need to be a registered user in FinSpace environment. You use API credentials that are associated with your user profile in Amazon FinSpace. The credentials are only valid for 60 minutes. There are two ways to access the API credentials.

  1. Copy the API credentials from FinSpace web application - You do not have to be a registered Identity Access and Management (IAM) user. Use the following procedure to procure short term API credentials to use with FinSpace SDK.

    1. From the FinSpace homepage, go to the gear menu. Choose API Credentials.

    2. Copy the Access Key ID, Secret Access Key, Session Token.

    3. Use the credentials to use the FinSpace data APIs.

      #!/usr/bin/env python import boto3 session = boto3.session.Session() finSpaceClient = session.client( region_name='us-east-1', service_name='finspace-data', aws_access_key_id='Specify Access Key ID', aws_secret_access_key='Specify Secret Access Key', aws_session_token='Specify Session Token' )
  2. Access credentials programmatically using IAM access key id and secret access key - Your Amazon Resource Name (ARN) must be registered with your user profile in FinSpace web application to use this method. Please contact your administrator to verify. You can find your FinSpace environment id from the sign-in URL that you use to login to your FinSpace web application. For example, if your FinSpace sign-in URL is, the environment id is vs57phhvijir4kv5rf6ywt.

    #!/usr/bin/env python import boto3 REGION = "us-east-1" PROD_ENVIRONMENT_ID = "Specify FinSpace environment id" AWS_ACCESS_KEY_ID = "Specify AWS_ACCESS_KEY_ID" # Access key id of your IAM user AWS_SECRET_ACCESS_KEY = "Specify AWS_SECRET_ACCESS_KEY" # Secret access key for your IAM user session = boto3.Session(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, region_name=REGION) client = session.client( region_name=REGION, service_name='finspace-data', aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY ) apiCredentials = client.get_programmatic_access_credentials(environmentId=PROD_ENVIRONMENT_ID) finSpaceClient = session.client( service_name='finspace-data', aws_access_key_id=apiCredentials['credentials']['AccessKeyId'], aws_secret_access_key=apiCredentials['credentials']['SecretAccessKey'], aws_session_token=apiCredentials['credentials']['SessionToken'] )

Loading data from an Amazon S3 Bucket using the FinSpace API

You can load data from an external S3 bucket into Amazon FinSpace when you create or update a change set. To do this, you will first need to enable access to an S3 bucket where the data resides from FinSpace.


In order to setup access to an S3 bucket, you must be authorized to access the FinSpace page in AWS Management Console and make changes to bucket-level permissions in Amazon S3.

Find your FinSpace infrastructure account number from Amazon FinSpace page in AWS Management console

  1. Sign in to your AWS account and open FinSpace from the AWS Management Console. It is located under Analytics, and you can find it by searching for FinSpace.

  2. In the FinSpace page, from the list of environments, choose the environment that you want to setup to access an S3 bucket.

  3. On the environment page, copy and save the FinSpace infrastructure account name.

Setup access for FinSpace infrastructure account in S3 bucket policy

  1. Sign in to your AWS account and open Amazon S3 from the AWS Management Console. It is located under Storage, and you can find it by searching for S3.

  2. Choose the bucket that you want to access from your FinSpace environment.

  3. Set a bucket policy for the bucket with following json code. For example, if your bucket name is example-bucket and your FinSpace infrastructure account number is 123456789101 below would be the example policy.

    { "Version": "2012-10-17", "Id": "CrossAccountAccess", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::123456789101:role/FinSpaceServiceRole" ] }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*" }, { "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::123456789101:role/FinSpaceServiceRole" ] }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket" } ] }

    Using the above policy, you should be able to access example-bucket from the FinSpace environment, which is associated with the FinSpace infrastructure account number 123456789101 .