IAM role for importing endpoints or segments - Amazon Pinpoint

IAM role for importing endpoints or segments

With Amazon Pinpoint, you can define a user segment by importing endpoint definitions from an Amazon Simple Storage Service (Amazon S3) bucket in your AWS account. Before you import, you must delegate the required permissions to Amazon Pinpoint. To do this, you create an AWS Identity and Access Management (IAM) role and attach the following policies to the role:

  • The AmazonS3ReadOnlyAccess AWS managed policy. This policy is created and managed by AWS, and it grants read-only access to your Amazon S3 bucket.

  • A trust policy that allows Amazon Pinpoint to assume the role. The trust policy shown below also uses the aws:SourceAccount and aws:SourceArn condition keys so that only the Amazon Pinpoint service, acting for your account and your project, can assume it.

After you create the role, you can use Amazon Pinpoint to import segments from an Amazon S3 bucket. For information about creating the bucket, creating endpoint files, and importing a segment by using the console, see Importing segments in the Amazon Pinpoint User Guide. For an example of how to import a segment programmatically by using the AWS SDK for Java, see Import segments in Amazon Pinpoint in this guide.

Creating the IAM role (AWS CLI)

Complete the following steps to create the IAM role by using the AWS Command Line Interface (AWS CLI). If you haven't installed the AWS CLI, see Installing the AWS CLI in the AWS Command Line Interface User Guide.

To create the IAM role by using the AWS CLI
  1. Create a JSON file that contains the trust policy for your role, and save the file locally. You can use the following trust policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": "pinpoint.amazonaws.com"
          },
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "accountId"
            },
            "ArnLike": {
              "aws:SourceArn": "arn:aws:mobiletargeting:region:accountId:apps/application-id"
            }
          }
        }
      ]
    }

    In the preceding example, do the following:

    • Replace region with the AWS Region in which you use Amazon Pinpoint.

    • Replace accountId with the unique ID for your AWS account.

    • Replace application-id with the unique ID of the Amazon Pinpoint project.

  2. At the command line, use the create-role command to create the role and attach the trust policy:

    aws iam create-role --role-name PinpointSegmentImport --assume-role-policy-document file://PinpointImportTrustPolicy.json

    Following the file:// prefix, specify the path to the JSON file that contains the trust policy.

    After you run this command, you see output that's similar to the following in your terminal:

    {
      "Role": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "pinpoint.amazonaws.com"
              },
              "Condition": {
                "StringEquals": {
                  "aws:SourceAccount": "accountId"
                },
                "ArnLike": {
                  "aws:SourceArn": "arn:aws:mobiletargeting:region:accountId:apps/application-id"
                }
              }
            }
          ]
        },
        "RoleId": "AIDACKCEVSQ6C2EXAMPLE",
        "CreateDate": "2016-12-20T00:44:37.406Z",
        "RoleName": "PinpointSegmentImport",
        "Path": "/",
        "Arn": "arn:aws:iam::accountId:role/PinpointSegmentImport"
      }
    }

  3. Use the attach-role-policy command to attach the AmazonS3ReadOnlyAccess AWS managed policy to the role:

    aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess --role-name PinpointSegmentImport
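As an added check that is not part of this page or of the AWS documentation, the following Python function parses a trust policy like the one created above and reports whether it is restricted to the Amazon Pinpoint service principal and carries both confused-deputy conditions (aws:SourceAccount and aws:SourceArn) for the expected account and a single project. The account ID, Region and application ID in the embedded sample policy are constructed placeholders.

```python
import json
import re

# Constructed sample: the trust policy from this page with the placeholders
# filled in (account, Region and application ID are made-up values).
TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {"Service": "pinpoint.amazonaws.com"},
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "123456789012"},
      "ArnLike": {"aws:SourceArn": "arn:aws:mobiletargeting:us-east-1:123456789012:apps/a1b2c3d4e5f6"}
    }
  }]
}"""

# A Pinpoint project ARN with a concrete Region, account and application ID.
PINPOINT_APP_ARN = re.compile(r"^arn:aws:mobiletargeting:[a-z0-9-]+:(\d{12}):apps/[a-z0-9]+$")


def check_pinpoint_trust_policy(policy_json, expected_account):
    """Return a list of findings; an empty list means the policy is scoped as this page recommends."""
    findings = []
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:  # e.g. an ArnLike block that lacks the aws:SourceArn key
        return [f"invalid JSON: {exc}"]
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else principal
        services = [services] if isinstance(services, str) else services
        if services != ["pinpoint.amazonaws.com"]:
            findings.append(f"principal is not exactly the Pinpoint service: {services!r}")
        cond = stmt.get("Condition", {})
        account = cond.get("StringEquals", {}).get("aws:SourceAccount")
        if account != expected_account:
            findings.append(f"aws:SourceAccount is {account!r}, expected {expected_account!r}")
        arn = cond.get("ArnLike", {}).get("aws:SourceArn")
        match = PINPOINT_APP_ARN.match(arn or "")
        if not match:
            findings.append(f"aws:SourceArn missing or not scoped to one Pinpoint project: {arn!r}")
        elif match.group(1) != expected_account:
            findings.append("account in aws:SourceArn does not match the expected account")
    return findings
```

Run it against the JSON file you pass to create-role before creating the role, and again on the AssumeRolePolicyDocument that create-role echoes back.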