IAM role for importing endpoints or segments
With Amazon Pinpoint, you can define a user segment by importing endpoint definitions from an Amazon Simple Storage Service (Amazon S3) bucket in your AWS account. Before you import, you must delegate the required permissions to Amazon Pinpoint. To do this, you create an AWS Identity and Access Management (IAM) role and attach the following policies to the role:
-
The
AmazonS3ReadOnlyAccessAWS managed policy. This policy is created and managed by AWS, and it grants read-only access to your Amazon S3 bucket. -
A trust policy that allows Amazon Pinpoint to assume the role.
After you create the role, you can use Amazon Pinpoint to import segments from an Amazon S3 bucket. For information about creating the bucket, creating endpoint files, and importing a segment by using the console, see Importing segments in the Amazon Pinpoint User Guide. For an example of how to import a segment programmatically by using the AWS SDK for Java, see Importing segments in this guide.
Creating the IAM role (AWS CLI)
Complete the following steps to create the IAM role by using the AWS Command Line Interface (AWS CLI). If you haven't installed the AWS CLI, see Installing the AWS CLI in the AWS Command Line Interface User Guide.
To create the IAM role by using the AWS CLI
-
Create a JSON file that contains the trust policy for your role, and save the file locally. You can use the following trust policy.
{ "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "pinpoint.amazonaws.com" }, "Condition": { "StringEquals": { "aws:SourceAccount": "accountId" }, "ArnLike": { "arn:aws:mobiletargeting:region:accountId:apps/application-id" } } } ] }In the preceding example, do the following:
-
Replace
regionwith the AWS Region that you use Amazon Pinpoint in. -
Replace
accountIdwith the unique ID for your AWS account. -
Replace
application-idwith the unique ID of the project.
-
-
At the command line, use the
create-rolecommand to create the role and attach the trust policy:aws iam create-role --role-namePinpointSegmentImport--assume-role-policy-document file://PinpointImportTrustPolicy.jsonFollowing the
file://prefix, specify the path to the JSON file that contains the trust policy.After you run this command, you see output that's similar to the following in your terminal:
{ "Role": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": "pinpoint.amazonaws.com" }, "Condition": { "StringEquals": { "aws:SourceAccount": "accountId" }, "ArnLike": { "aws:SourceArn": "arn:aws:mobiletargeting:region:accountId:apps/application-id" } } } ] }, "RoleId": "AIDACKCEVSQ6C2EXAMPLE", "CreateDate": "2016-12-20T00:44:37.406Z", "RoleName": "PinpointSegmentImport", "Path": "/", "Arn": "arn:aws:iam::accountId:role/PinpointSegmentImport" } } -
Use the
attach-role-policycommand to attach theAmazonS3ReadOnlyAccessAWS managed policy to the role:aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess --role-namePinpointSegmentImport
