Journal export permissions in QLDB - Amazon Quantum Ledger Database (Amazon QLDB)

Journal export permissions in QLDB

Before submitting a journal export request in Amazon QLDB, you must provide QLDB with write permissions in your specified Amazon S3 bucket. If you choose a customer managed AWS KMS key as the object encryption type for your Amazon S3 bucket, you must also provide QLDB with permissions to use your specified symmetric encryption key. Amazon S3 doesn't support asymmetric KMS keys.

To provide your export job with the necessary permissions, you can make QLDB assume an IAM service role with the appropriate permissions policies. A service role is an IAM role that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.

Note

To pass a role to QLDB when requesting a journal export, you must have permissions to perform the iam:PassRole action on the IAM role resource. This is in addition to the qldb:ExportJournalToS3 permission on the QLDB ledger resource.

To learn how to control access to QLDB using IAM, see How Amazon QLDB works with IAM. For a QLDB policy example, see Identity-based policy examples for Amazon QLDB.

In this example, you create a role that allows QLDB to write objects into an Amazon S3 bucket on your behalf. For more information, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.

If you're exporting a QLDB journal in your AWS account for the first time, you must first create an IAM role with the appropriate policies by doing the following. Or, you can use the QLDB console to automatically create the role for you. Otherwise, you can choose a role that you previously created.

Create a permissions policy

Complete the following steps to create a permissions policy for a QLDB journal export job. This example shows an Amazon S3 bucket policy that grants QLDB permissions to write objects into your specified bucket. If applicable, the example also shows a key policy that allows QLDB to use your symmetric encryption KMS key.

For more information about Amazon S3 bucket policies, see Using bucket policies and user policies in the Amazon Simple Storage Service User Guide. To learn more about AWS KMS key policies, see Using key policies in AWS KMS in the AWS Key Management Service Developer Guide.

Note

Your Amazon S3 bucket and KMS key must both be in the same AWS Region as your QLDB ledger.

To use the JSON policy editor to create a policy
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation column on the left, choose Policies.

    If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.

  3. At the top of the page, choose Create policy.

  4. Choose the JSON tab.

  5. Enter a JSON policy document.

    • If you're using a customer managed KMS key for Amazon S3 object encryption, use the following example policy document. To use this policy, replace DOC-EXAMPLE-BUCKET, us-east-1, 123456789012, and 1234abcd-12ab-34cd-56ef-1234567890ab in the example with your own information.

      { "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBJournalExportS3Permission", "Action": [ "s3:PutObjectAcl", "s3:PutObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" }, { "Sid": "QLDBJournalExportKMSPermission", "Action": [ "kms:GenerateDataKey" ], "Effect": "Allow", "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ] }
    • For other encryption types, use the following example policy document. To use this policy, replace DOC-EXAMPLE-BUCKET in the example with your own Amazon S3 bucket name.

      { "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBJournalExportS3Permission", "Action": [ "s3:PutObjectAcl", "s3:PutObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" } ] }
  6. Choose Review policy.

    Note

    You can switch between the Visual editor and JSON tabs any time. However, if you make changes or choose Review policy in the Visual editor tab, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring in the IAM User Guide.

  7. On the Review policy page, enter a Name and an optional Description for the policy that you are creating. Review the policy Summary to see the permissions that are granted by your policy. Then choose Create policy to save your work.

Create an IAM role

After creating a permissions policy for your QLDB journal export job, you can then create an IAM role and attach your policy to it.

To create the service role for QLDB (IAM console)
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane of the IAM console, choose Roles, and then choose Create role.

  3. For Trusted entity type, choose AWS service.

  4. For Service or use case, choose QLDB, and then choose the QLDB use case.

  5. Choose Next.

  6. Select the box next to the policy that you created in the previous steps.

  7. (Optional) Set a permissions boundary. This is an advanced feature that is available for service roles, but not service-linked roles.

    1. Open the Set permissions boundary section, and then choose Use a permissions boundary to control the maximum role permissions.

      IAM includes a list of the AWS managed and customer-managed policies in your account.

    2. Select the policy to use for the permissions boundary.

  8. Choose Next.

  9. Enter a role name or a role name suffix to help you identify the purpose of the role.

    Important

    When you name a role, note the following:

    • Role names must be unique within your AWS account, and can't be made unique by case.

      For example, don't create roles named both PRODROLE and prodrole. When a role name is used in a policy or as part of an ARN, the role name is case sensitive, however when a role name appears to customers in the console, such as during the sign-in process, the role name is case insensitive.

    • You can't edit the name of the role after it's created because other entities might reference the role.

  10. (Optional) For Description, enter a description for the role.

  11. (Optional) To edit the use cases and permissions for the role, in the Step 1: Select trusted entities or Step 2: Add permissions sections, choose Edit.

  12. (Optional) To help identify, organize, or search for the role, add tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM resources in the IAM User Guide.

  13. Review the role, and then choose Create role.

The following JSON document is an example of a trust policy that allows QLDB to assume an IAM role with specific permissions attached to it.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "qldb.amazonaws.com" }, "Action": [ "sts:AssumeRole" ], "Condition": { "ArnEquals": { "aws:SourceArn": "arn:aws:qldb:us-east-1:123456789012:*" }, "StringEquals": { "aws:SourceAccount": "123456789012" } } } ] }
Note

This trust policy example shows how you can use the aws:SourceArn and aws:SourceAccount global condition context keys to prevent the confused deputy problem. With this trust policy, QLDB can assume the role for any QLDB resource in the account 123456789012 only.

For more information, see Cross-service confused deputy prevention.

After creating your IAM role, return to the QLDB console and refresh the Create export job page so that it can find your new role.