Tutorial: Creating a connector for
Goldman Sachs Financial Cloud for Data
Important
Amazon FinSpace Dataset Browser will be discontinued on March 26,
2025. Starting November 29, 2023, FinSpace will no longer accept the creation of new Dataset Browser
environments. Customers using Amazon FinSpace with Managed Kdb Insights
This tutorial guides you through the steps to create a data connector for the Goldman Sachs Financial Cloud for Data (GSFCD) provider.
Prerequisites
Before you proceed, make sure that you have the following available:
-
Goldman Sachs Financial Cloud for Data API credentials – These credentials will be used to connect to the GSFCD. The credentials will be stored in AWS Secrets Manager so that the data connector can use them securely.
Registered users for Goldman Sachs Financial Cloud for Data can obtain new API credentials from Goldman Sachs Developer website
. New users can submit a request to obtain API credentials at Goldman Sachs Financial Cloud for Data
.
-
A FinSpace environment – You can only use a data connector in the FinSpace environment where it was created. For more information, see Create an Amazon FinSpace environment.
Step 1: Add connector details
To add connector details
Sign in to the AWS Management Console and open the Amazon FinSpace console at https://console.aws.amazon.com/finspace
. In the left pane, choose Data Providers.
Tip
Alternatively, you can also perform the following steps:
-
In the left pane, choose Environments.
-
From the list of environments, choose the name of the environment where you want to create a data connector.
-
On the environment details page, scroll down to Data Connectors and choose Create connector. The Data Providers page opens.
-
On the Data Providers page, for the Goldman Sachs Financial Cloud for Data provider, choose Add connector.
On the Connector details page, provide a unique Connector name, and choose an account with superuser to run the connector.
For Scheduled runs, select this option if you want to schedule automatic connector runs. The data connector will run daily at 00:00 UTC.
Clear this option if you don't want to schedule automatic runs. You will need to manually start the data connector run from the console. For more information, see Running a data connector.
Choose Next and proceed to Step 2: Add a secret name.
Step 2: Add a secret name
FinSpace uses AWS Secrets Manager to store the API credentials that your FinSpace environment will use to connect to the Goldman Sachs Financial Cloud for Data API. For more information, see Secrets Manager concepts in the AWS Secrets Manager User Guide.
When you choose Next on the Connector details page in the previous step, the Secret name page opens. You can choose an existing secret name or create a new one.
To add a secret name
On the Secret name page, choose an existing secret name from the dropdown list.
You can also create a new secret name on this page by choosing the Create new secret option from the list.
Under the Create new secret section, for Secret name, enter a unique name for the secret.
Enter the key-value pair for your secret in Client ID and Client secret, respectively.
Choose an encryption AWS KMS key. This key will be used by AWS Secrets Manager to encrypt your secret. You can select an existing KMS key from the dropdown or create a new one by using the AWS Key Management Service. For more information, see the AWS Key Management Service Developer Guide.
Note
By default, this field displays the KMS key that you used to create the environment where you're creating this data connector.
Choose Next and proceed to Step 3: Add customer IAM role.
Note
You can also create a secret directly from the AWS Secrets Manager console. For more information, see Create a secret in the AWS Secrets Manager User Guide.
Step 3: Add customer IAM role
In FinSpace, you can securely control access to data connectors by creating IAM policies and attaching them to roles. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when a principal uses an IAM entity (user or role) to make a request. For more information, see Roles terms and concepts in the IAM User Guide.
When you choose Next on the Secret name page in the previous step, the Customer IAM role page opens. You can select an existing role or create a new one.
To add a customer IAM role
On the Customer IAM role page, choose an existing role ARN from the dropdown list.
You can also create a new role on this page by choosing the Create new customer IAM role option from list.
First create a permissive IAM policy and then create an IAM role. Then attach the new policy to it.
To create an IAM policy
Under the Create a policy section, choose Copy code to copy the policy code. You will use this code to create an IAM permissions policy.
Choose Go to policy creation form. This button opens the Create policy page in a new tab.
Note
Do not close the Customer IAM role tab.
On the Create policy page, choose the JSON tab. Delete any prepopulated JSON code, and then paste the policy code that you copied in previous step.
Choose Next: Tags. (Optional) Add metadata to the policy by attaching tags as key-value pairs.
Choose Next: Review.
On the Review policy page, enter a Name and a Description (optional) for the policy that you're creating. Review the policy Summary to see the permissions that are granted by your policy. Then choose Create policy to save your work.
Note
Remember this policy name because you will need it while creating a role.
To create an IAM role
Return to the Select customer IAM role tab. Under the Create a customer IAM role section, choose Copy code to copy the trust relationship code.
Choose Go to customer IAM role form. This button opens the Create role setup in a new tab.
Note
Do not close the Customer IAM role tab.
On the Select trusted entity page, for Trusted entity type, choose Custom trust policy.
Under the Custom trust policy section, delete any prepopulated code, and then paste the trust relationship code that you copied in the previous step.
Choose Next.
On the Add permissions page, for Permissions policy, search for the policy name that you created in step f in "To add a customer IAM role". Select the policy check box and choose Next.
On the Name, review, and create page, add a role name. Review the policy and permission details and choose Create role.
Note
Remember this role name because you will need it in the next step.
Return to the Select customer IAM role tab. For Customer IAM role, enter the name of the role you created in the previous step.
Choose Next and proceed to Step 4: Review and create.
Note
You can also create the IAM role and policy directly from the AWS Identity and Access Management console. For more information, see Creating an IAM role (console) in the IAM User Guide.
Step 4: Review and create
Review the connector details, secret name, and customer IAM role, and then choose Create connector.
After the new data connector is created, the connector details page opens where you can perform other operations using a data connector. To verify that the new connector setup is complete, see the Connector summary section and ensure that the Status is Active. The connector will start syncing automatically when it's connected. For more information, see Connector details.
Note
-
If you create multiple GSFCD data connectors for a single Amazon FinSpace environment, duplicate datasets are created in FinSpace if the GSFCD client access credentials that you use have an overlap in the datasets they have access to. To avoid this, only create multiple connectors with credentials that don't have overlapping access to datasets.
Datasets that are created when a GSFCD connector runs are placed in a system-generated permission group. You can't add them to other permission groups.
