How it Works

When an S3 warehouse is setup as a destination in Freshpaint, you will be provided with read-only access to a specific subdirectory of an s3 bucket in our account.

Get Started

To get started, please reach out to support@freshpaint.io and provide the following information:

• Your AWS Account ID

• (Optional) Specify the AWS Principal(s) that will be trusted to assume the IAM role with access to the bucket. By default, we’ll trust your account’s root user. See Permissions for more details.

Once this information is received, we'll complete the setup on our end, and then follow up to inform you once access has been granted to the s3 subdirectory.

Permissions

There is an IAM role in the Freshpaint account that has read-only access to the specific subdirectory of the S3 bucket containing your Freshpaint data. There are two options for configuring the AWS permissioning to grant you cross-account access to assume this role.

Root user

By default, Freshpaint will trust your account's root user to assume the role. Your AWS Account Administrator will need to delegate this permission to the specific users or roles that need to access the Freshpaint S3 bucket.

IAM Role

You can instead provide to Freshpaint Support the ARN of an IAM role in your account. In this case, you need to perform role chaining in order to access the data in S3.

1. First, you need to assume the role in your account. Your AWS Account Administrator may need to grant your user permission to assume the role.

2. Once you've assumed the role in your account, you can assume the role in Freshpaint's account. Again, your AWS Account Administrator may need to grant the role permission to assume the role in Freshpaint's account.

Note that role chaining is not possible in the AWS web console; we recommend using the AWS CLI to access to your s3 warehouse in this case. You can read about how to perform role chaining in the AWS CLI docs.

Validation

We recommend using the AWS CLI to validate access to your S3 data. Make sure to set up your credentials so that you can assume the role in Freshpaint's account that has access to your data.

Run aws sts get-caller-identity to make sure that you've assumed the correct role. If the role is not what you expected, you may need to specify an AWS profile (e.g. aws sts get-caller-identify --profile freshpaint_role). Then, run aws s3 ls perfalytics-warehouse-event-store/<Freshpaint environment id>/ to list the top level prefixes of your Freshpaint data.