docs: customer onboarding IaC for federated S3 backends #330

Description

@alukach

Part of the Federated backend authentication epic (app-side).

What

Customer onboarding docs + copy-paste IaC for wiring a private S3 bucket to Source via federation. This is the make-or-break for adoption.

Contents

  1. Create an IAM OIDC identity provider for https://data.source.coop (AWS auto-fetches its discovery doc + JWKS).
  2. Create a role with:
    • Trust policy: Federated = that provider; StringEquals { "data.source.coop:aud": "source-coop-data-proxy" }; a sub condition at the chosen scope, e.g. StringLike { "data.source.coop:sub": "scv1:conn:<id>:account:<acct>*" }.
    • Permission policy: s3:GetObject / s3:ListBucket scoped to arn:aws:s3:::<bucket>/<base_prefix><mirror_prefix>* (customer-side blast-radius cap).
  3. Paste the role ARN + choose subject_scope in the Source data-connection UI.
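The three steps above, worked through as an added example (this is not the project's onboarding IaC): it builds the trust policy and the prefix-capped permission policy from the values in the issue, then runs a small local check of the trust conditions against sample token claims so a customer can see which subjects the role would and would not accept before pasting the ARN into the UI. Assumptions: the "connection" subject_scope and its pattern are invented to show a wider scope (only the "account" pattern appears in the issue), the AWS account id, connection id and account name are constructed sample values, and the claim checker evaluates only the StringEquals/StringLike keys this policy uses rather than full IAM semantics.

```python
"""Build and sanity-check the IAM trust and permission policies that the
onboarding steps describe (added example; not the project's IaC)."""
import json
import re

# Values taken from the issue text.
PROVIDER_HOST = "data.source.coop"   # OIDC provider URL is https://data.source.coop
AUDIENCE = "source-coop-data-proxy"

# subject_scope -> StringLike pattern for the `sub` claim. Only the "account"
# pattern appears in the issue; the "connection" scope and its pattern are
# assumptions used to show how a wider scope would look.
SUBJECT_PATTERNS = {
    "connection": "scv1:conn:{conn_id}:*",
    "account": "scv1:conn:{conn_id}:account:{account}*",
}


def subject_pattern(subject_scope, conn_id, account=None):
    """Return the StringLike pattern for the chosen subject_scope."""
    if subject_scope == "account" and not account:
        raise ValueError("account scope needs an account name")
    return SUBJECT_PATTERNS[subject_scope].format(conn_id=conn_id, account=account)


def trust_policy(aws_account_id, subject_scope, conn_id, account=None):
    """Role trust policy: Federated principal = the OIDC provider from step 1,
    aud pinned with StringEquals, sub narrowed with StringLike."""
    provider_arn = f"arn:aws:iam::{aws_account_id}:oidc-provider/{PROVIDER_HOST}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{PROVIDER_HOST}:aud": AUDIENCE},
                "StringLike": {
                    f"{PROVIDER_HOST}:sub": subject_pattern(subject_scope, conn_id, account)
                },
            },
        }],
    }


def permission_policy(bucket, base_prefix, mirror_prefix):
    """Read-only permission policy capped to one key prefix. s3:ListBucket is
    granted on the bucket ARN (object ARNs do not apply to it), so the prefix
    cap for listing lives in an s3:prefix condition instead of the resource."""
    prefix = f"{base_prefix}{mirror_prefix}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}},
            },
        ],
    }


def _string_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run, '?' one char, case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def trust_policy_accepts(policy, claims):
    """Local check of the trust policy's conditions against a token's aud/sub
    claims. Only the StringEquals/StringLike keys this policy uses are
    evaluated; this is not a full IAM policy evaluator."""
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        ok = True
        for key, expected in cond.get("StringEquals", {}).items():
            claim = key.split(":", 1)[1]          # "data.source.coop:aud" -> "aud"
            ok = ok and claims.get(claim) == expected
        for key, pattern in cond.get("StringLike", {}).items():
            claim = key.split(":", 1)[1]
            ok = ok and _string_like(pattern, claims.get(claim, ""))
        if ok:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values: AWS account id, connection id, Source account.
    print(json.dumps(trust_policy("123456789012", "account", "conn-42", "acme"), indent=2))
    print(json.dumps(permission_policy("customer-bucket", "data/", "mirror/"), indent=2))
```

One thing the check makes visible: a pattern ending in `<acct>*` is a prefix match, so it also accepts any subject whose account segment merely starts with the same characters. If the real subject format always puts a delimiter after the account segment, ending the pattern with that delimiter before the `*` is tighter; whether that holds depends on the subject format, which the issue only shows in part.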

Deliverables

  • Narrative onboarding doc
  • CloudFormation and Terraform snippets (parameterized by bucket, connection id, prefix)
  • Trust-policy examples for each subject_scope
