Part of the Federated backend authentication epic (app-side).
What
Customer onboarding docs + copy-paste IaC for wiring a private S3 bucket to Source via federation. This is the make-or-break for adoption.
Contents
- Create an IAM OIDC identity provider for https://data.source.coop (AWS auto-fetches its discovery doc + JWKS).
- Create a role with:
  - Trust policy — Federated = that provider; StringEquals { "data.source.coop:aud": "source-coop-data-proxy" }; a sub condition at the chosen scope, e.g. StringLike { "data.source.coop:sub": "scv1:conn:<id>:account:<acct>*" }.
  - Permission policy — s3:GetObject / s3:ListBucket scoped to arn:aws:s3:::<bucket>/<base_prefix><mirror_prefix>* (customer-side blast-radius cap).
- Paste the role ARN + choose subject_scope in the Source data-connection UI.
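The trust and permission policies described above, as an added example (not the project's own IaC or docs): it builds both policy documents and runs a simplified local check of the trust conditions against sample token claims, so the effect of the sub scope can be seen before anything is deployed. Connection id, account, bucket, prefix and AWS account id are constructed placeholders; note that s3:ListBucket is granted on the bucket ARN with an s3:prefix condition, since that action's resource is the bucket itself, not an object key.

```python
import fnmatch

# Constructed placeholder values; the real ones come from the Source data-connection UI.
PROVIDER_HOST = "data.source.coop"
CONN_ID = "conn_123"          # hypothetical connection id
ACCOUNT = "acme"              # hypothetical Source account
BUCKET = "customer-bucket"    # hypothetical customer bucket
PREFIX = "datasets/mirror/"   # <base_prefix><mirror_prefix>

def provider_arn(aws_account_id: str) -> str:
    return f"arn:aws:iam::{aws_account_id}:oidc-provider/{PROVIDER_HOST}"

def trust_policy(aws_account_id: str) -> dict:
    """Role trust policy: only tokens for our audience and within the chosen sub scope."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn(aws_account_id)},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{PROVIDER_HOST}:aud": "source-coop-data-proxy"},
                "StringLike": {f"{PROVIDER_HOST}:sub": f"scv1:conn:{CONN_ID}:account:{ACCOUNT}*"},
            },
        }],
    }

def permission_policy() -> dict:
    """Read-only access capped to the mirrored prefix (customer-side blast-radius cap)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{BUCKET}/{PREFIX}*"},
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{BUCKET}",
             "Condition": {"StringLike": {"s3:prefix": f"{PREFIX}*"}}},
        ],
    }

def trust_allows(policy: dict, claims: dict) -> bool:
    """Simplified local evaluation of the trust conditions (string aud, * wildcards only)."""
    cond = policy["Statement"][0]["Condition"]
    for key, want in cond.get("StringEquals", {}).items():
        if claims.get(key.split(":", 1)[1]) != want:
            return False
    for key, pattern in cond.get("StringLike", {}).items():
        if not fnmatch.fnmatchcase(str(claims.get(key.split(":", 1)[1], "")), pattern):
            return False
    return True
```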
Deliverables