This guide describes creating an S3 bucket to export interaction content into. It then describes configuring AWS permissions that enable the Interaction Content Export API to export the interaction content from VCC into the S3 bucket.
Creating an S3 bucket and getting its ARN
Amazon S3 is an object storage service that stores data as objects within buckets. An object is a file and any metadata that describes the file. A bucket is a container for objects.
Start by creating an S3 bucket that can store exported interaction content data. It is recommended that you encrypt this bucket using AWS Key Management Service (KMS).
AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the cryptographic keys that are used to protect your data. For information about creating a KMS key using the AWS Management Console, see Creating keys (console) (AWS help). To find the ARN, go to Amazon KMS and, within Customer Managed Keys, locate your created key. The key's ARN will be in the General configuration section.
After creating the bucket, you must then find its Amazon Resource Name (ARN) which uniquely identifies the AWS resource. To find the ARN, go to Amazon S3 and — within Buckets — locate your created bucket. The bucket's ARN will be in the Properties section.
You'll need the ARN of the bucket — and the KMS key's ARN if you encrypted the bucket — to create the IAM policy in the Creating an IAM policy section later in this page.
Using Amazon's Identity and Access Management (IAM) to manage access to the S3 bucket
You manage permissions in AWS by creating IAM policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. IAM policies define permissions required to perform an action.
Creating an IAM policy
You need to create a policy that will allow a user to transfer data from VCC to your bucket. For information about creating an IAM policy using the AWS Management Console, see Creating IAM policies (console) (AWS help).
Using the JSON method, provide the following JSON file, replacing braces ({}) with applicable values from the S3 bucket you created (if the bucket won't use encryption, remove the JSON object starting with the Sid property from the array property named Statement):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "{customer-bucket-arn}/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "{customer-bucket-arn}",
        "{customer-bucket-arn}/*"
      ]
    },
    {
      "Sid": "KMSpermissions",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKeyPair",
        "kms:ReEncryptFrom",
        "kms:Decrypt",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:GenerateDataKeyPairWithoutPlaintext",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:ReEncryptTo",
        "kms:DescribeKey"
      ],
      "Resource": "{customer-kms-arn}"
    }
  ]
}
```
Replace:
- customer-bucket-arn with the bucket's ARN.
- customer-kms-arn with the KMS key's ARN.
Name and save your new policy.
You'll need the name of your IAM policy in the Creating an IAM role and getting its ARN section later in this page.
Creating an IAM role and getting its ARN
An IAM role is an IAM identity, with specific permissions, that you can create in your account.
You need to create a role that will be connected to the IAM policy created earlier. For information about creating an IAM role using the AWS Management Console, see Creating a role using custom trust policies (console) (AWS help).
Using the 'Custom trust policy' or 'AWS account' type, provide the following JSON file, replacing braces ({}) with applicable values from the S3 bucket you created:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "{primary-service}",
          "{secondary-service}"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
Replace primary-service and secondary-service with the values in the following table. Use the values for the region that your VCC account is in.
Region | primary-service | secondary-service |
---|---|---|
APAC | arn:aws:iam::496745973653:role/prd-apac-syd-app01-ecs-task-interaction-content-export-wd4 | arn:aws:iam::496745973653:role/prd-apac-sin-app01-ecs-task-interaction-content-export-16n |
EMEA | arn:aws:iam::382688127288:role/prd-emea-lon-app01-ecs-task-interaction-content-export-7xf | arn:aws:iam::382688127288:role/prd-emea-fra-app01-ecs-task-interaction-content-export-21r |
NAM | arn:aws:iam::048768717337:role/prd-nam-ric-app01-ecs-task-interaction-content-export-77z | arn:aws:iam::048768717337:role/prd-nam-pdx-app01-ecs-task-interaction-content-export-wy9 |
When asked to set permissions, search for the policy name you created and assign it. Then name and save the role.
After creating the role, you must find its Amazon Resource Name (ARN), which uniquely identifies the role. To find the ARN, go to Amazon S3 and, within Roles, locate your created role. The role's ARN will be in the Summary section. You must use this role's ARN when you create an external storage item for your S3 bucket using the Interaction Content Export API. For information about creating an external storage item, see Create an external storage item.
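A check for the role's trust policy, as an added example (not code from this guide or from the service): it confirms that the only principals allowed to assume the role are the two service roles listed in the table for your region, and reports wildcards, wrong-region ARNs and unfilled placeholders. The function name `audit_trust_policy` and the sample trust policy are constructed for illustration; the ARNs are copied from the table above.

```python
# Service role ARNs per region, copied from the table on this page.
EXPECTED = {
    "APAC": {
        "arn:aws:iam::496745973653:role/prd-apac-syd-app01-ecs-task-interaction-content-export-wd4",
        "arn:aws:iam::496745973653:role/prd-apac-sin-app01-ecs-task-interaction-content-export-16n",
    },
    "EMEA": {
        "arn:aws:iam::382688127288:role/prd-emea-lon-app01-ecs-task-interaction-content-export-7xf",
        "arn:aws:iam::382688127288:role/prd-emea-fra-app01-ecs-task-interaction-content-export-21r",
    },
    "NAM": {
        "arn:aws:iam::048768717337:role/prd-nam-ric-app01-ecs-task-interaction-content-export-77z",
        "arn:aws:iam::048768717337:role/prd-nam-pdx-app01-ecs-task-interaction-content-export-wy9",
    },
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(trust, region):
    """Return findings for a role trust policy meant for one VCC region."""
    expected, findings, seen = EXPECTED[region], [], set()
    for i, stmt in enumerate(trust.get("Statement", [])):
        if as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: action is not sts:AssumeRole only")
        principal = stmt.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in as_list(arns):
            if arn in expected:
                seen.add(arn)
            else:
                findings.append(f"statement {i}: unexpected principal {arn!r}")
    for arn in sorted(expected - seen):
        findings.append(f"missing principal {arn}")
    return findings


# Constructed sample: NAM role pasted into an EMEA account, one placeholder left.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": [
        "arn:aws:iam::048768717337:role/prd-nam-ric-app01-ecs-task-interaction-content-export-77z",
        "{secondary-service}"]},
    "Action": "sts:AssumeRole",
    "Condition": {},
}]}
```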