This Integration gives you full access to the AWS S3 API from your integration. Fusebit's multi-tenant approach makes it easy to manage multiple AWS accounts on behalf of your app's users, and our Node.js-based programming model and lightweight deployment story make it easy to customize the integration with any business logic you need.

Getting Started

  1. Use the Fusebit Management Portal to create an account and log in.
  2. Create a new Integration using one of our AWS templates.

  3. You will then be able to run the Integration, download its code, modify it, and deploy your changes. Detailed instructions on how to get started with an Integration are available here.

Invoking the AWS S3 API

The AWS Integration Template comes pre-configured with some example calls that invoke AWS's S3 API, for example:

// AWS SDK v3 S3 client (assumed import; match the SDK version your template uses)
const { S3 } = require('@aws-sdk/client-s3');

// Fusebit resolves the credentials for this tenant: it assumes the role the
// tenant granted and returns short-lived credentials ready for the SDK.
const awsCredentials = await integration.tenant.getSdkByTenant(
  ctx,
  connectorName,
  ctx.params.tenantId
);
const awsClient = new S3(awsCredentials);
// The original snippet called `client.listBuckets`, which is undefined here.
const response = await awsClient.listBuckets({});

ctx.body = {
  message: `${response.Buckets?.length ?? 0} buckets discovered from the AWS account.`,
};

Fusebit ensures the credentials handed to the SDK object (awsClient) are already those of the tenant invoking the Integration: it assumes the role that tenant granted and deals with the short-lived credentials expiring. You do not need to assume the role, supply an MFA code, or refresh credentials yourself -- Fusebit does that for you automatically.

Creating your own AWS App

Out of the box, Fusebit's Integration uses our own demonstration App in AWS. This is only done to make it easier for you to get started; you will need to register your own App for use in production.

📘

There is no formally registered "AWS App" like there is for other standard OAuth applications.

To enable your integration through an "AWS App" in Fusebit, your tenants essentially grant permissions to a dedicated IAM role that will perform actions on their behalf in their AWS accounts.

To do this, you need the following items:

  • CloudFormation Template that your tenant will execute in their environment to grant permission to your IAM role.
  • Public Access S3 Bucket from which the generated CloudFormation template is retrieved during your tenant's installation process.
  • IAM Configuration Credentials that will be used to 'Assume Role' into your tenant's AWS accounts in order to run the integration.

CloudFormation Template

In order to enable access to your customers' AWS accounts, you first need to define a CloudFormation Template that deploys an IAM role into each tenant's account.

  1. In the Fusebit Portal, find the Integration you would like to connect to your own AWS App. Select the Connector tied to that integration.

  2. Navigate to Custom CloudFormation Template, where we have provided a basic template that will work as-is. During the installation flow, we retrieve certain properties from the tenant's AWS account and create a template that is specific to their account.

🚧

Required Properties

You may add more properties to this CloudFormation template; however, there are three placeholders that are required and must not be changed or removed. Otherwise the installation will not work properly and your Integration will fail.

  • ##ROLE_NAME## (configured in the Connector Configuration screen; the name of the role created in the tenant's account)
  • ##EXTERNAL_ID## (uniquely generated during the session install flow; this is the value AWS's sts:ExternalId trust-policy condition exists for, the confused-deputy guard, so it must stay unique per install and must never be hard-coded)
  • ##BASE_ACCOUNT_ID## (the 12-digit AWS account ID of your own account, i.e. the account holding the IAM user configured below and the principal the tenant's role trusts)

Public Access S3 Bucket

For the AWS connector to work, we rely on a publicly readable S3 bucket where the CloudFormation template is stored. During the installation flow, Fusebit retrieves the template from this location and fills in the required properties. Because the bucket is world-readable, dedicate it to these templates and do not store anything else in it.

  1. In your AWS Console, navigate to S3 and create a new bucket. Ensure that you uncheck the option to "Block all public access" when creating it.

  2. For this newly created bucket, go to Permissions and add a bucket policy that allows any principal to perform s3:GetObject on the bucket's objects, and apply this policy to your bucket. Grant only s3:GetObject; the connector does not need s3:ListBucket, and leaving it out keeps anonymous callers from enumerating the bucket.

  3. Back in the Fusebit Portal, under Fusebit Configuration, configure the following items:
  • Bucket Name (as created above)
  • Bucket Prefix (used to identify the generated templates within the bucket)
  • Cloud Formation Stack Name (the name of the CloudFormation stack that will be created in your tenant's AWS accounts)



IAM Configuration

The final step is to create the IAM user whose credentials Fusebit will use to assume the role your tenants grant. For this you need to do two things:

  • Create a new policy with only the permissions the connector needs (the S3 actions on your template bucket, and sts:AssumeRole)
  • Create a new IAM user with Multi-Factor Authentication (MFA) enabled and attach this policy to that user

  1. In your AWS Console, navigate to IAM, click on Policies and select Create Policy

  2. Next, click on JSON and paste the following policy. Note that "Resource": "*" grants the S3 actions on every bucket in your account; once your template bucket exists, narrow the S3 actions to that bucket's objects (arn:aws:s3:::<bucket-name>/*) and sts:AssumeRole to the role name you configured (arn:aws:iam::*:role/<ROLE_NAME>).

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "sts:AssumeRole",
                    "s3:DeleteObject"
                ],
                "Resource": "*"
            }
        ]
    }
    

  3. Next, navigate to Users, click Add User and assign this new user a name. Make sure to select Access Key as the AWS credential type before clicking Next.

  4. Next, in the Permissions screen, search for the newly created policy and select the checkbox next to it. Once you are done you will be presented with the Access Key ID and Secret Access Key for this user; store them securely, as you will need to configure these items in Fusebit.

  5. As noted earlier, you will need to enable MFA for this newly created user. You can do this by going into the User, navigating to Security Credentials and then clicking the Manage link next to Assigned MFA Device.

    MFA OTP Code

    For security reasons, we omitted the walkthrough screens for obtaining the OTP URL, which is a required field for the configuration.

    We use 1Password here at Fusebit to store and retrieve our MFA credentials, but any similar product should work for you!

  6. Finally, in the Fusebit Portal, navigate to IAM Configuration and add the following items:

    • IAM Access Key

    • IAM Secret Access Key

    • OTP Secret

    • MFA Serial Code (the ARN of the virtual MFA device, formatted as arn:aws:iam::accountId:mfa/IAMUsername; note the empty region field, i.e. two colons after "iam")

👍

Good Job!

From now on, any time a new user installs your Integration, your newly configured AWS credentials and information are displayed during the Installation Flow.

Receiving events from AWS

📘

AWS does not currently provide webhook functionality for this connector. Reach out to let us know if you are interested in this, and we can work with you to find a solution or notify you when it becomes available out of the box!