Events Backup Bucket Permissions

Technical description of the storage provider-based requirements for RudderStack to back up events on to the buckets

For RudderStack to back up events to cloud provider buckets, the following requirements apply for each cloud storage provider.

Amazon S3

  • Create a bucket in the S3 service.

  • Create a new customer managed policy with the following JSON, replacing {BUCKET_NAME} with the name of the bucket created above. The policy grants only the two actions needed to write backup objects, and only on objects inside that bucket:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:AbortMultipartUpload"
          ],
          "Resource": "arn:aws:s3:::{BUCKET_NAME}/*"
        }
      ]
    }

  • Create a new group and attach the policy created above to it.

  • Create a new user in Identity and Access Management (IAM) with programmatic access and add the user to the group created above.

  • Download the access keys and share the Access key ID and Secret access key with the rudder team.

  • The rudder team injects the Access key ID and Secret access key into the rudder-server, which needs them to authenticate to S3 when sending the events dump.
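The policy above is deliberately narrow, and it is worth confirming that whatever ends up attached to the backup user is no wider than it. The following is an added example, not RudderStack's own code: it renders the page's policy for a given bucket name and checks a policy document for anything beyond the two write actions scoped to that bucket's objects (the bucket name `my-backup-bucket` and the over-privileged policy are constructed for illustration).

```python
import json

# The policy from the page, with {BUCKET_NAME} still to be filled in.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:AbortMultipartUpload"],
      "Resource": "arn:aws:s3:::{BUCKET_NAME}/*"
    }
  ]
}"""

# The only actions the backup needs; anything else is over-privilege.
EXPECTED_ACTIONS = {"s3:PutObject", "s3:AbortMultipartUpload"}


def render_policy(bucket_name):
    """Fill in the bucket name and return the policy as a dict."""
    return json.loads(POLICY_TEMPLATE.replace("{BUCKET_NAME}", bucket_name))


def check_policy(policy, bucket_name):
    """Return a list of findings; an empty list means the policy matches the page."""
    findings = []
    expected_resource = f"arn:aws:s3:::{bucket_name}/*"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            findings.append("statement is not an Allow")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        extra = set(actions) - EXPECTED_ACTIONS
        if extra:  # e.g. s3:GetObject, s3:DeleteObject or s3:* would land here
            findings.append(f"unexpected actions: {sorted(extra)}")
        if not EXPECTED_ACTIONS <= set(actions):
            findings.append("missing one of the required write actions")
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for res in resources:
            # Must be the object ARN of this one bucket, never the bucket ARN or "*"
            if res != expected_resource:
                findings.append(f"resource not scoped to the bucket objects: {res}")
    return findings


if __name__ == "__main__":
    print(check_policy(render_policy("my-backup-bucket"), "my-backup-bucket"))
```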

Google Cloud Storage

  • Create a role with the following permissions (you might need to add each permission one by one):
      1. storage.objects.create
      2. storage.objects.get

  • Create a service account as follows:
      1. Give a name to this service account.
      2. Add the role created above.
      3. Create a key with key type JSON and save the file locally.

  • Create a bucket with uniform bucket-level access control. Once the bucket is created, add permissions:
      - Go to the “Permissions” tab.
      - Add a member using the service account created above.
      - Add the role created above.

  • Send the downloaded JSON file to the rudder team. We inject this service account JSON file into the rudder-server, which needs it to authenticate to GCS when sending the events dump.