Resources Required

Starsheet requires the following AWS resources:
  • A S3 Bucket, used to store the data that Starsheet generates for your project
  • A IAM User or IAM Role to allow Starsheet to authenticate with your AWS account
Additionally the following resources are optional, but strongly recommended:
  • A Cloudfront Distribution, which acts as a CDN to deliver content to end users at lower latency than loading from S3 directly

Authentication

Starsheet supports two methods of authentication against your AWS account:
  • IAM Role, which is where you are allowing Starsheet’s AWS user to assume a role on your account.
  • IAM User, which is where you setup a user on your AWS account and provide Startsheet with credentials (access key and secret) to access it.
Both methods are similar, in that you are granting an AWS Identify with specific permissions to act on your account but the setup process is subtly different between the two. AWS recommends using IAM Roles to grant external access to your AWS account as it avoids the need to generate and share account credentials.

Permissions Required

These instructions are for customers setting up AWS resources manually. If using Starsheet’s Cloudformation template, the AWS permissions described below will be configured automatically.
Starsheet requires the following permissions to the S3 bucket specified during the project setup process:
PermissionWhy it’s needed
s3:PutObjectUsed to upload the data generated from your Google Sheet(s) to your S3 bucket
s3:DeleteObjectUsed to delete an item from S3 when you perform an action in Startsheet to initiate a deletion (such as deleting an environment). Starsheet never deletes data unless you initiate it.
s3:PutObjectAclUsed to set permissions on an item to make them publicly available or private.
s3:GetObjectUsed to copy a content version to an environment when publishing to an environment
Additionally, if using Cloudfront to serve content, the following permissions are required to the Cloudfront Distribution:
PermissionWhy it’s needed
cloudfront:GetDistributionUsed by Starsheet to get the Cloudfront Domain Name and any Custom Domain Names mapped to the Cloudfront Distribution, which are used to generate the correct content URLs in the Startsheet application.
cloudfront:CreateInvalidationWhen publishing content to an environment, Starsheet will automatically create an invalidation request to clear Cloudfront’s CDN cache of old versions of the content to ensure that new requests return the updated content as quickly as possible.

IAM Policy Template

The IAP policy template provided below will setup the correct permissions. You must substitute the following strings in the template with the relevant values from your AWS resources. The automatic setup process generates the same IAM Policy.
StringReplace With
{S3_BUCKET_NAME}The unique name you gave your bucket when it was created (available here)
{CLOUDFRONT_DISTRIBUTION_ID}The ID of your Cloudfront Distribution (available here)
{AWS_ACCOUNT_ID}Your AWS account ID (available here)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::{S3_BUCKET_NAME}/*"
            ],
            "Effect": "Allow",
            "Sid": "S3ObjectActions"
        },
        {
            "Action": [
                "cloudfront:GetDistribution",
                "cloudfront:CreateInvalidation"
            ],
            "Resource": [
                "arn:aws:cloudfront::{AWS_ACCOUNT_ID}:distribution/{CLOUDFRONT_DISTRIBUTION_ID}"
            ],
            "Effect": "Allow",
            "Sid": "CloudfrontActions"
        }
    ]
}
The policy above assumes you are using a S3 bucket dedicated to Starsheet, and therefore grants permissions over the whole bucket, however you may limit Starsheet’s access to a specific subfolder if required.

IAM Setup Instructions