Skip to main content

Resources Required

Starsheet requires the following AWS resources:
  • A S3 Bucket, used to store the data that Starsheet generates for your project
  • A IAM User or IAM Role to allow Starsheet to authenticate with your AWS account
Additionally the following resources are optional, but strongly recommended:
  • A Cloudfront Distribution, which acts as a CDN to deliver content to end users at lower latency than loading from S3 directly
Using Cloudfront is strongly recommended if serving content directly to apps used by end users. It has the following benefits over loading content from S3:
  • Reduced download latency by serving content from a data centers geographically close to the user
  • Supports a custom domain name (eg. content.yourdomain.com)
  • Can be configured to automatically compress data to reduce download times (automatically configured when using our automatic setup)
  • AWS provides 1TB of data transfer and 10 million requests free per month

Authentication

Starsheet supports two methods of authentication against your AWS account:
  • IAM Role, which is where you are allowing Starsheet’s AWS user to assume a role on your account.
  • IAM User, which is where you setup a user on your AWS account and provide Startsheet with credentials (access key and secret) to access it.
Both methods are similar, in that you are granting an AWS Identify with specific permissions to act on your account but the setup process is subtly different between the two. AWS recommends using IAM Roles to grant external access to your AWS account as it avoids the need to generate and share account credentials.

Permissions Required

These instructions are for customers setting up AWS resources manually. If using Starsheet’s Cloudformation template, the AWS permissions described below will be configured automatically.
Starsheet requires the following permissions to the S3 bucket specified during the project setup process:
PermissionWhy it’s needed
s3:PutObjectUsed to upload the data generated from your Google Sheet(s) to your S3 bucket
s3:DeleteObjectUsed to delete an item from S3 when you perform an action in Startsheet to initiate a deletion (such as deleting an environment). Starsheet never deletes data unless you initiate it.
s3:PutObjectAclUsed to set permissions on an item to make them publicly available or private.
s3:GetObjectUsed to copy a content version to an environment when publishing to an environment
Additionally, if using Cloudfront to serve content, the following permissions are required to the Cloudfront Distribution:
PermissionWhy it’s needed
cloudfront:GetDistributionUsed by Starsheet to get the Cloudfront Domain Name and any Custom Domain Names mapped to the Cloudfront Distribution, which are used to generate the correct content URLs in the Startsheet application.
cloudfront:CreateInvalidationWhen publishing content to an environment, Starsheet will automatically create an invalidation request to clear Cloudfront’s CDN cache of old versions of the content to ensure that new requests return the updated content as quickly as possible.

IAM Policy Template

The IAP policy template provided below will setup the correct permissions. You must substitute the following strings in the template with the relevant values from your AWS resources. The automatic setup process generates the same IAM Policy.
StringReplace With
{S3_BUCKET_NAME}The unique name you gave your bucket when it was created (available here)
{CLOUDFRONT_DISTRIBUTION_ID}The ID of your Cloudfront Distribution (available here)
{AWS_ACCOUNT_ID}Your AWS account ID (available here)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::{S3_BUCKET_NAME}/*"
            ],
            "Effect": "Allow",
            "Sid": "S3ObjectActions"
        },
        {
            "Action": [
                "cloudfront:GetDistribution",
                "cloudfront:CreateInvalidation"
            ],
            "Resource": [
                "arn:aws:cloudfront::{AWS_ACCOUNT_ID}:distribution/{CLOUDFRONT_DISTRIBUTION_ID}"
            ],
            "Effect": "Allow",
            "Sid": "CloudfrontActions"
        }
    ]
}
The policy above assumes you are using a S3 bucket dedicated to Starsheet, and therefore grants permissions over the whole bucket, however you may limit Starsheet’s access to a specific subfolder if required.

IAM Setup Instructions

  1. Create a new role in the IAM Console
  2. Select a custom trust policy a paste the following config. This allows Starsheet’s AWS account to assume the role you are creating. 
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::715841338341:user/starsheet-customer-access"
          },
          "Action": "sts:AssumeRole"
      }
  ]
}
  1. Attach the IAM Policy Template provided above to the newly created role, making sure to substitute the placeholder values in the template.
  2. Copy the ARN from the newly created IAM role and enter it into the Starsheet project creation form. Starsheet will validate the credentials work when setting up the project. The ARN will be in the format arn:aws:iam::000000000000:role/your-role-name
  1. Create a new user using the IAM Console. The user does not require AWS Management Console access
  2. Attach the IAM Policy Template provided above to the newly created user, making sure to substitute the placeholder values in the template.
  3. Generate an access key and secret for the newly created IAM user and enter those credentials into the Starsheet project creation form. Starsheet will validate the credentials work when setting up the project.
I