Who can use this feature?
- Available with Data Direct.
- Requires an admin or architect role to configure.
Introduction
Amazon S3 is an object storage service offering industry-leading scalability, data availability, security, and performance. With our Data Direct integration, you can sync Fullstory's structured, behavioral event data directly to Amazon S3.
Enabling the S3 integration (AWS)
Manual Configuration
Notes:
- Fullstory should only be granted access to read/write the data that we will be managing as part of this sync.
To ensure all sensitive data remains secure, Fullstory uses AWS web identity federation to access S3 resources required for Data Direct. This role should not be given permission to access any other data.
Setup IAM Roles and Policies
Fullstory's services will assume the following role, and they will be able to upload data to S3.
Step 1: Setup assumable role
- Navigate to IAM roles.
- Roles > Create Role.
- Choose Web Identity.
- For Identity Provider, select Google.
- For Audience, insert one of the following values according to your Fullstory data realm (if your Fullstory org ID has eu1 in it, then you are a European customer):
  - For North American customers: 116984388253902328461
  - For European customers: 107589159240321051166
- Click Next.
- You do not need to add any permissions. Click Next.
- Give the role a name. Example: fullstory_s3_loader
- Click Create role.
- Navigate to the role you just created, then:
- Select Trust relationships and replace the contents with the following to allow Fullstory to assume this role so that we can upload files to S3. Remember to replace the audience value with the one required for your data realm.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "accounts.google.com:aud": "<audience for your Fullstory region from above>"
        }
      }
    }
  ]
}
- Click Update Policy.
S3 Setup Instructions
Step 1: Create an S3 bucket or use an existing bucket
You can create a new S3 bucket by navigating to the S3 dashboard:
- Click Create bucket.
- Give the bucket a name.
- Select Block all public access.
- Click Create bucket.
Step 2: Grant the IAM role access to the bucket
After creating the bucket, go to the new bucket's detail page and navigate to:
- Permissions > Bucket policy.
- Click Edit.
- Paste the following policy replacing your role ARN and bucket name:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<your role ARN from the previous step>"
      },
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::<your bucket name>/*"
      ]
    }
  ]
}
- Click Save changes.
To limit Fullstory's access to certain prefixes, use the Resource section of the statement to provide a specific prefix.
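One way to check the two policies above before enabling the integration, as an added example (not Fullstory's code): the functions below report anything in a trust policy or bucket policy that goes beyond what this page grants. The function names, the sample account ID, the bucket name and the fullstory/ prefix are assumptions made for the illustration; arn:aws:s3:::<bucket>/<prefix>* is the standard S3 resource pattern for a prefix.

```python
# Audience values this page lists for the North American and European realms.
FULLSTORY_AUDIENCES = {"116984388253902328461", "107589159240321051166"}

def as_list(value):
    """IAM accepts either a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Findings for a trust policy that differs from the one shown in Step 1."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") != {"Federated": "accounts.google.com"}:
            findings.append("principal is not the accounts.google.com federation")
        if as_list(stmt.get("Action", [])) != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append("action is not limited to sts:AssumeRoleWithWebIdentity")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        aud = as_list(cond.get("accounts.google.com:aud", []))
        if not aud or not set(aud) <= FULLSTORY_AUDIENCES:
            findings.append("audience condition missing or not a value from this page")
    return findings

def audit_bucket_policy(policy, role_arn, bucket, prefix=""):
    """Findings for Allow statements that give the role more than PutObject under prefix."""
    expected = f"arn:aws:s3:::{bucket}/{prefix}*"
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if stmt.get("Effect") != "Allow" or not {role_arn, "*"} & set(aws):
            continue  # statement does not grant anything to the Fullstory role
        extra = [a for a in as_list(stmt.get("Action", [])) if a != "s3:PutObject"]
        if extra:
            findings.append(f"actions beyond s3:PutObject: {extra}")
        wide = [r for r in as_list(stmt.get("Resource", [])) if r != expected]
        if wide:
            findings.append(f"resources other than {expected}: {wide}")
    return findings

if __name__ == "__main__":
    # Constructed sample: account ID, bucket name and prefix are placeholders.
    role = "arn:aws:iam::123456789012:role/fullstory_s3_loader"
    bucket_policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": role},
        "Action": ["s3:PutObject", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-bucket/*"]}]}
    for finding in audit_bucket_policy(bucket_policy, role, "example-bucket", "fullstory/"):
        print(finding)
```

Load the policy JSON exported from the AWS console with json.load and pass the resulting dictionaries to the two functions; an empty list means the policy matches what this page describes.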
Enabling the S3 Integration in Fullstory
Now that all of the AWS resources have been created, all that is left is to provide Fullstory with the correct identifiers to make a secure connection to load data.
- In Fullstory, navigate to Settings > Integrations > Destinations.
- Click Install next to the S3 option.
- Using the values recorded in the previous steps, fill in the form.
- Click Save.
After saving, data will flow into your bucket within an hour.
Some tips:
- The IAM role ARN is only used for loading data into your warehouse. It is not capable of accessing or modifying users.
- The region should be a valid AWS region and should be the same region as your S3 bucket. Cross-region resources are not supported at this time.
- The role session name is optional; one will be assigned if not provided. Advice on when and how to use role session names can be found in AWS documentation.
FAQ
Can you set up more than one data destination in your account?
Yes. Repeat setup steps for different destinations as needed.