To set up your Snowplow pipeline, we need you to create a sub-account dedicated to Snowplow, then set up a user within this sub-account with the appropriate permissions (using an IAM policy) to set up the pipeline. The process for this is as follows:
Create sub-account
- From your main AWS account, set up an organization if you haven’t done so already.
- Create a member account (the sub-account) in that organization.
- Sign out and sign into the new sub-account. Everything Snowplow-related will take place within this account from here on.
- Follow these instructions to create a policy using the policy list below.
Set up Role and IAM permissions
- Access the IAM control panel within the sub-account
- Go to Access management > Roles and select Create role
- Select “Another AWS account” (Account ID: 793733611312, Require MFA: true)
- Select the policy you created earlier
- Call the role “SnowplowAdmin” or similar
Once this role has been created, please share the IAM role ARN (Amazon Resource Name) with us via Insights console.
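The documents the role steps above result in, as an added example (not Snowplow's own code): the trust policy that “Another AWS account” with Require MFA produces, a permissions policy wrapping the Policy List, and a check that the trust policy admits only the stated account with MFA. The function names, the shortened `SAMPLE_ACTIONS` list and `"Resource": "*"` are assumptions of this example.

```python
import json

SNOWPLOW_ACCOUNT_ID = "793733611312"  # account ID from the role steps above
# Constructed sample: a few entries from the Policy List; use the full list in practice.
SAMPLE_ACTIONS = ["acm:*", "apigateway:*", "kms:List*", "kms:DescribeKey"]


def build_trust_policy(account_id):
    """Trust policy matching "Another AWS account" with Require MFA enabled."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def build_permissions_policy(actions):
    """Wrap an action list in a policy document (Resource "*" is an assumption)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    }


def audit_trust_policy(policy, account_id):
    """Return problems found; an empty list means only account_id, with MFA, can assume."""
    allowed = {f"arn:aws:iam::{account_id}:root", account_id}
    stmts = policy.get("Statement", [])
    problems = []
    for i, stmt in enumerate([stmts] if isinstance(stmts, dict) else stmts):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):  # any non-AWS principal type counts as too broad
            principal = principal.get("AWS") if set(principal) == {"AWS"} else None
        aws = [principal] if isinstance(principal, str) else list(principal or [])
        if not aws or any(p not in allowed for p in aws):
            problems.append(f"statement {i}: principal not limited to {account_id}")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            problems.append(f"statement {i}: MFA not required")
    return problems


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(SNOWPLOW_ACCOUNT_ID), indent=2))
```

Before sharing the ARN, `audit_trust_policy` can be run on the `AssumeRolePolicyDocument` returned by `aws iam get-role --role-name SnowplowAdmin`.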
Policy List
"acm:*",
"apigateway:*",
"application-autoscaling:*",
"autoscaling:*",
"aws-marketplace:Subscribe",
"aws-marketplace:Unsubscribe",
"aws-marketplace:ViewSubscriptions",
"cloudformation:*",
"cloudfront:*",
"cloudwatch:*",
"dynamodb:*",
"ec2:*",
"es:*",
"elasticbeanstalk:*",
"elasticloadbalancing:*",
"elasticmapreduce:*",
"execute-api:*",
"events:*",
"iam:*",
"kinesis:*",
"lambda:*",
"logs:*",
"rds:*",
"redshift:*",
"s3:*",
"sns:*",
"ssm:*",
"support:*",
"route53:*",
"ecs:*",
"kms:List*",
"kms:DescribeKey",
"secretsmanager:CreateSecret",
"secretsmanager:TagResource",
"secretsmanager:DescribeSecret",
"secretsmanager:GetResourcePolicy",
"secretsmanager:PutSecretValue",
"secretsmanager:GetSecretValue"
For complete documentation from Amazon go here.