Manual Setup

Resources Required

Starsheet requires the following AWS resources:

A S3 Bucket, used to store the data that Starsheet generates for your project
A IAM User or IAM Role to allow Starsheet to authenticate with your AWS account

Additionally the following resources are optional, but strongly recommended:

A Cloudfront Distribution, which acts as a CDN to deliver content to end users at lower latency than loading from S3 directly

Authentication

Starsheet supports two methods of authentication against your AWS account:

IAM Role, which is where you are allowing Starsheet’s AWS user to assume a role on your account.
IAM User, which is where you setup a user on your AWS account and provide Startsheet with credentials (access key and secret) to access it.

Both methods are similar, in that you are granting an AWS Identify with specific permissions to act on your account but the setup process is subtly different between the two.

AWS recommends using IAM Roles to grant external access to your AWS account as it avoids the need to generate and share account credentials.

Permissions Required

These instructions are for customers setting up AWS resources manually. If using Starsheet’s Cloudformation template, the AWS permissions described below will be configured automatically.

Starsheet requires the following permissions to the S3 bucket specified during the project setup process:

Permission	Why it’s needed
`s3:PutObject`	Used to upload the data generated from your Google Sheet(s) to your S3 bucket
`s3:DeleteObject`	Used to delete an item from S3 when you perform an action in Startsheet to initiate a deletion (such as deleting an environment). Starsheet never deletes data unless you initiate it.
`s3:PutObjectAcl`	Used to set permissions on an item to make them publicly available or private.
`s3:GetObject`	Used to copy a content version to an environment when publishing to an environment

Additionally, if using Cloudfront to serve content, the following permissions are required to the Cloudfront Distribution:

Permission	Why it’s needed
`cloudfront:GetDistribution`	Used by Starsheet to get the Cloudfront Domain Name and any Custom Domain Names mapped to the Cloudfront Distribution, which are used to generate the correct content URLs in the Startsheet application.
`cloudfront:CreateInvalidation`	When publishing content to an environment, Starsheet will automatically create an invalidation request to clear Cloudfront’s CDN cache of old versions of the content to ensure that new requests return the updated content as quickly as possible.

IAM Policy Template

The IAP policy template provided below will setup the correct permissions. You must substitute the following strings in the template with the relevant values from your AWS resources. The automatic setup process generates the same IAM Policy.

String	Replace With
`{S3_BUCKET_NAME}`	The unique name you gave your bucket when it was created (available here)
`{CLOUDFRONT_DISTRIBUTION_ID}`	The ID of your Cloudfront Distribution (available here)
`{AWS_ACCOUNT_ID}`	Your AWS account ID (available here)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::{S3_BUCKET_NAME}/*"
            ],
            "Effect": "Allow",
            "Sid": "S3ObjectActions"
        },
        {
            "Action": [
                "cloudfront:GetDistribution",
                "cloudfront:CreateInvalidation"
            ],
            "Resource": [
                "arn:aws:cloudfront::{AWS_ACCOUNT_ID}:distribution/{CLOUDFRONT_DISTRIBUTION_ID}"
            ],
            "Effect": "Allow",
            "Sid": "CloudfrontActions"
        }
    ]
}

The policy above assumes you are using a S3 bucket dedicated to Starsheet, and therefore grants permissions over the whole bucket, however you may limit Starsheet’s access to a specific subfolder if required.

IAM Setup Instructions

Create a new role in the IAM Console
Select a custom trust policy a paste the following config. This allows Starsheet’s AWS account to assume the role you are creating.

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::715841338341:user/starsheet-customer-access"
          },
          "Action": "sts:AssumeRole"
      }
  ]
}

Attach the IAM Policy Template provided above to the newly created role, making sure to substitute the placeholder values in the template.
Copy the ARN from the newly created IAM role and enter it into the Starsheet project creation form. Starsheet will validate the credentials work when setting up the project. The ARN will be in the format arn:aws:iam::000000000000:role/your-role-name

About Starsheet

Project Setup

Managing Content

Advanced Topics

Resources Required

Authentication

Permissions Required

IAM Policy Template

IAM Setup Instructions

About Starsheet

Project Setup

Managing Content

Advanced Topics

​Resources Required

​Authentication

​Permissions Required

​IAM Policy Template

​IAM Setup Instructions

Resources Required

Authentication

Permissions Required

IAM Policy Template

IAM Setup Instructions