--- title: Creating an AWS IAM role for Fastly logging summary: null url: >- https://www.fastly.com/documentation/guides/integrations/streaming-logs/creating-an-aws-iam-role-for-fastly-logging --- Before adding [Amazon S3](/guides/integrations/logging-endpoints/object-and-cloud-storage/log-streaming-amazon-s3) or [Amazon Kinesis](/guides/integrations/logging-endpoints/data-streaming-and-message-queues/log-streaming-amazon-kinesis-data-streams) as a logging endpoint for Fastly services, we recommend creating an [Identity and Access Management (IAM) role](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) in AWS specifically for Fastly. Using your Fastly customer account ID and the Fastly AWS account number, you can set up a role to give Fastly access to your S3 bucket or Kinesis data stream for log delivery using temporary credentials instead of long-term credentials like an access key and secret key pair. You can do this through the [AWS Management Console](#creating-an-iam-role-through-the-aws-management-console) or the [AWS CLI](#creating-an-iam-role-through-the-aws-cli). ## Creating an IAM role through the AWS Management Console Follow the steps below to create an IAM role through the AWS Management Console. 1. Log in to the AWS Management Console and open the IAM console. 1. Create a permission policy that gives Fastly permission to write objects to AWS. Click **Create policy**. 1. Click **JSON**. Copy and paste one of the following templates, replacing the name in the resource field with the Amazon Resource Name (ARN) of the Amazon S3 bucket or Kinesis data stream you want Fastly to write logs to. ```json context="Amazon S3 template" { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:AbortMultipartUpload" ], "Resource": "arn:aws:s3:::YourS3BucketName/*" } } ``` ```json context="Amazon Kinesis template" { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "kinesis:PutRecords", "kinesis:ListShards" ], "Resource": "arn:aws:kinesis:::stream/" } } ``` 1. Click **Create policy**. 1. [Create a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) with the trust and permissions policies attached. Select **Roles** from the navigation panel, and then click **Create role**. 1. For **Select type of trusted entity**, select **Another AWS account**. 1. For **Account ID**, enter the Fastly AWS account ID (`717331877981`). 1. Select **Require external ID**. 1. In the **External ID** field, enter your Fastly customer account ID. 1. Click **Next: Permissions**. 1. Select the checkbox next to the permission policy you created above. 1. Click **Next: Tags**. 1. *(Optional)* Add metadata to the role by attaching tags as key–value pairs. For more information about using tags in IAM, check out Amazon's documentation on [tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html). 1. Click **Next: Review**. Complete the following fields: * In the **Role name** field, enter a name for your role. Role names must be unique within your AWS account. They are not distinguished by case. Because other AWS resources might reference the role, you can't edit the name of the role after it has been created. * *(Optional)* In the **Role description** field, enter a description for the new role. 1. Review the role and then click **Create role**. The role you created appears in the list of roles on the **Roles** tab. 1. Follow the instructions in [Enabling Regional Tokens](#enabling-regional-tokens) to ensure your AWS account is set up to allow tokens using regional STS endpoints. After you create your new role, select the role from the **Roles** tab to view details about the role, including the Role ARN. You will need this ARN to create your logging endpoint. > **HINT:** If you're using Amazon Kinesis Data Streams, you may also need to add a resource-based policy to your stream. Refer to the instructions in the [Adding a resource-based policy to a Kinesis data stream](#adding-a-resource-based-policy-to-a-kinesis-data-stream) section. ## Creating an IAM role through the AWS CLI Follow the steps below to create an IAM role through the AWS CLI: 1. Create a trust policy in JSON using your Fastly customer account ID and the Fastly AWS account number using one of the following templates. Copy the template to a text editor and replace `FastlyCustomerAccountID` with your customer account ID and `Sid` with the name of your policy. Save the file to your file system. ```json context="Amazon S3 template" { "Version": "2012-10-17", "Statement": { "Condition": { "StringEquals": { "sts:ExternalId": "FastlyCustomerAccountID" } }, "Action": "sts:AssumeRole", "Principal": { "AWS": "717331877981" }, "Effect": "Allow", "Sid": "S3LoggingTrustPolicy" } } ``` ```json context="Amazon Kinesis template" { "Version": "2012-10-17", "Statement": { "Condition": { "StringEquals": { "sts:ExternalId": "FastlyCustomerAccountID" } }, "Action": "sts:AssumeRole", "Principal": { "AWS": "717331877981" }, "Effect": "Allow", "Sid": "KinesisLoggingTrustPolicy" } } ``` 1. Create a permission policy in JSON using the Amazon Resource Name (ARN) of the S3 bucket or Kinesis data stream you want Fastly to write logs to. Copy the template to a text editor and replace the name in the resource field with the name of the S3 bucket or Kinesis data stream. Save the file to your file system. ```json context="Amazon S3 template" { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:AbortMultipartUpload" ], "Resource": "arn:aws:s3:::YourS3BucketName/*" } } ``` ```json context="Amazon Kinesis template" { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [ "kinesis:PutRecords", "kinesis:ListShards" ], "Resource": "arn:aws:kinesis:::stream/" } } ``` 1. From the command line, create a role and attach the trust policy to the role. Replace `YourRoleName` with the name of your role and `file://trust-policy-file.json` with the name and location of the file in which you created your trust policy. ```term copy $ aws --profile personal iam create-role --role-name YourRoleName --assume-role-policy-document file://trust-policy-file.json ``` Here's what the successful response to this command looks like: ```json { "Role": { "Path": "/", "RoleName": "YourRoleName", "RoleId": "ABCD1234ZHHQGKDRUMGFH", "Arn": "arn:aws:iam::AmazonResourceName:role/YourRoleName", "CreateDate": "2021-03-19T23:14:27+00:00", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": { "Condition": { "StringEquals": { "sts:ExternalId": "abc12345-defg-6789-hijk-lmno10111213" } }, "Action": "sts:AssumeRole", "Principal": { "AWS": "717331877981" }, "Effect": "Allow", "Sid": "RoleForS3" } } } } ``` > **IMPORTANT:** Take note of the value in the `Arn` field. This is the ARN for the role, which you will need to create your logging endpoint. 1. Create the permission policy. Replace `YourPolicyName` with the name of your policy and `file://permission-policy-file.json` with the name and location of the file in which you created your trust policy. ```term copy $ aws --profile personal iam create-policy --policy-name YourPolicyName --policy-document file://permissions-policy-file.json ``` Here's what the successful response to this command looks like: ```json { "Policy": { "PolicyName": "YourPolicyName", "PolicyId": "ABCDJH5Z123CTIKFWXYZ", "Arn": "arn:aws:iam::AmazonResourceName:policy/YourPolicyName", "Path": "/", "DefaultVersionId": "v1", "AttachmentCount": 0, "PermissionsBoundaryUsageCount": 0, "IsAttachable": true, "CreateDate": "2021-03-19T23:17:42+00:00", "UpdateDate": "2021-03-19T23:17:42+00:00" } } ``` 1. Attach the permissions policy to the role. Replace `YourRoleName` with the name of your role and the value after `--policy-arn` with the ARN of your permission policy. ```term copy $ aws --profile personal iam attach-role-policy --role-name YourRoleName --policy-arn arn:aws:iam::123453306678:policy/AllowLoggingBucketWrites ``` 1. Follow the instructions in [Enabling Regional Tokens](#enabling-regional-tokens) to ensure your AWS account is set up to allow tokens using regional STS endpoints. > **HINT:** If you're using Amazon Kinesis Data Streams, you may also need to add a resource-based policy to your stream. Refer to the instructions in the [Adding a resource-based policy to a Kinesis data stream](#adding-a-resource-based-policy-to-a-kinesis-data-stream) section. ## Adding a resource-based policy to a Kinesis data stream If you're configuring Amazon Kinesis Data Streams as your logging endpoint, you may also need to attach a resource-based policy to the target stream to allow Fastly's AWS account and your IAM role to write to it. 1. In the AWS Management Console, open **Kinesis** and select your data stream. 1. Open the **Data stream sharing** tab, then choose **Create sharing policy**, or edit the JSON policy directly. 1. Add a policy that allows the Fastly AWS account (`717331877981`) and the IAM role you created to write to the stream: ```json { "Version": "2012-10-17", "Id": "writePolicy", "Statement": [{ "Sid": "FastlyWrite", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::717331877981:root", "arn:aws:iam:::role/" ] }, "Action": [ "kinesis:DescribeStreamSummary", "kinesis:ListShards", "kinesis:PutRecord", "kinesis:PutRecords" ], "Resource": "arn:aws:kinesis:::stream/" }] } ``` ## Enabling Regional Tokens Fastly uses the [AWS Security Token Service API](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) to request temporary credentials to write logs to AWS endpoints like S3 and Kinesis. Tokens can be requested from a single, global endpoint or from regional endpoints, though AWS recommends the use of Regional STS endpoints for reduced latency and improved redundancy. Regardless of where your AWS S3 bucket or Kinesis stream is located, you must enable all of the Regional endpoints that Fastly uses to acquire tokens to provide the highest level of redundancy and token validity. For example, even though your S3 bucket may be located in `us-west-1`, Fastly may acquire the token to write to your bucket from a different region (e.g., `us-east-2`). Follow the instructions in [Activating and deactivating AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-activate-deactivate) to activate all of the following regional endpoints that may be used by Fastly to acquire tokens. * US East (N. Virginia) *Always active*: `https://sts.us-east-1.amazonaws.com` * US East (Ohio): `https://sts.us-east-2.amazonaws.com` * US West (N. California): `https://sts.us-west-1.amazonaws.com` * US West (Oregon): `https://sts.us-west-2.amazonaws.com` ## What's next Use the IAM role you created to add [Amazon S3](/guides/integrations/logging-endpoints/object-and-cloud-storage/log-streaming-amazon-s3) or [Amazon Kinesis](/guides/integrations/logging-endpoints/data-streaming-and-message-queues/log-streaming-amazon-kinesis-data-streams) as a logging endpoint. ## Related content * [Log streaming to Amazon S3](/guides/integrations/logging-endpoints/object-and-cloud-storage/log-streaming-amazon-s3) * [Log streaming to Amazon Kinesis](/guides/integrations/logging-endpoints/data-streaming-and-message-queues/log-streaming-amazon-kinesis-data-streams)