S3 Warehouse Setup
When an S3 warehouse is set up as a destination in Freshpaint, you will be provided with read-only access to a specific subdirectory of an S3 bucket in our account.
To get started, please reach out to and provide the following information:
Your AWS Account ID
(Optional) Specify the AWS Principal(s) that will be trusted to assume the IAM role with access to the bucket. By default, we’ll trust your account’s root user. See Permissions for more details.
Once this information is received, we'll complete the setup on our end and then follow up to inform you once access has been granted to the S3 subdirectory.
There is an IAM role in the Freshpaint account that has read-only access to the specific subdirectory of the S3 bucket containing your Freshpaint data. There are two options for configuring the AWS permissions that grant you cross-account access to assume this role.
By default, Freshpaint will trust your account's root user to assume the role. Your AWS Account Administrator will need to delegate this permission to the specific users or roles that need to access the Freshpaint S3 bucket.
You can instead provide Freshpaint Support with the ARN of an IAM role in your account. In this case, you need to perform role chaining in order to access the data in S3.
First, you need to assume the role in your account. Your AWS Account Administrator may need to grant your user permission to assume the role.
Once you've assumed the role in your account, you can assume the role in Freshpaint's account. Again, your AWS Account Administrator may need to grant the role permission to assume the role in Freshpaint's account.
Run aws sts get-caller-identity to make sure that you've assumed the correct role. If the role is not what you expected, you may need to specify an AWS profile (e.g. aws sts get-caller-identity --profile freshpaint_role). Then, run aws s3 ls perfalytics-warehouse-event-store/<Freshpaint environment id>/ to list the top-level prefixes of your Freshpaint data.
Note that role chaining is not possible in the AWS web console; we recommend using the to access your S3 warehouse in this case. You can read about how to perform role chaining in the .
We recommend using the AWS CLI to validate access to your S3 data. Make sure to so that you can assume the role in Freshpaint's account that has access to your data.
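The role chaining and validation steps above can be scripted with AWS CLI named profiles. The following is an added example, not Freshpaint's own code. The profile name customer_role, the expected role name passed as an argument, and all ARNs shown are placeholders or assumptions; only the freshpaint_role profile name and the bucket name come from this page.

```shell
#!/bin/sh
# Added example: role chaining through AWS CLI profiles, with an identity
# check before any S3 access. ARNs and role names below are placeholders.
#
# Assumed ~/.aws/config ("customer_role" is a hypothetical profile name):
#   [profile customer_role]
#   role_arn = arn:aws:iam::<your account id>:role/<your role>
#   source_profile = default
#
#   [profile freshpaint_role]
#   role_arn = <ARN of the Freshpaint role, as provided by Freshpaint>
#   source_profile = customer_role
#
# Usage: sh check_access.sh freshpaint_role <expected role name> <environment id>

# Print the role name from an STS caller ARN of the form
#   arn:aws:sts::<account>:assumed-role/<role name>/<session name>
# Returns 1 (printing nothing) when the caller is not an assumed role.
assumed_role_name() {
  local arn="$1" rest
  case "$arn" in
    arn:aws:sts::*:assumed-role/*/*)
      rest="${arn#*:assumed-role/}"   # drop everything up to the role name
      printf '%s\n' "${rest%%/*}"     # drop the session name
      ;;
    *) return 1 ;;
  esac
}

# Confirm the profile resolves to the expected role, then list the prefix.
validate_and_list() {
  local profile="$1" expected_role="$2" env_id="$3" arn role
  arn="$(aws sts get-caller-identity --profile "$profile" \
          --query Arn --output text)" || return 1
  role="$(assumed_role_name "$arn")" || {
    echo "caller is not an assumed role: $arn" >&2; return 1; }
  if [ "$role" != "$expected_role" ]; then
    echo "expected role $expected_role, got $role" >&2
    return 1
  fi
  aws s3 ls "perfalytics-warehouse-event-store/${env_id}/" --profile "$profile"
}

# Only call AWS when all three arguments are supplied.
if [ "$#" -eq 3 ]; then
  validate_and_list "$@"
fi
```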