Set Up an Amazon S3 Archive with AWS Console

Ent+ Use the AWS Management Console to create the IAM policy and role that Honeycomb uses to access your S3 archive for trace and log rehydration.

This feature is available as an add-on for the Honeycomb Enterprise plan. Please contact your Honeycomb account team for details.

To enable trace and log rehydration from your Amazon S3 archive, you will need an AWS IAM role that includes:

Permissions to list and retrieve objects from your S3 bucket.
A trust policy that allows the Honeycomb IAM role to assume this role when interacting with your archive.

This guide walks you through creating these resources in the AWS Management Console. If you prefer, you can use Terraform instead. After you create the IAM policy and role, share the details with your Honeycomb account team, so they can complete your S3 archive setup.

Create an IAM Policy

First, create an IAM policy with permissions for listing and retrieving objects from your Amazon S3 bucket:

Sign in to the AWS Management Console and open the IAM console.
In the navigation pane, choose Policies.
Select Create policy.
In the Policy editor, choose the JSON option.

Copy the JSON policy that corresponds to your encryption method, then paste it into the editor:

SSE-S3 (default)
SSE-KMS

Replace the placeholder ARNs in the Resource element with the actual ARNs for your bucket.

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowAccessToArchiveBucket",
        "Effect": "Allow",
        "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:GetBucketLocation"
        ],
        "Resource": [
            "arn:aws:s3:::<bucket name>/*",
            "arn:aws:s3:::<bucket name>"
        ]
    }
]
}

Replace the placeholder ARNs in the Resource elements with the actual ARNs for your bucket and AWS KMS key. For the KMS key, specify the full key, not an alias.

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowAccessToArchiveBucket",
        "Effect": "Allow",
        "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:GetBucketLocation"
        ],
        "Resource": [
            "arn:aws:s3:::<bucket name>/*",
            "arn:aws:s3:::<bucket name>"
        ]
    },
    {
        "Sid": "AllowKMSDecryptionOfArchiveBucket",
        "Effect": "Allow",
        "Action": [
            "kms:Decrypt"
        ],
        "Resource": [
            "arn:aws:kms:<region>:<acct#>:key/<UUID of key>"
        ]
    }
]
}

Fix any warnings or errors if necessary, then select Next.
Provide a name and optional description for the policy. Remember the policy name; you will use it when you create the IAM role.
Select Create Policy.

Create the IAM Role

Next, create an IAM role that can access your Amazon S3 bucket, and authorize Honeycomb to assume that role when interacting with your bucket:

Sign in to the AWS Management Console and open the IAM console.
In the navigation pane, select Roles, and then choose Create role.
For the role type, select Custom trust policy.

In the Custom trust policy section, use the appropriate trust policy, depending on your team’s Honeycomb instance: US:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::702835727665:role/production-eks-bulk-ingest-role"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

EU:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::919259170365:role/production-eu1-eks-bulk-ingest-role"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Select Next.
In the Permissions policies section, search for the name of the IAM policy that you created in the previous section.
Select the checkbox for that IAM policy in the results.
Skip the permissions boundary:
Select Next.
Provide a name and optional description for the IAM role.
Select Create Role.

KMS Users: Check Your Key PolicyIf the data in your S3 bucket is encrypted with an AWS KMS encryption key, ensure that the corresponding KMS Key Policy allows this IAM Role to use the key to perform kms:Decrypt actions. If the IAM Role does not have permission to decrypt using the KMS key, rehydration will fail.

To complete your setup, share the following details with your Honeycomb account team:

The name of your AWS S3 bucket
The ARN of the IAM role that will interact with the bucket
To locate the IAM Role’s ARN:
1. In the IAM service’s navigation pane in the console, choose Roles.
2. Search for the name of the IAM role you created, then choose the role from the results.
3. In the Summary section, locate ARN, and use the copy icon to copy the ARN value to your clipboard.
s3_prefix from your OpenTelemetry Collector exporter configuration, if configured
s3_partition_format from your OpenTelemetry Collector exporter configuration, if configured
indexed_fields from your OpenTelemetry Collector exporter configuration, if you configured custom indexed fields

​Create an IAM Policy

​Create the IAM Role

​Share with Your Honeycomb Account Team

Create an IAM Policy

Create the IAM Role

Share with Your Honeycomb Account Team