Set Up an Amazon S3 Archive with AWS Console


Note
This feature is available as an add-on for the Honeycomb Enterprise plan. Please contact your Honeycomb account team for details.

To set up trace and log rehydration from your Amazon S3 bucket, you’ll need to create an AWS IAM role with:

  • Access to your S3 bucket and permission to list and retrieve objects.
  • A trust policy that grants a Honeycomb IAM role permission to use the role when interacting with the S3 bucket.

You can use the AWS Management Console or Terraform to create the necessary AWS resources. After you’ve created the IAM policy and role, you’ll need to contact your Honeycomb account team to finish setting up your S3 archive.

Create an IAM Policy 

First, create an IAM policy with permissions for listing and retrieving objects from your Amazon S3 bucket:

  1. Sign in to the AWS Management Console and open the IAM console.

  2. In the navigation pane on the left, choose Policies.

  3. Select Create policy.

  4. In the Policy editor, select the JSON option.

  5. Paste the following JSON policy document into the editor, replacing <bucket name> with the name of your Amazon S3 bucket:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAccessToArchiveBucket",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": [
                    "arn:aws:s3:::<bucket name>/*",
                    "arn:aws:s3:::<bucket name>"
                ]
            }
        ]
    }
    
  6. If there are no warnings or errors, select Next.

  7. Name the policy and provide an optional description. Remember the name of the policy; you’ll need it when creating the IAM role.

  8. Select Create Policy.

Create the IAM Role 

Next, create an IAM role with permissions to interact with your Amazon S3 bucket, and give Honeycomb permission to use this role when interacting with the bucket.

  1. Sign in to the AWS Management Console and open the IAM console.

  2. In the navigation pane, choose Roles and then choose Create role.

  3. Select the Custom trust policy role type.

  4. In the Custom trust policy section, use one of the following custom trust policies for the role:

    For Production US teams:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::702835727665:role/production-eks-bulk-ingest-role"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    

    For Production EU teams:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::919259170365:role/production-eu1-eks-bulk-ingest-role"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    
  5. Select Next.

  6. In the Permissions policies section, use the search bar to find the IAM policy that has the permissions on your Amazon S3 bucket by typing its name.

  7. Select the checkbox to the left of the IAM policy name in the results below the Search bar.

  8. You can skip setting a permissions boundary, which appears at the bottom of this page.

  9. Select Next.

  10. Give the IAM role a name and an optional description.

  11. Select Create Role.
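
Before sharing the role, you can check that neither policy document grants more than the ones shown above. The following is an added example, not Honeycomb's own code: the function names are hypothetical, the inputs are the policy JSON documents as pasted into the editor, and the sample policy is constructed.

```python
import json

# Honeycomb role ARNs and S3 actions copied from the policies on this page.
HONEYCOMB_PRINCIPALS = {
    "arn:aws:iam::702835727665:role/production-eks-bulk-ingest-role",
    "arn:aws:iam::919259170365:role/production-eu1-eks-bulk-ingest-role",
}
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"}
# Constructed sample: a trust policy widened to any AWS principal.
SAMPLE_TRUST = '{"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}'

def as_list(value):
    """IAM accepts either a string or a list for these fields."""
    return value if isinstance(value, list) else [value]

def allow_statements(doc, findings):
    """Yield Allow statements; flag Not* keys, which invert the match."""
    for st in as_list(json.loads(doc)["Statement"]):
        for key in ("NotAction", "NotResource", "NotPrincipal"):
            if key in st:
                findings.append(f"{key} is not expected here")
        if st.get("Effect") == "Allow":
            yield st

def check_trust_policy(doc):
    """Findings for a trust policy broader than the ones on this page."""
    findings = []
    for st in allow_statements(doc, findings):
        principal = st.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"unexpected principal: {principal}")
            continue
        findings += [f"unexpected principal: {a}"
                     for a in as_list(principal["AWS"]) if a not in HONEYCOMB_PRINCIPALS]
        findings += [f"unexpected action: {a}"
                     for a in as_list(st.get("Action", [])) if a != "sts:AssumeRole"]
    return findings

def check_permissions_policy(doc, bucket):
    """Findings for grants beyond read-only access to the one bucket."""
    scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for st in allow_statements(doc, findings):
        findings += [f"action beyond read-only set: {a}"
                     for a in as_list(st.get("Action", [])) if a not in READ_ACTIONS]
        findings += [f"resource outside bucket: {r}"
                     for r in as_list(st.get("Resource", [])) if r not in scope]
    return findings
```

An empty list from both functions means the documents match the scope shown on this page; each finding names the principal, action, or resource that goes beyond it.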

Share with Your Honeycomb Account Team 

To complete your setup, share the following information with your Honeycomb account team:

  • The name of your AWS S3 bucket.
  • The ARN of the IAM role that will interact with that bucket.
  • s3_prefix from your OpenTelemetry Collector exporter configuration, if specified.
  • s3_partition_format from your OpenTelemetry Collector exporter configuration, if specified.

How to Find the ARN of the IAM Role in the AWS Console 

  1. In the navigation pane of the IAM service in the console, choose Roles.
  2. In the Search bar, type the name of the IAM role created. Choose the name of the IAM role in the results below the Search bar.
  3. In the Summary section, under the ARN heading, use the copy icon next to the ARN to copy the ARN value to your clipboard.
  4. Share this value with your Honeycomb account team.