Set Up an Amazon S3 Archive with Terraform


Note
This feature is available as an add-on for the Honeycomb Enterprise plan. Please contact your Honeycomb account team for details.

To set up trace and log rehydration from your Amazon S3 bucket, you’ll need to create an AWS IAM role with:

  • Access to your S3 bucket and permission to list and retrieve objects.
  • A trust policy that grants a Honeycomb IAM role permission to use the role when interacting with the S3 bucket.

You can use Terraform or the AWS Management Console to create the necessary AWS resources. After you’ve created the IAM policy and role, you’ll need to contact your Honeycomb account team to finish setting up your S3 archive.

Create an IAM Policy 

First, create an IAM policy with permissions for listing and retrieving objects from your Amazon S3 bucket:

data "aws_iam_policy_document" "s3_bucket_access" {
  statement {
    effect = "Allow"
    actions = [
      "s3:GetObject",
      "s3:ListBucket",
      "s3:GetBucketLocation"
    ]

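    # your_s3_bucket_arn is a placeholder: substitute your bucket's ARN.
    # The bucket ARN covers s3:ListBucket and s3:GetBucketLocation;
    # the "/*" form covers s3:GetObject on the objects inside it.
    resources = [
      your_s3_bucket_arn,
      "${your_s3_bucket_arn}/*"
    ]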
  }
}

resource "aws_iam_policy" "s3_bucket_access" {
  name   = "${var.env}_s3_bucket_access"
  policy = data.aws_iam_policy_document.s3_bucket_access.json
}

Create the IAM Role 

Next, create an IAM role with permission to access your Amazon S3 bucket and give Honeycomb permission to use this role when interacting with your Amazon S3 bucket:

data "aws_iam_policy_document" "hny_assume_role_policy" {
  statement {
    effect = "Allow"
    actions = [
      "sts:AssumeRole"
    ]
    principals {
      type = "AWS"
      identifiers = [honeycomb_role_arn]
    }
  }
}

resource "aws_iam_role" "hny_s3_bucket_access_role" {
  name               = "${var.env}-hny-s3-bucket-access-role"
  assume_role_policy = data.aws_iam_policy_document.hny_assume_role_policy.json
}

Replace honeycomb_role_arn in the above example with one of the following ARN values:

For Production US teams:

"arn:aws:iam::702835727665:role/production-eks-bulk-ingest-role"

For Production EU teams:

"arn:aws:iam::919259170365:role/production-eu1-eks-bulk-ingest-role"

Attach the Policy to the Role 

Attach the "s3_bucket_access" policy you created to your new IAM role:

resource "aws_iam_role_policy_attachment" "s3_bucket_access" {
  # Must reference the role declared above (aws_iam_role.hny_s3_bucket_access_role).
  role       = aws_iam_role.hny_s3_bucket_access_role.name
  policy_arn = aws_iam_policy.s3_bucket_access.arn
}
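
Before you share the role ARN, you can check the rendered JSON of both policy documents against what this page specifies: only the Honeycomb principal may assume the role, and the role may only list and retrieve objects in the one bucket. The following is an added example, not Honeycomb's code; the function names and the sample document are constructed for illustration.

```python
import json

# Principals and actions come from this page; anything else is reported.
HONEYCOMB_ROLE_ARNS = {
    "arn:aws:iam::702835727665:role/production-eks-bulk-ingest-role",
    "arn:aws:iam::919259170365:role/production-eu1-eks-bulk-ingest-role",
}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:getbucketlocation"}

def _as_list(value):
    """IAM JSON accepts a bare string or a list; normalise to a list."""
    return value if isinstance(value, list) else [] if value is None else [value]

def _allow_statements(doc, label, findings):
    """Yield (tag, statement) per Allow statement; report Not* inversions."""
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") == "Allow":
            findings += [f"{label}[{i}]: {k} inverts the match" for k in stmt if k.startswith("Not")]
            yield f"{label}[{i}]", stmt

def audit_trust_policy(doc):
    """Report trusted principals or actions beyond Honeycomb + sts:AssumeRole."""
    findings = []
    for tag, stmt in _allow_statements(doc, "trust", findings):
        principal = stmt.get("Principal", {})
        pairs = [("*", "*")] if principal == "*" else [
            (kind, arn) for kind, ids in principal.items() for arn in _as_list(ids)]
        findings += [f"{tag}: unexpected principal {kind}={arn}" for kind, arn in pairs
                     if kind != "AWS" or arn not in HONEYCOMB_ROLE_ARNS]
        findings += [f"{tag}: unexpected action {a}" for a in _as_list(stmt.get("Action"))
                     if a.lower() != "sts:assumerole"]
    return findings

def audit_access_policy(doc, bucket_arn):
    """Report actions or resources beyond list/retrieve on the one bucket."""
    findings = []
    for tag, stmt in _allow_statements(doc, "access", findings):
        findings += [f"{tag}: action {a} is not list/retrieve" for a in _as_list(stmt.get("Action"))
                     if a.lower() not in READ_ACTIONS]
        findings += [f"{tag}: resource {r} is outside the bucket" for r in _as_list(stmt.get("Resource"))
                     if r not in (bucket_arn, f"{bucket_arn}/*")]
    return findings

# Constructed sample: the trust policy this page's Terraform renders (US principal).
SAMPLE_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::702835727665:role/production-eks-bulk-ingest-role"}}]}""")

if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_TRUST) or "trust policy matches the page")
```

An empty list from both functions means the role matches the configuration above. The comparison is deliberately exact, so wildcard actions such as `s3:*` or a `*` resource are reported.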

Share with Your Honeycomb Account Team 

To complete your setup, share the following information with your Honeycomb account team:

  • The name of your Amazon S3 bucket.
  • The ARN of the IAM role that will interact with your bucket.
  • s3_prefix from your OpenTelemetry Collector exporter configuration, if specified.
  • s3_partition_format from your OpenTelemetry Collector exporter configuration, if specified.

How to Find the ARN of the IAM Role in the AWS Console 

  1. In the navigation pane of the IAM service in the console, choose Roles.
  2. In the Search bar, type the name of the IAM role created. Choose the name of the IAM role in the results below the Search bar.
  3. In the Summary section, under the ARN heading, use the copy icon next to the ARN to copy the ARN value to your clipboard.
  4. Share this value with your Honeycomb account team.