LogPush for Amazon S3 (AWS)
Overview
Our services will periodically push audit logs to a customer-managed AWS S3 bucket. Authentication and authorization are handled by AWS Security Token Service (STS), with an explicit trust relationship between a Sourcegraph-owned GCP identity (GCP Service Account) and the customer-managed AWS S3 bucket.
Steps
To enable this feature, contact your assigned Customer Engineer (CE) or the support team to obtain the specific instructions. Below is a high-level overview of the steps.
- Sourcegraph provides the following information to the customer:
  - GCP identity (GCP Service Account)
  - a unique file to prove bucket ownership
- Customer performs the following:
  - creates an S3 bucket
  - configures the trust relationship with AWS IAM
  - uploads the ownership file to prove bucket ownership
- Customer informs Sourcegraph of the S3 bucket ARN and the AWS IAM role ARN
Once completed, Sourcegraph will complete the LogPush configuration and start sending logs to the customer-managed S3 bucket.
FAQ
How does the authentication work?
Sourcegraph will provide instructions on how to configure the trust relationship between the Sourcegraph-owned GCP identity (GCP Service Account) and the customer-managed AWS S3 bucket. We will also provide an example configuration in Terraform. At a high level:
- Customer creates an AWS IAM role:
  - with a permissions policy allowing the role to access the S3 bucket
  - with a trust policy allowing the Sourcegraph-owned GSA (GCP Service Account) to assume the role
- Sourcegraph assumes the provisioned AWS IAM role to access the bucket
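The following Terraform is an added illustration of the two policies described above; it is not the example configuration Sourcegraph provides. It assumes the Sourcegraph GSA is identified by its numeric unique ID (`var.sourcegraph_gsa_unique_id`), that the bucket name is supplied as `var.bucket_name`, and that the role needs only to write objects and read back the ownership file; follow the action list in the instructions you receive.

```hcl
# Added example, not Sourcegraph's own configuration. Placeholders:
#   var.sourcegraph_gsa_unique_id  numeric unique ID of the Sourcegraph GSA
#   var.bucket_name                customer-chosen S3 bucket name
variable "sourcegraph_gsa_unique_id" { type = string }
variable "bucket_name"               { type = string }

resource "aws_s3_bucket" "logpush" {
  bucket = var.bucket_name
}

# Trust policy: only the named GSA, authenticating through Google's web
# identity federation, may assume this role.  Pinning "sub" to the unique
# ID (rather than the email) survives deletion and re-creation of a
# service account with the same name.
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = ["accounts.google.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "accounts.google.com:sub"
      values   = [var.sourcegraph_gsa_unique_id]
    }
  }
}

resource "aws_iam_role" "logpush" {
  name               = "sourcegraph-logpush"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Permissions policy: scoped to objects in this one bucket.  Assumed action
# set: write log objects and read the ownership file; nothing bucket-wide.
data "aws_iam_policy_document" "bucket_access" {
  statement {
    effect    = "Allow"
    actions   = ["s3:PutObject", "s3:GetObject"]
    resources = ["${aws_s3_bucket.logpush.arn}/*"]
  }
}

resource "aws_iam_role_policy" "logpush" {
  role   = aws_iam_role.logpush.id
  policy = data.aws_iam_policy_document.bucket_access.json
}

# The two values the customer hands back to Sourcegraph.
output "bucket_arn" { value = aws_s3_bucket.logpush.arn }
output "role_arn"   { value = aws_iam_role.logpush.arn }
```

After `terraform apply`, the `role_arn` and `bucket_arn` outputs are the values requested in the Steps section; CloudTrail `AssumeRoleWithWebIdentity` events for this role are the place to confirm that only the expected GSA ever assumes it.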