Skip to main content

Export to AWS S3

Overview

Our Raw and Event export features allow you to receive data into AWS S3. This document provides guidance on how to provision required AWS components along with a set of permissions sufficient for the GameAnalytics export service.

GameAnalytics export requires permissions to perform s3:PutObject and s3:PutObjectAcl actions to the bucket where the data is supposed to be stored. The export is performed under arn:aws:iam::118928031713:role/live-export-job-batch-copy-role role, which one could grant the required permissions using the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::118928031713:role/live-export-job-batch-copy-role"
      },
      "Action": ["s3:PutObject", "s3:PutObjectAcl"],
      "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>/*"
    }
  ]
}

Where YOUR_BUCKET_NAME should be replaced with a name of the bucket to which the policy is attached.

Please ensure that the bucket has "Object Ownership" set to Bucket owner preferred:

Bucket ownership preferences

Encryption

It is highly recommended to setup the destination bucket with a service side encryption enabled. The provided cfn template ensures that the destination bucket uses AWS:KMS encryption by default.

If AWS:KMS default encryption is enabled, please make sure to grant GameAnalytics data role enough permissions to be able to use the key to write to the destination bucket via a KMS key policy:

{
  "Version": "2012-10-17",
  "Id": "allow-ga-write",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<YOUR AWS ACCOUNT ID>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow GameAnalytics to write the data",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::118928031713:role/live-export-job-batch-copy-role"
      },
      "Action": "kms:GenerateDataKey",
      "Resource": "*"
    }
  ]
}

Helpers

To help you to provision all the required resources one can use pre-created AWS CloudFormation templates that you can find here.

Using AWS CLI tool

Prerequisites:

  • AWS CLI (installing the AWS CLI)
  • This repository (clone it)
  • JQ
  • AWS Account
  • Bucket where the CloudFormation templates will be uploaded

1. Upload the CloudFormation templates to S3 bucket

aws s3 sync ./cfn s3://<CFN_BUCKET_NAME>/gameanalytics/export/cfn/

2. Create the stack using aws cli

aws cloudformation create-stack --stack-name gameanalytics-data-export \
    --template-url https://<CFN_BUCKET_NAME>.s3.amazonaws.com/gameanalytics/export/cfn/s3.yaml \
    --parameters \
        ParameterKey=S3PolicyStackTemplateURL,ParameterValue=https://<CFN_BUCKET_NAME>.s3.amazonaws.com/gameanalytics/export/cfn/s3-policy.yaml

3. Wait until the stack is created

aws cloudformation describe-stacks --stack-name gameanalytics-data-export \
    | jq -r '.Stacks[].StackStatus'

4. Get the bucket ARN to provide the GameAnalytics export service

aws cloudformation describe-stacks --stack-name gameanalytics-data-export \
    | jq -r '.Stacks[].Outputs[].OutputValue'

If the stack is created successfully you should be able to see ARN of the created bucket, which would be similar to arn:aws:s3:::gameanalytics-data-export-s3bucket-81mhh0wqeskx.