I have AWS Pinpoint in Account A and a Kinesis Data Firehose in Account B, which stores the data in S3 in account B. There is an option in Pinpoint to stream events directly to Kinesis Streams (I am using Firehose for my use case). But using the AWS console, the Firehose stream present in account B is not listed in account A for generating the connection.
So I tried using IAM Assume Role for cross-account access. I created RoleA in account A (Pinpoint) and RoleB in account B (Firehose).
RoleB - Identity Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "firehose:PutRecordBatch",
        "firehose:DescribeDeliveryStream"
      ],
      "Resource": [
        "arn:aws:firehose:*region*:*AccountB_id*:deliverystream/*FirehoseStreamName*"
      ]
    }
  ]
}
RoleB - Trust Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::*AccountA_id*:role/*RoleA*"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
RoleA - Identity Policy
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::*AccountB_id*:role/*RoleB*"
  }
}
Since it was not possible to connect Firehose and Pinpoint using the console, I used the AWS CLI and received an error.
aws-cli command
aws pinpoint put-event-stream --application-id *accA-pinpoint-project-id* --write-event-stream '{"DestinationStreamArn": "*accB-firehose-arn*", "RoleArn": "*accA-role-arn*"}' --profile *accA-profile*
error
An error occurred (BadRequestException) when calling the PutEventStream operation: Destination stream validation failed. Check Destination and Role ARN values and make sure the IAM Role is configured correctly.
So please help me out if anyone has done a cross-account connection between these two services.
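Added here as a pre-flight check, not part of the question or of any AWS tooling: an offline lint over the three policy documents that validates the shape of the role and Firehose ARNs and checks that the RoleA to RoleB to delivery-stream chain is consistent before calling put-event-stream. The account ids, role names and stream name are constructed placeholders.

```python
import re

# Constructed stand-ins for the question's placeholders (*AccountA_id*, *RoleA*, *RoleB*,
# *FirehoseStreamName*); none of these are real accounts, roles or streams.
ROLE_A_ARN = "arn:aws:iam::111111111111:role/RoleA"
ROLE_B_ARN = "arn:aws:iam::222222222222:role/RoleB"
STREAM_ARN = "arn:aws:firehose:us-east-1:222222222222:deliverystream/MyStream"
# Shape of a well-formed IAM role ARN and of a Firehose delivery-stream ARN.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
STREAM_ARN_RE = re.compile(r"^arn:aws:firehose:[a-z0-9-]+:\d{12}:deliverystream/[\w.-]+$")

def _as_list(v):
    # IAM accepts either a single string or a list for Statement/Resource/Principal.
    return v if isinstance(v, list) else [v]

def lint(role_a_policy, role_b_trust, role_b_policy,
         role_a=ROLE_A_ARN, role_b=ROLE_B_ARN, stream=STREAM_ARN):
    """Return findings that would break the RoleA -> RoleB -> Firehose chain; [] if consistent."""
    findings = []
    # 1. RoleA must be allowed to assume RoleB, named by a well-formed role ARN.
    for st in _as_list(role_a_policy["Statement"]):
        for res in _as_list(st["Resource"]):
            if not ROLE_ARN_RE.match(res):
                findings.append(f"RoleA policy: {res!r} is not a valid IAM role ARN")
            elif res != role_b:
                findings.append(f"RoleA policy: resource {res} is not RoleB")
    # 2. RoleB's trust policy must list RoleA as an AWS principal.
    principals = [p for st in _as_list(role_b_trust["Statement"])
                  for p in _as_list(st["Principal"].get("AWS", []))]
    if role_a not in principals:
        findings.append("RoleB trust policy: RoleA is not a trusted principal")
    # 3. RoleB must be allowed to write to the target delivery stream.
    for st in _as_list(role_b_policy["Statement"]):
        for res in _as_list(st["Resource"]):
            if not STREAM_ARN_RE.match(res):
                findings.append(f"RoleB policy: {res!r} is not a valid Firehose ARN")
            elif res != stream:
                findings.append(f"RoleB policy: resource {res} is not the target stream")
    return findings

# Constructed documents in the shape of the ones in the question.
ROLE_B_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                "Principal": {"AWS": [ROLE_A_ARN]}, "Action": "sts:AssumeRole"}]}
ROLE_B_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                 "Action": ["firehose:PutRecordBatch", "firehose:DescribeDeliveryStream"],
                 "Resource": [STREAM_ARN]}]}
# A RoleA policy whose resource ARN lacks the ":role/" segment: lint() flags it as malformed.
ROLE_A_BAD = {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
              "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::222222222222/RoleB"}}
```

Run `lint(ROLE_A_BAD, ROLE_B_TRUST, ROLE_B_POLICY)` to see the malformed-ARN finding; a clean set of documents returns an empty list.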