Begin defining an Amazon S3 federated provider

To set up federated search for Amazon S3 on your Splunk Cloud Platform deployment, you must define one or more federated providers for that deployment. A federated provider definition gives your Splunk Cloud Platform deployment the means to establish a connection with a specific Amazon S3 account and search over specific datasets in that Amazon S3 account.

This task covers the Provider basics step of the workflow for creating an Amazon S3 federated provider. In this task you name your Amazon S3 federated provider definition and provide the account ID for the AWS account that has the Amazon S3 data that you want to search.

Prerequisites

  • You must have the following:
    • A role on your Splunk Cloud Platform deployment with the admin_all_objects capability. See Define roles on the Splunk platform with capabilities in Securing Splunk Cloud Platform.
    • An AWS account and an AWS IAM role with permissions that let you attach and modify policies for Amazon S3 locations and an AWS Glue data catalog. Contact your AWS administrator for assistance with permissions.
  • You must turn on token authentication for your Splunk Cloud Platform deployment. See Enable or disable token authentication in Securing Splunk Cloud Platform.

Steps

  1. On your Splunk Cloud Platform deployment, in Splunk Web, select Settings, then Federation.
  2. On the Federated Providers tab of the Federation page, select Add federated provider.
  3. Select the Amazon S3 federated provider type and select Next.
  4. On Provider basics, the first step of the Add a new federated provider workflow, enter a unique Provider name. The provider name can contain only alphanumeric characters, underscores, and hyphens.
  5. Enter the 12-digit AWS Account ID for the AWS account that has Amazon S3 buckets that you want to search.
  6. Select Continue to move on to the Provider details step of the Create provider workflow.
    See Define Amazon S3 provider details.
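
A pre-flight check for the values entered in steps 4 and 5, added here as an example and not part of the Splunk documentation. The function name `check_providers` and the sample values are hypothetical. The check assumes "alphanumeric" means ASCII letters and digits, and it tests uniqueness by exact match within the planned list only, not against providers that already exist on the deployment.

```python
import re

# Constraints taken from the Provider basics step on this page.
# Assumption: "alphanumeric" is read as ASCII letters and digits.
PROVIDER_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")
ACCOUNT_ID_RE = re.compile(r"[0-9]{12}")


def check_providers(planned):
    """Return a list of (provider_name, problem) tuples; empty means all pass.

    `planned` is a list of (provider_name, account_id) pairs.
    """
    problems = []
    seen = set()
    for name, account_id in planned:
        if not isinstance(name, str) or not PROVIDER_NAME_RE.fullmatch(name):
            problems.append((name, "name may contain only alphanumerics, underscores, hyphens"))
        elif name in seen:
            problems.append((name, "provider name is not unique"))
        else:
            seen.add(name)
        # Account IDs are identifiers, not numbers: a value read as an int
        # (for example from YAML or a spreadsheet) loses leading zeros.
        if not isinstance(account_id, str):
            problems.append((name, "account ID must be kept as a string"))
        elif not ACCOUNT_ID_RE.fullmatch(account_id):
            problems.append((name, "account ID must be exactly 12 digits"))
    return problems


# Constructed sample input; none of these are real accounts.
SAMPLE = [
    ("s3_audit-logs", "012345678901"),   # valid, leading zero preserved
    ("s3 audit logs", "123456789012"),   # spaces are not allowed in the name
    ("s3_audit-logs", "123456789012"),   # duplicate provider name
    ("s3_cloudtrail", 12345678901),      # int: leading zero already lost
    ("s3_vpcflow", "1234-5678-9012"),    # hyphenated display form, not 12 digits
]

if __name__ == "__main__":
    for name, problem in check_providers(SAMPLE):
        print(f"{name!r}: {problem}")
```

An account ID that passes the format check can still be the wrong account, so confirm it with your AWS administrator before you continue to the Provider details step.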