# LogPush for Amazon S3 (AWS)

## Overview

Our services will periodically push audit logs to a customer-managed AWS S3 bucket. Authentication and authorization are handled by AWS Security Token Service with an explicit trust relationship between a Sourcegraph-owned GCP identity (GCP Service Account) and the customer-managed AWS S3 bucket.

## Steps

To enable this feature, please contact your assigned Customer Engineer (CE) or support team to obtain the specific instructions. Below is a high-level overview of the steps.

-   Sourcegraph provides the following information to the customer:
    -   GCP identity (GCP Service Account)
    -   a unique file to prove bucket ownership
-   The customer performs the following:
    -   creates an S3 bucket
    -   configures the trust relationship with AWS IAM
    -   uploads the ownership file to prove bucket ownership
-   The customer informs Sourcegraph of the S3 bucket ARN and the AWS IAM role ARN

Once completed, Sourcegraph will complete the LogPush configuration and start sending logs to the customer-managed S3 bucket.

## FAQ

### How does the authentication work?

Sourcegraph will provide instructions on how to configure the trust relationship between the Sourcegraph-owned GCP identity (GCP Service Account) and the customer-managed AWS S3 bucket. We will also provide an example configuration in Terraform. At a high level:

-   The customer creates an AWS IAM role:
    -   with a policy that permits the role to access the S3 bucket
    -   with a policy that permits the Sourcegraph-owned GCP Service Account (GSA) to assume the role
-   Sourcegraph assumes the provisioned AWS IAM role to access the bucket
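
A check a customer could run over the two policies before sending the role ARN to Sourcegraph, as an added example that is not Sourcegraph's own configuration. It assumes the role is assumed through Google web identity federation (`sts:AssumeRoleWithWebIdentity`, pinned with the `accounts.google.com:sub` condition key); the function names, the service account unique ID and the bucket name are constructed for illustration.

```python
GOOGLE_IDP = "accounts.google.com"  # assumption: GSA federates through Google's IdP
SUB_KEY = f"{GOOGLE_IDP}:sub"       # AWS condition key carrying the token's subject

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_trust(policy, gsa_id):
    """Findings for a role trust policy that should admit exactly one GSA."""
    findings = []
    for n, st in enumerate(as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict) or as_list(principal.get("Federated")) != [GOOGLE_IDP]:
            findings.append(f"trust[{n}]: principal is not only the Google identity provider")
            continue
        if as_list(st.get("Action")) != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"trust[{n}]: unexpected action")
        pins = st.get("Condition", {}).get("StringEquals", {})
        # Without this pin, any Google-issued identity token satisfies the trust policy.
        if set(as_list(pins.get(SUB_KEY, []))) != {gsa_id}:
            findings.append(f"trust[{n}]: not pinned to the expected GSA")
    return findings

def lint_access(policy, bucket_arn):
    """Findings for the permission policy: no wildcards, nothing outside the bucket."""
    findings = []
    for n, st in enumerate(as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        if any("*" in action for action in as_list(st.get("Action", "*"))):
            findings.append(f"access[{n}]: wildcard action")
        for res in as_list(st.get("Resource", "*")):
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"access[{n}]: resource outside bucket: {res}")
    return findings

# Constructed sample values, not real identifiers.
GSA_ID = "100000000000000000001"
BUCKET = "arn:aws:s3:::example-logpush-bucket"
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": GOOGLE_IDP},
    "Action": "sts:AssumeRoleWithWebIdentity"}]}
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [
    {**OPEN_TRUST["Statement"][0], "Condition": {"StringEquals": {SUB_KEY: GSA_ID}}}]}
ACCESS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:PutObject"], "Resource": f"{BUCKET}/*"}]}
```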
