Skip to content

docs: onboarding guide for federated private S3 backends#18

Draft
alukach wants to merge 1 commit into
mainfrom
docs/330-federated-s3-onboarding
Draft

docs: onboarding guide for federated private S3 backends#18
alukach wants to merge 1 commit into
mainfrom
docs/330-federated-s3-onboarding

Conversation

@alukach

@alukach alukach commented Jun 20, 2026

Copy link
Copy Markdown

Draft. Addresses source-cooperative/source.coop#330 (app-side epic source-cooperative/source.coop#325).

Cross-repo, so it won't auto-close #330 — I'll close that manually on merge.

What

A new Connect a Private S3 Bucket guide under Using Source (docs/using-source/connect-private-s3.md, added to the sidebar after Access Data Through the Source Data Proxy).

It covers customer onboarding for federated backends:

  • How it works (the proxy is an OIDC IdP; it assumes a customer IAM role via AssumeRoleWithWebIdentity at request time — Source stores only the role ARN, no secret at rest).
  • The federation contract table: issuer https://data.source.coop, audience source-coop-data-proxy, subject scv1:conn:<connection-id>:<account>/<product> (trust-policy wildcard scv1:conn:<connection-id>:*).
  • Step-by-step: create the OIDC provider → create the role (trust policy + prefix-scoped read permission policy) → send Source the role ARN.
  • Copy-paste CloudFormation and Terraform, parameterized by connection id, bucket, and prefix.
  • Troubleshooting.

Matches the design pivot: one fixed product-grained subject → a single trust-policy template (the original issue's "per-subject_scope" examples are obsolete). Pairs with the in-UI sub-pattern preview in source-cooperative/source.coop#377.

⚠️ Why draft — needs confirmation before publishing

  1. Feature isn't live. The proxy-side federation (data.source.coop #137/#141) isn't shipped; https://data.source.coop/.well-known/openid-configuration currently returns 403. The guide documents an unreleased flow.
  2. Confirm the contract values against the deployed proxy before publishing: the exact aud (source-coop-data-proxy), the issuer host, and the sub format (scv1:conn:{id}:{account}/{product}). These come from the epic design; they must match what the proxy actually mints.
  3. Docusaurus build not run locally (would need a full npm install in the sandbox) — relying on CI/preview to confirm it builds. The doc is plain .md matching existing conventions, and the sidebar id matches the file path.

🤖 Generated with Claude Code

@alukach @claude
docs: onboarding guide for federated private S3 backends
27cd8e5 
Adds a "Connect a Private S3 Bucket" guide under Using Source: how Source serves
a private bucket via OIDC federation (Source stores only a role ARN, no
credentials), the federation contract (issuer / audience / subject), step-by-step
IAM setup, and copy-paste CloudFormation + Terraform parameterized by connection
id, bucket, and prefix.

Addresses source-cooperative/source.coop#330.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@vercel

vercel Bot commented Jun 20, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs-source-coop Ready Ready Preview, Comment Jun 20, 2026 4:12am

Request Review

@alukach alukach mentioned this pull request Jun 20, 2026
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@alukach