We expect attachments/files sent while creating the job to be one of the following:

  • Publicly accessible links or
  • Private URLs when object hosted on AWS S3 or
  • Private URLs or gs protocol URI (gs://) when object hosted on GCP

S3 IAM Access

If you use AWS S3 to store data and you create jobs with attachments as http: or https: URLs, we will fetch your data using Cross-account Access.

Cross-account Access

We will directly fetch attachments from your S3 bucket, using AWS account ID 475757276268 (canonical ID d4b5723a54db6f9da8a68f4c24233880793bf1d68dd11e7e2b4989bd2c71c59a), which you can grant access to on a per-object basis using ACLs or using bucket policies.

For most customers, we recommend setting a Bucket Policy that shares the bucket's contents with Playment's account.

A sample Bucket Policy is shown below. Please be sure to replace YOUR_BUCKET_NAME with the name of your bucket, leaving the /* as shown or replacing it with a more specific bucket path to further restrict access.

Please note that if using Access Control Lists (ACLs), each object must have its ACL individually updated to grant read access to our account, as Bucket ACLs cannot grant read permissions to the objects inside.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "playment-s3-access",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::475757276268:root"
                ]
            },
            "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
        }
    ]
}

Please note that this authentication mechanism suffers from the confused deputy problem — a third party that can guess your S3 URLs will be able to submit tasks with your data.
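
A pre-deployment check for the bucket policy described above, as an added example rather than Playment's own tooling: it flags Allow statements that name a principal other than Playment's account, grant anything beyond s3:GetObject, still contain the YOUR_BUCKET_NAME placeholder, or cover the whole bucket instead of a prefix. The function name audit_policy, the bucket example-bucket and the prefix playment-jobs/ are assumptions made for illustration.

```python
import json

# Principal forms for Playment's AWS account, all taken from this page.
ALLOWED_PRINCIPALS = {
    "arn:aws:iam::475757276268:root",
    "475757276268",
    "d4b5723a54db6f9da8a68f4c24233880793bf1d68dd11e7e2b4989bd2c71c59a",
}

def _as_list(value):
    """IAM JSON accepts a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return findings for every Allow statement in a bucket policy."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        # "Principal": "*" and {"AWS": "*"} both mean any caller.
        groups = principal.values() if isinstance(principal, dict) else [principal]
        for p in (p for g in groups for p in _as_list(g)):
            if p not in ALLOWED_PRINCIPALS:
                findings.append(f"{sid}: principal {p} is not Playment's account")
        for action in _as_list(stmt.get("Action")):
            if action != "s3:GetObject":
                findings.append(f"{sid}: action {action} goes beyond s3:GetObject")
        for res in _as_list(stmt.get("Resource")):
            key = res.split(":::", 1)[-1].partition("/")[2]
            if "YOUR_BUCKET_NAME" in res:
                findings.append(f"{sid}: placeholder bucket name not replaced")
            elif key in ("", "*"):
                findings.append(f"{sid}: resource {res} covers the whole bucket")
    return findings

# Constructed sample: the page's policy narrowed to a hypothetical prefix.
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "playment-s3-access", "Effect": "Allow", "Action": ["s3:GetObject"],
    "Principal": {"AWS": ["arn:aws:iam::475757276268:root"]},
    "Resource": "arn:aws:s3:::example-bucket/playment-jobs/*"}]})

if __name__ == "__main__":
    print(audit_policy(SCOPED) or "no findings")
```

The whole-bucket finding is advisory: the sample policy's /* is valid, and a narrower path only restricts access further.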

Google Cloud Storage Access

If you use Google Cloud Storage to store data and submit tasks with attachments as gs: protocol URIs, rather than http: or https:, we will use the Google Cloud Storage API to fetch your data. For example, instead of sending https://storage.googleapis.com/bucket/key, you would send gs://bucket/key.

We will fetch attachments from your GCS bucket, using our GCP service account [email protected]. You can grant access to this service account on a per-object basis with ACLs, or on a per-bucket basis with Cloud IAM permissions.

IP Whitelisting

Playment uses a consistent set of IP addresses to fetch data and send callbacks, allowing for IP whitelisting of attachments sent to us, as well as for callback endpoints, to increase data security.

If you are enabling IP whitelisting, we request that you whitelist the IP addresses listed below for access to your data, and we will only fetch content using these IP addresses. In this way, you can secure your content from the public while still allowing Playment to access it.

52.66.129.133

Please let us know here if you face any issue with data security.