Merge pull request #1771 from segmentio/marin/aws-updates

stayseesong · web-flow · commit d422b8db5111 · 2021-07-30T11:05:22.000-07:00
Add documentation about using multiple externalIds to AWS destination docs
diff --git a/src/connections/destinations/catalog/amazon-kinesis-firehose/index.md b/src/connections/destinations/catalog/amazon-kinesis-firehose/index.md
@@ -40,7 +40,7 @@ To get started:
 	  1. Follow [these instructions](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html#roles-creatingrole-user-console) to create an IAM role to allow Segment permission to write to your Kinesis Firehose Stream.
 	  2. When prompted to enter an Account ID, enter `595280932656`.
 	  3. Select the checkbox to enable **Require External ID**.
-	  4. Enter your Segment Source ID as the **External ID**. This can be found in Segment by navigating to **Connections > Sources** and choosing the source you want to connect to your Kinesis Firehose destination. Click the **Settings** tab and choose **API Keys**.  
+	  4. Enter your Segment Source ID as the **External ID**. This can be found in Segment by navigating to **Connections > Sources** and choosing the source you want to connect to your Kinesis Firehose destination. Click the **Settings** tab and choose **API Keys**.
     - **Note:** If you have multiple sources using Kinesis, enter one of their source IDs here for now and then follow the procedure outlined in the [Multiple Sources](#best-practices) section at the bottom of this doc once you’ve completed this step and saved your IAM role.
       5. When adding permissions to your new role, find the policy you created in step 2 and attach it.
 
@@ -180,17 +180,17 @@ To attach multiple sources to your IAM role:
     }
     ```
 
-#### Use a single secret ID
+#### Use Secret ID
 
-If you have many sources using Kinesis that it's impractical to attach all of their IDs to your IAM role, you can set a single ID to use instead. 
+If you have many sources using Kinesis that it's impractical to attach all of their IDs to your IAM role, you can instead opt to set a Secret ID.
 
-To set this value for a single Secret ID:
+To set this value for a Secret ID:
 1. Go to the Kinesis Firehose destination settings from each of your Segment sources.
 2. Click **Secret ID** and enter your Workspace ID.
-    * **NOTE:** For security purposes, Segment recommends you to use your Segment Workspace ID as your Secret ID. If you’re using a Secret ID different from your Workspace ID, you're susceptible to attacks. You can find your Workspace ID by going to:  **Settings > Workspace Settings > ID** from the Segment dashboard.
+    * **NOTE:** For security purposes, Segment recommends you to use your Segment Workspace ID as your Secret ID. If you’re using a Secret ID different from your Workspace ID, please change it to make your account more secure. You can find your Workspace ID by going to:  **Settings > Workspace Settings > ID** from the Segment dashboard.
 3. Once all of your sources are updated to use this value, find the IAM role you created for this destination in the AWS Console in **Services > IAM > Roles**.
 4. Select the role and navigate to the **Trust Relationships** tab.
-5. Click **Edit trust relationship**. You should see a snippet that looks something that looks like this:
+5. Click **Edit trust relationship**. You should see a snippet that looks something like this:
 
     ```json
     {
@@ -211,4 +211,8 @@ To set this value for a single Secret ID:
       ]
     }
     ```
-6. Replace the value of `sts:ExternalId` ( "YOUR_SEGMENT_SOURCE_ID") with the Secret ID / Workspace ID value from the previous step.
+6. Replace the value of `sts:ExternalId` ( "YOUR_SEGMENT_SOURCE_ID") with the Secret ID value from the previous step. In the case of requiring the use of multiple secretIds, replace the `sts:ExternalId` setting above with:
+
+   ```
+    "sts:ExternalId": ["A_SECRET_ID", "ANOTHER_SECRET_ID"]
+   ```
diff --git a/src/connections/destinations/catalog/amazon-kinesis/index.md b/src/connections/destinations/catalog/amazon-kinesis/index.md
@@ -48,7 +48,7 @@ To get started:
 4. Create a new Kinesis destination.
    1. In the Segment source that you want to connect to your Kinesis destination, click **Add Destination**. Search and select the **Amazon Kinesis** destination.
    2. Enter the **Role Address**, **Stream Region**, **Stream Name**, and **Secret ID**.
-   * **NOTE:** For security purposes, Segment recommends you to use your Workspace ID as your Secret ID. If you’re using a Secret ID different from your Workspace ID, you’re susceptible to attacks. You can find your Workspace ID by going to: **Settings > Workspace Settings > ID**.
+   * **NOTE:** For security purposes, Segment recommends you to use your Workspace ID as your Secret ID. If you’re using a Secret ID different from your Workspace ID, please change it to make your account more secure. You can find your Workspace ID by going to: **Settings > Workspace Settings > ID**.
 
 ## Page
 If you're not familiar with the Segment Specs, take a look to understand what the [Page method](https://segment.com/docs/connections/spec/page/) does. An example call would look like:
@@ -213,11 +213,11 @@ The Kinesis destination defaults to use PutRecords. A previous version of the IA
    ```
 After you update the IAM policy, Segment systems default to use PutRecords for more efficient data transmission. This is a zero-downtime change and doesn't impact your data other than increasing the deliverability success rate.
 
-### Use a single secret ID
-If you have many sources using Kinesis that it's impractical to attach all of their IDs to your IAM role, you can instead opt to set a single ID to use. To set this value:
+### Use secret ID
+If you have many sources using Kinesis that it's impractical to attach all of their IDs to your IAM role, you can instead opt to set a secret ID. To set this value:
 1. Go to **Connections > Destinations > Amazon Kinesis** for each of your Segment sources.
 2. Click **Secret ID** and enter your Workspace ID.
-    * **NOTE:** For security purposes, Segment recommends you to use your Workspace ID as your Secret ID. If you’re using a Secret ID different from your Workspace ID, you're susceptible to attacks. You can find your Workspace ID by going to:  **Settings > Workspace Settings > ID**.
+    * **NOTE:** For security purposes, Segment recommends you to use your Workspace ID as your Secret ID. If you’re using a Secret ID different from your Workspace ID, please change it to make your account more secure. You can find your Workspace ID by going to:  **Settings > Workspace Settings > ID**.
 3. Once all of your sources have been updated to use this value, find the IAM role you created for this destination in the AWS Console in **Services > IAM > Roles**.
 4. Click on the role and navigate to the **Trust Relationships** tab.
 5. Click **Edit trust relationship**. You should see a snippet that looks something that looks like this:
@@ -241,4 +241,8 @@ If you have many sources using Kinesis that it's impractical to attach all of th
       ]
     }
     ```
-6. Replace the value of `sts:ExternalId` (`"YOUR_SEGMENT_SOURCE_ID"`) with your Secret ID.
+6. Replace the value of `sts:ExternalId` (`"YOUR_SEGMENT_SOURCE_ID"`) with your Secret ID. In the case of requiring the use of multiple secretIds, replace the `sts:ExternalId` setting above with:
+
+   ```
+    "sts:ExternalId": ["A_SECRET_ID", "ANOTHER_SECRET_ID"]
+   ```
diff --git a/src/connections/destinations/catalog/amazon-lambda/index.md b/src/connections/destinations/catalog/amazon-lambda/index.md
@@ -77,7 +77,7 @@ Using CloudFormation minimizes the setup steps needed, and is Segment's recommen
 
    5. Give your stack a name.
    6. For the **ExternalId** parameter, enter the "External ID" setting in your Segment Lambda destination settings. This should be your **Workspace ID**.
-      * **NOTE:** For security purposes, Segment recommends you to use your Workspace ID as your External ID. If you’re currently using an External ID different from your Workspace ID, you’ll be susceptible to attacks. You can find your Workspace ID by going to:  **Settings > Workspace Settings > ID**.
+      * **NOTE:** For security purposes, Segment recommends you to use your Workspace ID as your External ID. If you’re currently using an External ID different from your Workspace ID, please change it to make your account more secure. You can find your Workspace ID by going to:  **Settings > Workspace Settings > ID**.
    7. The **LambdaARN** parameter corresponds to the **Lambda** setting in your Segment Lambda destination settings.
 
       ![](images/CloudFormationStackDetails.png)
@@ -145,7 +145,7 @@ To create an IAM role:
 
     ![](images/LambdaTrustRelationship.png)
 
-7. Copy and paste the following code into your trust relationship. You should replace `<your-source-id>` with either the Source ID of the attached Segment source (the default) or whatever custom external ID you set in your AWS Lambda destination settings.
+7. Copy and paste the following code into your trust relationship. You should replace `<your-source-id>` with either the Source ID of the attached Segment source (the default) or the External ID set in your AWS Lambda destination settings.
   * `arn:aws:iam::595280932656:root` refers to Segment's AWS Account, and is what allows Segment's Destination to access the role to invoke your Lambda.
 
 > note ""
@@ -171,10 +171,10 @@ To create an IAM role:
     }
     ```
 
-If you have multiple Sources using this Role, replace the `sts:ExternalId` setting above with:
+If you have multiple Sources using this Role, or require the use of multiple External Ids, replace the `sts:ExternalId` setting above with:
 
 ```
-    "sts:ExternalId": ["YOUR_SEGMENT_SOURCE_ID", "ANOTHER_SOURCE_ID", "A_THIRD_SOURCE_ID"]
+    "sts:ExternalId": ["YOUR_SEGMENT_SOURCE_ID", "ANOTHER_SOURCE_ID", "AN_EXTERNAL_ID", "ANOTHER_EXTERNAL_ID"]
 ```
 
 ### Configure Segment Lambda Destination
diff --git a/src/connections/destinations/catalog/amazon-personalize/index.md b/src/connections/destinations/catalog/amazon-personalize/index.md
@@ -694,7 +694,7 @@ To create an IAM role:
 > note ""
 > **NOTE:** Your Source ID can be found by navigating to **Settings > API Keys** from your Segment source homepage.
 >
-> If you're using an External ID, for security purposes, Segment recommends you to use your Segment Workspace ID as your External ID. If you use an External ID different from your Workspace ID, you’re susceptible to attacks. You can find your Workspace ID by going to:  **Settings > Workspace Settings > ID** in the Segment dashboard.
+> If you're using an External ID, for security purposes, Segment recommends you to use your Segment Workspace ID as your External ID. If you use an External ID different from your Workspace ID, please change it to make your account more secure. You can find your Workspace ID by going to:  **Settings > Workspace Settings > ID** in the Segment dashboard.
 
 ```json
 {
@@ -716,10 +716,10 @@ To create an IAM role:
 }
 ```
 
-If you have multiple Source's using this Role, replace the `sts:ExternalId` setting above with
+If you have multiple Sources using this Role, or require the use of multiple externalIds, replace the `sts:ExternalId` setting above with:
 
-```json
-    "sts:ExternalId": ["YOUR_SEGMENT_SOURCE_ID", "ANOTHER_SOURCE_ID", "A_THIRD_SOURCE_ID"]
+```
+    "sts:ExternalId": ["YOUR_SEGMENT_SOURCE_ID", "ANOTHER_SOURCE_ID", "AN_EXTERNAL_ID", "ANOTHER_EXTERNAL_ID"]
 ```
 
 ### Build a Lambda Function to Process Segment Events

Original file line number	Diff line number	Diff line change
`@@ -694,7 +694,7 @@ To create an IAM role:`
`694`	`694`	`> note ""`
`695`	`695`	`> NOTE: Your Source ID can be found by navigating to Settings > API Keys from your Segment source homepage.`
`696`	`696`	`>`
`697`		`-> If you're using an External ID, for security purposes, Segment recommends you to use your Segment Workspace ID as your External ID. If you use an External ID different from your Workspace ID, you’re susceptible to attacks. You can find your Workspace ID by going to: Settings > Workspace Settings > ID in the Segment dashboard.`
	`697`	`+> If you're using an External ID, for security purposes, Segment recommends you to use your Segment Workspace ID as your External ID. If you use an External ID different from your Workspace ID, please change it to make your account more secure. You can find your Workspace ID by going to: Settings > Workspace Settings > ID in the Segment dashboard.`
`698`	`698`
`699`	`699`	```json
`700`	`700`	`{`
`@@ -716,10 +716,10 @@ To create an IAM role:`
`716`	`716`	`}`
`717`	`717`	```
`718`	`718`
`719`		-If you have multiple Source's using this Role, replace the `sts:ExternalId` setting above with
	`719`	+If you have multiple Sources using this Role, or require the use of multiple externalIds, replace the `sts:ExternalId` setting above with:
`720`	`720`
`721`		-```json
`722`		`- "sts:ExternalId": ["YOUR_SEGMENT_SOURCE_ID", "ANOTHER_SOURCE_ID", "A_THIRD_SOURCE_ID"]`
	`721`	+```
	`722`	`+ "sts:ExternalId": ["YOUR_SEGMENT_SOURCE_ID", "ANOTHER_SOURCE_ID", "AN_EXTERNAL_ID", "ANOTHER_EXTERNAL_ID"]`
`723`	`723`	```
`724`	`724`
`725`	`725`	`### Build a Lambda Function to Process Segment Events`