AWS Marketplace

How to access AWS Data Exchange data products without owning an AWS account

When a customer wants to subscribe and get access to a data product listed on AWS Data Exchange, they use their own Amazon Web Services (AWS) account for subscription. They can then use resources in their AWS account, such as AWS artificial intelligence and machine learning (AI/ML) and analytics services or third-party tools, to immediately get started analyzing and deriving value from data.

Occasionally, it may happen that a data subscriber needs to access a data product, but they are temporarily without an AWS account. This can be the case when a team that is part of a company needs to quickly access an AWS Data Exchange data product, but they don’t have a company AWS account available yet.

When publishing their data on AWS Data Exchange, data providers can adopt a configuration that enables data subscribers to subscribe and access data product(s) without requiring data subscribers to own an AWS account.

In this post, we share a solution that can be adopted by data providers to enable specific data subscribers to access their data products without requiring data subscribers to own an AWS account. Data providers can choose which data product(s) the data subscriber will be entitled to access and use.

Prerequisites

A data provider that wants to deploy the solution described in this post must be familiar with AWS Organizations and AWS IAM Identity Center.

If you’re not familiar with these services, you can get more information from the AWS IAM Identity Center documentation and the AWS Organizations documentation.

Solution overview

To enable a data subscriber to access an AWS Data Exchange data product without owning an AWS account, the data provider needs to take care of two key points: authenticating and authorizing the data subscriber and providing an AWS account for the data subscriber.

Regarding authentication, the data provider can use AWS IAM Identity Center to authenticate data subscribers. When using IAM Identity Center, they can choose any identity provider supported by IAM Identity Center.

We’ll provide a guide to use IAM Identity Center as the identity provider. If you’re interested in using other identity providers, you can check AWS Data Exchange workshop, which provides a step-by-step guide, or you can contact us to get more options and details.

Regarding authorization, the data provider will use AWS Organizations to create one AWS account for each data subscriber they want to give access to. The data provider will use AWS Organizations Organizational Units (OUs) as a logical container of AWS accounts that will be used by data subscribers to access AWS Data Exchange data products. Fine-grained permissions will be defined at the OU level using service control policies and will be applied to all AWS accounts contained in the OU.

The overall workflow is composed of seven steps. Figure 1 shows the architecture diagram of the solution overview.

Figure 1. Solution overview


Steps 1–3 are one-time setup steps. These steps are done by the data provider to set up this solution in their AWS account.

Steps 4–7 are to be repeated for each data subscriber that the data provider wants to onboard.

These are the steps to be performed by the data provider:

  • Step 1. Create a governance account. This account will be used to deploy AWS Organizations and IAM Identity Center.
  • Step 2. Configure AWS Organizations in the governance account and create an AWS Organizations OU.
  • Step 3. Configure AWS IAM Identity Center in the governance account.
  • Step 4. Create an AWS account (called DSAccount) that will be dedicated to a specific data subscriber.
  • Step 5. Subscribe DSAccount to the AWS Data Exchange data product(s).
  • Step 6. Configure the data subscriber identity and credentials in their identity provider of choice. For the purposes of this post, we’ll use IAM Identity Center to automatically notify the data subscriber with their credentials and provide the first sign-in option.

The last step has to be performed by the data subscriber:

  • Step 7. Use the credentials provided to authenticate on the IAM Identity Center hosted UI. IAM Identity Center will authenticate the data subscriber against the identity provider configured by the data provider. Once authenticated, the data subscriber will access the data provider’s data products using the DSAccount temporary credentials. The data provider can now track the data subscriber’s costs and usage by checking the DSAccount billing.

Solution walkthrough: How to access AWS Data Exchange data products without owning an AWS account

Step 1. Create an AWS Account (Governance account)

If you don’t have an AWS Account already, you can create an AWS account.

Step 2. Set up AWS Organizations in the governance account

  1. Sign in to your AWS account and open the AWS Organizations console.
  2. In the introduction page, choose Create an organization.
  3. In the confirmation dialog box, choose Create an organization.
  4. Verify your email address within 24 hours.

If you need further help, check “Create your organization” documentation page.

Create an OU
  1. Go to AWS accounts on the AWS Organizations console.
  2. Select Root.
  3. Select Actions, and under Organizational Unit choose Create new.
  4. In the Organizational unit name field enter the OU name. You can use “External Subscribers” as the OU name.
  5. Select Create organizational unit.

Step 3. Configure AWS IAM Identity Center in the governance account

  1. Go to IAM Identity Center.
  2. Select the AWS Region where you want to enable IAM Identity Center. For this post, you can select the US East (N. Virginia) Region.
  3. Choose Enable IAM Identity Center, then choose Enable.

Data subscriber onboarding

The data provider has to complete the following steps for each data subscriber that they want to onboard in this solution.

Step 4. Create an AWS account for the data subscriber (DSAccount).

With this step, the data provider will create the AWS account (called “DSAccount”) that the data subscriber will use to access the data provider’s data product(s) on AWS Data Exchange.

  1. Go to the AWS Organizations console and select Add an AWS account.
  2. In the AWS account name field, enter the data subscriber name, such as “Subscriber-1”.
  3. In the Email address of the account’s owner field, enter the email address of the AWS account owner. This should be an email address belonging to the data provider, not the subscriber.
  4. In the IAM role name field, enter a name for the IAM role, such as “OrganizationAccountAccessRole.”
  5. Select Create AWS account.

Once the account creation is completed:

  1. Go to the AWS Organizations console.
  2. Select the AWS account you just created.
  3. Select Actions, then select Move, and then select the “External Subscribers” OU previously created. Then choose Move AWS account.

Step 5. Data provider subscribes DSAccount to AWS Data Exchange data product

The data provider can now use the AWS account just created (DSAccount) to subscribe to AWS Data Exchange products.

Follow the instructions at the Subscribe to and access a product documentation page for a step-by-step guide on how to subscribe to an AWS Data Exchange data product.

For the purposes of this post, we’ll consider that the data product is delivered using AWS Data Exchange for Amazon S3.

See the AWS Data Exchange documentation for a step-by-step tutorial that explains how to subscribe and get access to a data product delivered using AWS Data Exchange for Amazon S3.

Step 6. Data provider configures data subscriber identity and credentials in IAM Identity Center

  1. Go to AWS IAM Identity Center, then select the Users menu and choose Add user.
  2. In the Username field, enter the user name of your choice. You can use “adx-subscriber1.”
  3. Enable the Send an email to this user with password setup instructions radio button.
  4. In the Email address and Confirm email address fields, enter the data subscriber email address.
  5. In the First name, Last name, and Display name fields, enter the data subscriber’s first, last, and display names.
  6. Choose Next.

On the next page, you have the option to add the IAM Identity Center user to a group. There are different possible approaches to managing users and groups. For example, it’s possible to:

  • Create one group for each data subscriber that will access your data product(s). This is useful when you have more than one user for each data subscriber company.
  • Create one group for each data product you are offering if you need to provide different permissions for each data product but the same permissions to all users accessing the same data product.
  • Create different groups for different users or products if you need to provide tailored user experiences depending on user and product.

For this post, we’ll create one group for this data subscriber, and initially it will contain only one user.

  1. Choose Create group. This will open a second browser window or tab.
  2. In the Group name field, enter the group name. You can use “Data-subscriber-1-IAM-group.”
  3. Choose Create group. You’ll see a message confirming that the group was successfully created. You can now close this second browser window or tab.
  4. On the Add user to groups – optional page, choose Next.
  5. On the Review and add user page, in the Step 2: Add user to groups – optional section, choose Edit.
  6. Select the group you just created, named “Data-subscriber-1-IAM-group,” and choose Next.
  7. Choose Add user.

Assign IAM Identity Center user to AWS account DSAccount

Now that we have created an AWS IAM Identity Center user for the data subscriber, we need to associate this user with the AWS account (DSAccount) and with an IAM Identity Center permission set.

The AWS account (DSAccount) will later be used by the data subscriber to access the data product(s) on AWS Data Exchange.

The IAM Identity Center permission set defines the permissions granted to the data subscriber when using DSAccount. We’ll create a permission set granting only permissions to list and get objects from the S3 bucket containing the data provider’s data.

  1. Go to AWS IAM Identity Center, then select AWS accounts and select the AWS account DSAccount.
  2. Choose Assign users or groups. Select the Groups tab and select the Data-subscriber-1-IAM-group group that you created. Choose Next.
  3. Select the permission set to be assigned to the data subscriber. For the purposes of this post, you can create a new permission set using the policy shown in point 4 of this guide: Setting up and querying AWS Data Exchange for Amazon S3 (Test Product).
  4. Choose Next. On the following page, choose Submit.
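The OU-level service control policy from the solution overview and the read-only permission set assigned here combine: a request from DSAccount succeeds only when both allow it. The following Python is an added example, not code from this post or from AWS, that models that intersection with a simplified IAM evaluation (explicit Deny wins, then Allow, else implicit deny); the two policy documents and the bucket ARN are constructed placeholders, not the policy from the linked guide.

```python
import fnmatch

# Constructed example policies (placeholders, not the policy from the linked AWS guide).
# The SCP is attached to the "External Subscribers" OU and applies to every account in it;
# the permission set is assigned to the subscriber group in DSAccount.
DATA_BUCKET = "arn:aws:s3:::EXAMPLE-provider-bucket"  # placeholder ARN

SCP_EXTERNAL_SUBSCRIBERS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        # Explicit guardrail: even an over-broad permission set cannot grant these.
        {"Effect": "Deny", "Action": ["ec2:*", "iam:*"], "Resource": "*"},
    ],
}

PERMISSION_SET_READ_DATA = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [DATA_BUCKET, DATA_BUCKET + "/*"]},
    ],
}

def _matches(patterns, target):
    # IAM wildcards (* and ?) map onto fnmatch; the comparison is case-sensitive here.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(target, p) for p in patterns)

def evaluate(policy, action, resource):
    """Simplified IAM logic: an explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"

def effective(action, resource, scp=SCP_EXTERNAL_SUBSCRIBERS, permission_set=PERMISSION_SET_READ_DATA):
    """A request from DSAccount succeeds only if both the OU SCP and the permission set allow it."""
    return evaluate(scp, action, resource) == "allow" and evaluate(permission_set, action, resource) == "allow"

if __name__ == "__main__":
    for action, resource in [("s3:GetObject", DATA_BUCKET + "/2024/prices.csv"),
                             ("s3:PutObject", DATA_BUCKET + "/2024/prices.csv"),
                             ("s3:GetObject", "arn:aws:s3:::some-other-bucket/x"),
                             ("ec2:RunInstances", "*")]:
        print(f"{action:18} {resource:45} -> {'ALLOW' if effective(action, resource) else 'DENY'}")
```

The third case shows why the permission set, not only the SCP, must be scoped to the provider's bucket: the SCP alone would let the subscriber read any bucket the account could otherwise reach.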

Step 7. Data subscriber accesses the data product through AWS IAM Identity Center

The data subscriber will receive an email from AWS IAM Identity Center as a result of the actions run in “Step 4. Create an AWS account for the data subscriber (DSAccount)”.

The data subscriber will follow the instructions provided in this email to complete the first sign-in and access the AWS account “DSAccount.”

Using this account, the data subscriber can get access to AWS Data Exchange data and download data locally. For the purposes of this post, the data subscriber can review the instructions in Setting up and querying AWS Data Exchange for Amazon S3 (Test Product). They can follow the section, “To allow querying on the AWS Data Exchange for Amazon S3 (Test Product) data access data set using the AWS CLI,” steps 1–3.

Clean-up

Follow the steps below if you, as a data provider, want to remove the resources created in this post:

Follow this guide to delete the “External Subscribers” Organizational Unit

Follow this guide to close AWS Account “DSAccount”

Follow this guide to close AWS Account “Governance”, which is the AWS Organizations management account. This action will also delete the instance of AWS Organizations.

Conclusion

In this post, we showed how data providers can enable data subscribers to access their data products on AWS Data Exchange without requiring data subscribers to own an AWS account.

If you want more details about this solution, or you want to know how to configure it with a different identity provider, check the AWS Data Exchange workshop.

If you want to quickly get started selling data through AWS Data Exchange, check Get started as a provider. If you want to subscribe to data products using your own AWS account, check Subscribing to data products on AWS Data Exchange.

About the authors


Diego Colombatto

Diego Colombatto is a principal partner solutions architect at AWS. He brings more than 15 years of experience in designing and delivering digital transformation projects for enterprises. At AWS, Diego works with partners and customers advising how to use AWS technologies to translate business needs into solutions. IT architectures, algorithmic trading, and cooking are some of his passions, and he’s always open to start a conversation on these topics.

Andrea Paganini

Andrea Paganini is an AWS Solutions Architect based in Italy. His focus is on Data and Analytics, and he has extensive experience in Observability and Performance management.

He’s an enthusiastic photographer and a sports addict, and in his spare time you can find him in ultra trail running races.

Luigi Seregni

Luigi Seregni is a customer delivery architect for Amazon Web Services. He works in the Global Financial Services team with the aim to guide the customers through their cloud transformation journey, focused on identifying and delivering technical and business outcomes through a combination of AWS Services and AWS Professional Services. Luigi has 10+ years of experience in multiple industries including banking and insurance, automotive, and media and entertainment.