For the NiFi setup, there will be 2 AWS accounts:

• Haptik (Account A)
• Client (Account B)

Perform the below steps in Client’s account:

1. Create a new s3 bucket or use the existing bucket in that account.
2. Now, create a new IAM role and add Permissions and Trust Policy to this role. These additions will help the Haptik user in getting validated while trying to act on the client's bucket. Upon validation, this user will have all those permissions which we have configured for our IAM role.
3. Now, copy the ARN created for our newly created IAM role. Example: arn:aws:iam::858894013917:role/s3-full-access-role
4. Also, copy the s3 bucket ARN. Example: arn:aws:s3:::pulkitbucket18. Haptik account will now map this Bucket ARN in their policy.
5. Map this Role ARN in the Haptik account with the user which is whitelisted above in the Client's account.
6. Note down the AWS Access Key, and AWS Secret Key from the Haptik account and keep handy.
7. Login to NiFi and open the PUT S3 processor and perform the following:
   1. Configure the Access Key and the Secret Key of Haptik.
   2. Configure Bucket name and Region of Client.
   3. Configure Assume Role ARN as <IAM role created in Client’s account>. Example: Assume Role ARN = arn:aws:iam::858894013917:role/s3-full-access-role
   4. Configure Assume Role Session Name as <role name>. Example: Assume Role Session Name => s3-full-access-role

Viola! We have configured Haptik account’s access key and secret key in NiFi so that our AWS user is able to log in first and then, it will take action like PUT s3 on the Client’s account based on Assume Role ARN configured in NiFi processor. As our Haptik account user is already whitelisted in the Client’s account, this action will be allowed and it will begin to work.