Offloading analytics data to S3

Configure analytics to offload data to AWS S3 storage.

Before you begin

To configure the analytics data offload, you must be assigned the following permissions in the provider organization:

  • api-analytics:view
  • api-analytics:manage

Procedure

  1. Create an AWS S3 bucket to store your data:
    1. Sign in to the Amazon Web Services S3 page.

      If you don't have an AWS account, you can create it now by clicking Complete Sign Up in the page banner.

    2. Create an S3 bucket.

      Create an S3 bucket in the same region as your API Connect instance (for example, for us-east, use the us-east-1 region). Provide a name for the bucket, and select the default storage options. Your Analytics data will be offloaded to this bucket.

      For information on creating and using AWS S3 storage, see the Amazon S3 User Guide.

  2. Create an IAM policy to control access to your new S3 bucket.
    1. Navigate to the AWS Identity and Access Management page.
    2. In the IAM navigation list, click Policies.
    3. On the Policies page, click Create policy.
    4. Select the JSON tab.
    5. Paste the following JSON code to define the access policy.
      Attention: In the code, replace <BUCKET_NAME> with the name of your new S3 bucket, making sure not to delete or overwrite the * that follows the bucket's name.
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:ListBucket",
                      "s3:GetBucketLocation",
                      "s3:DeleteObject",
                      "s3:PutObject",
                      "s3:GetObject",
                      "s3:AbortMultipartUpload",
                      "s3:ListMultipartUploadParts",
                      "s3:ListBucketMultipartUploads"
                  ],
                  "Resource": "arn:aws:s3:::<BUCKET_NAME>*"
              }
          ]
      }

      For information on creating an access policy, see the AWS Identity and Access Management User Guide.

    6. Optional: Click Next: Tags and create tags to identify the policy.
    7. Click Next: Review.
  3. Create an IAM role (the new access policy will be attached to this role).
    1. In the IAM navigation list, click Roles.
    2. On the Roles page, click Create role.
    3. In the "Select Trusted Entity" section, select AWS account as the trusted entity type.
    4. Then, for "An AWS account" select Another AWS account and provide the following information about the account:
      • Account ID: Enter 623947394061 as the ID for API Connect Enterprise as a Service.
      • Options: Select Require external ID
      • External ID: Provide an identifier for the API Connect Enterprise as a Service account; for example, ibm-apiconnect-offload. The ID must be unique within your AWS account.
    5. Click Next.
    6. In the "Add permissions" section, select the IAM policy that you created in step 2, and click Next.
    7. Provide a Name and Description for the new role.
    8. Click Create.
    9. When the confirmation page displays, note down the following values for use in configuring data offload to the new S3 bucket:
      • Role ARN (Amazon Resource Name)
      • External ID
      • S3 bucket name
  4. Configure Analytics data offloading in API Connect Enterprise as a Service:
    1. Open your API Connect service instance.
    2. Click Analytics > Offload settings.
    3. Select S3 as your storage type.
    4. Provide the following information about your S3 bucket:
      • Bucket name: Your new S3 bucket name, created in step 1.
      • Region: us-east-1, also specified in step 1.
      • Role ARN: Copied from the IAM role confirmation page in step 3.
      • External ID: The unique identifier that you assigned to the AWS account in step 3.
    5. Click Save.

    Configuring analytics offload settings takes approximately 15 minutes to finish; the "Offload configured" message displays when the configuration is complete.
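
The following is an added example, not part of the original page or of IBM or AWS tooling: a Python check for the role's trust policy from step 3 (expected account ID and external ID condition) and for the resources covered by the access policy from step 2. The bucket name, the sample policy documents and all function names are constructed for illustration; the account ID and the example external ID are the ones given in step 3.

```python
import re

IBM_ACCOUNT_ID = "623947394061"  # account ID from step 3 of this page

def as_list(value):  # IAM accepts a single value or a list in most fields
    return value if isinstance(value, list) else [value]

def audit_trust_policy(trust, external_id):
    """Return findings for the role's trust policy (step 3)."""
    findings = []
    for stmt in as_list(trust["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = as_list(principal.get("AWS", "<none>")) if isinstance(principal, dict) else [principal]
        for p in aws:
            if p not in (IBM_ACCOUNT_ID, f"arn:aws:iam::{IBM_ACCOUNT_ID}:root"):
                findings.append(f"unexpected principal: {p}")
        # Assumes the operator is spelled StringEquals, as the console writes it.
        cond = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if cond.get("sts:externalid") != external_id:
            findings.append("sts:ExternalId condition missing or different")
    return findings

def iam_match(pattern, arn):
    # IAM resource wildcards: * is any run of characters (including /), ? is one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn, re.DOTALL) is not None

def resources_matched(policy, candidate_arns):
    """Return the candidate ARNs covered by the policy's Allow statements (step 2)."""
    patterns = [r for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"
                for r in as_list(s.get("Resource", []))]
    return [a for a in candidate_arns if any(iam_match(p, a) for p in patterns)]

# Constructed sample input: the bucket name and both policy documents are placeholders.
BUCKET, EXTERNAL_ID = "example-apic-analytics", "ibm-apiconnect-offload"
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{IBM_ACCOUNT_ID}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
ACCESS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": f"arn:aws:s3:::{BUCKET}*"}]}
CANDIDATES = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/2024/events.json",
              f"arn:aws:s3:::{BUCKET}-archive/old.json", "arn:aws:s3:::unrelated/x"]

if __name__ == "__main__":
    print(audit_trust_policy(TRUST, EXTERNAL_ID), resources_matched(ACCESS, CANDIDATES))
```

The third candidate is reported as matched because the * follows the bucket name directly, so the policy also covers any bucket in your account whose name starts with the same string; choose a bucket name that is not a prefix of another bucket's name.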