
Manage storage access

To manage storage access in Guidewire Home:

  1. Select a star system.

  2. From Apps, select Storage Access or select it from your pinned apps.

Here, you can configure, delete, edit, and see the details of all the existing access points for your star system.

Note:

Access to this application is managed by Guidewire Hub. For details, see Access Cloud Platform apps and services.

View access points

In Storage access, you can view all the access points created for InsuranceSuite or for Cloud Data Access (CDA). For each application, you can view its bucket name and a list of created access points. For each access point, you can view the following details:

  • Type of an access point

    You can configure an access point with IAM user, IAM role, or bucket policy type. For details, see Access types.

  • Status of an access key for an IAM user

    10 days before an access key expires, the Storage Access app displays a notification with the number of days left. To check the exact number of days before an access key expires, select View details.

    An access key is valid for 350 days.

  • Amazon Resource Name (ARN)

    Unique ID that identifies resources like buckets and IAM roles.

    In the Storage Access app, use it to assign an existing role to an access point.

View details

To view details of an access point, select View details. For each access point, you can check the following details:

  • Access point name

  • Account details

    View AWS account ID.

  • Access point details

    View access type and assigned permissions.

  • Access key details

    For IAM users, you can manage access keys and check the creation date and status of each access key.

Configure an access point

You can configure an access point to InsuranceSuite or to Cloud Data Access (CDA) with one of the following types: IAM user, IAM role, or bucket policy.

For details, see Access types.

Configure IAM user

To configure an access point with the IAM user type:

  1. Select + Configure access.

    You can configure an access point to InsuranceSuite or to Cloud Data Access (CDA).

  2. In Use own AWS account, select No.

    The access point will be configured with the Guidewire account.

  3. In IAM user details, provide a description and contact e-mail for the user.

  4. (Optional) In Security, add IP ranges and VPC endpoints.

    Select to allow users to connect only from a specific IP range or VPC endpoint.

    The IP addresses and ranges must be in the CIDR format.

    By selecting IP ranges or VPC endpoints, you add the Condition section to the AWS permission statement. For details, see Security configuration.

    Note that security settings are shared between IAM user and internal IAM role access points. This means that when you configure IP ranges and VPC endpoints for an IAM user, the same settings will automatically apply to an internal IAM role.

Note:

For IAM users created with the Guidewire account, permissions are already set and can't be changed.

Configure IAM role

To configure an access point with the IAM role type:

  1. Select + Configure access.

    You can configure an access point to InsuranceSuite applications.

  2. In Use own AWS account, select Yes.

  3. In Create IAM role?, select Yes.

    Provide the AWS account ID.

    Provide an external ID to indicate who can assume the role and to prevent the confused deputy problem. You can add more than one external ID.

  4. From Role details, select one of the following roles:

    Internal, which has inbound and outbound permissions assigned. Users can access integration folders and FileSystem. Recommended for internal teams in your organization.

    External, which is recommended for external vendors and third-party integrations. To create it, you need to provide an integration name.

  5. For the External role, select permissions and provide Integration name.

    You can limit the number of actions that a user can do. For details, see external role permissions.

    Note:

    For the internal IAM role, permissions are already set and can't be changed.

  6. (Optional) In Security, add IP ranges and VPC endpoints.

    Select to allow users to connect only from a specific IP range or VPC endpoint.

    The IP addresses and ranges must be in the CIDR format.

    By selecting IP ranges or VPC endpoints, you add the Condition section to the AWS permission statement. For details, see Security configuration.

    Note that security settings are shared between IAM user and internal IAM role access points. This means that when you configure IP ranges and VPC endpoints for an internal IAM role, the same settings will automatically apply to an IAM user.

Important:

In your AWS account, configure the IAM role with the required permissions to access Guidewire resources. For details, see IAM role statement.
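The external ID entered in step 3 only protects against the confused deputy problem if the trust policy actually checks it. The following added example (not the role or policy that the Storage Access app generates; account IDs, external IDs and the function names are constructed placeholders) builds a trust policy that accepts any one of several external IDs, and evaluates a few assume-role attempts against it, showing that a caller from the trusted account is still refused without the matching ID.

```python
import secrets

# Added illustration of the external-ID check the page describes; not the role
# or policy the Storage Access app generates. Account IDs and external IDs
# below are constructed placeholders.

TRUSTED_ACCOUNT = "111111111111"  # constructed: the AWS account ID entered in step 3


def new_external_id(nbytes=24):
    """External IDs are shared secrets between the two accounts: make them
    unguessable rather than something like the partner's company name."""
    return secrets.token_urlsafe(nbytes)


def build_trust_policy(trusted_account_id, external_ids):
    """Trust policy letting principals in trusted_account_id assume the role,
    but only when they present one of the listed external IDs. A list under
    StringEquals means 'any of these', which is how more than one external ID
    (as the page allows) is expressed."""
    if not (trusted_account_id.isdigit() and len(trusted_account_id) == 12):
        raise ValueError("AWS account ID must be 12 digits")
    ids = list(dict.fromkeys(external_ids))  # de-duplicate, keep order
    if not ids or any(not i for i in ids):
        raise ValueError("at least one non-empty external ID is required")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": ids}},
            }
        ],
    }


def assume_role_allowed(trust_policy, caller_account_id, presented_external_id):
    """Toy evaluation of the trust policy above (real IAM evaluation is broader):
    the caller must come from the trusted account AND present a listed external
    ID. A deputy only presents the ID registered for the party it is acting for,
    so a request made on someone else's behalf fails this condition."""
    for stmt in trust_policy["Statement"]:
        principal = stmt["Principal"]["AWS"]
        allowed_ids = stmt["Condition"]["StringEquals"]["sts:ExternalId"]
        if principal == f"arn:aws:iam::{caller_account_id}:root" and presented_external_id in allowed_ids:
            return True
    return False


if __name__ == "__main__":
    policy = build_trust_policy(TRUSTED_ACCOUNT, [new_external_id(), new_external_id()])
    print(policy)
```

`assume_role_allowed` is deliberately minimal: it checks only the principal and the `sts:ExternalId` condition so that the effect of the external ID is visible in isolation.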

Configure bucket policy

To configure an access point:

  1. Select + Configure access.

    You can configure an access point to InsuranceSuite or to Cloud Data Access (CDA).

  2. In Use own AWS account, select Yes.

    Provide the internal AWS account ID.

  3. In Create IAM role?, select No.

  4. In Role details, provide an ARN to identify your IAM user or IAM role.

    Note:

    For bucket policies, permissions are already set and can't be changed.

  5. (Optional) In Security, add IP ranges and VPC endpoints.

    Select to allow users to connect only from a specific IP range or VPC endpoint.

    The IP addresses and ranges must be in the CIDR format.

    By selecting IP ranges or VPC endpoints, you add the Condition section to the AWS permission statement. For details, see Security configuration.
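The Security step is the same for the IAM user, IAM role and bucket policy types: the selected IP ranges and VPC endpoints become a Condition section of the permission statement. The following added example (not the Storage Access app's own code; the bucket name is a placeholder and the condition keys `aws:SourceIp` and `aws:SourceVpce` are the standard AWS global condition keys, assumed here to be what the app uses) validates CIDR input the way an operator would want before it reaches a policy, and shows the resulting Condition block attached to a sample statement.

```python
import ipaddress
import json

# Added illustration, not the Storage Access app's code. It builds the
# "Condition" block the page says is added to the permission statement when
# IP ranges or VPC endpoints are selected. The condition keys aws:SourceIp and
# aws:SourceVpce are the standard AWS global keys; the exact statement the app
# generates is documented under "Security configuration", not here.


def validate_cidrs(ip_ranges):
    """Return normalised CIDR strings, rejecting input that would silently
    widen or void the restriction."""
    cidrs = []
    for raw in ip_ranges:
        if "/" not in raw:
            raise ValueError(f"{raw!r}: IP ranges must be in CIDR format, e.g. 203.0.113.0/24")
        # strict=True refuses host bits set (203.0.113.5/24), which usually means a typo
        try:
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError as exc:
            raise ValueError(f"{raw!r}: {exc}") from exc
        if net.prefixlen == 0:
            raise ValueError(f"{raw!r}: a /0 range allows every address and defeats the restriction")
        cidrs.append(str(net))
    return cidrs


def validate_vpc_endpoints(vpc_endpoints):
    """VPC endpoint IDs look like vpce-<hex>; anything else is rejected."""
    ids = []
    for raw in vpc_endpoints:
        if not raw.startswith("vpce-") or len(raw) <= len("vpce-"):
            raise ValueError(f"{raw!r}: VPC endpoint IDs start with 'vpce-'")
        ids.append(raw)
    return ids


def build_condition(ip_ranges=(), vpc_endpoints=()):
    """Condition block restricting a statement to the given sources.
    Two keys inside one Condition must BOTH match (AND); the page does not say
    how the app combines IP ranges with VPC endpoints, so inspect the generated
    statement before relying on it."""
    condition = {}
    cidrs = validate_cidrs(ip_ranges)
    if cidrs:
        condition["IpAddress"] = {"aws:SourceIp": cidrs}
    vpces = validate_vpc_endpoints(vpc_endpoints)
    if vpces:
        condition["StringEquals"] = {"aws:SourceVpce": vpces}
    return condition


def attach_condition(statement, ip_ranges=(), vpc_endpoints=()):
    """Return a copy of an IAM statement with the Condition block added."""
    restricted = dict(statement)
    condition = build_condition(ip_ranges, vpc_endpoints)
    if condition:
        restricted["Condition"] = condition
    return restricted


# Constructed sample statement; EXAMPLE-BUCKET is a placeholder, not a real bucket.
SAMPLE_STATEMENT = {
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/integration/*",
}

if __name__ == "__main__":
    stmt = attach_condition(SAMPLE_STATEMENT, ["203.0.113.0/24"], ["vpce-0123456789abcdef0"])
    print(json.dumps(stmt, indent=2))
```

Rejecting `0.0.0.0/0` and ranges with host bits set is the check worth keeping: both pass a naive "contains a slash" test, and both leave the access point far more open than the operator intended.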

Important:

In your AWS account, configure the IAM role with the required permissions to access Guidewire resources. For details, see IAM role for bucket policy.

Manage access keys

You can create and delete access keys for IAM users. For details, see Access keys.

Add an access key

To add an access key:

  1. In the table, find the IAM user to which you want to add an access key.

  2. Select View details.

  3. Select + Add key.

    An access key is valid for 350 days.

Warning:

To increase security, generated secrets aren't stored in the Storage Access app. Copy and save the secret access key immediately, because you won't be able to access it again.

Delete an access key

You must have at least one access key for each IAM user. To delete an access key that you no longer need, add a new access key first.

To delete an access key:

  1. In the table, find the IAM user whose access key you want to delete.

  2. Select View details.

  3. Select Delete next to the key that you want to delete.
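The rules above (a key is valid for 350 days, a notification appears 10 days before expiry, and a user must always keep at least one key, so a new key is added before the old one is deleted) are easy to turn into a rotation check run against your own inventory of keys. The following added example is not the app's logic; the users, key IDs and dates are constructed, and the assumption that the warning window starts at exactly 10 days left is ours.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added illustration of the key-lifetime rules the page states; not the app's
# own logic. Users and key IDs below are constructed placeholders, and the
# assumption that the warning starts at exactly 10 days left is ours.

KEY_LIFETIME_DAYS = 350  # page: an access key is valid for 350 days
WARN_DAYS = 10           # page: notification shown 10 days before expiry


@dataclass(frozen=True)
class AccessKey:
    key_id: str
    user: str
    created: date

    def expires(self):
        return self.created + timedelta(days=KEY_LIFETIME_DAYS)

    def days_left(self, today):
        return (self.expires() - today).days


def key_status(key, today):
    left = key.days_left(today)
    if left < 0:
        return "expired"
    if left <= WARN_DAYS:
        return "expiring"
    return "active"


def can_delete(key, keys):
    """Page rule: every IAM user must keep at least one key, so a key may only
    be deleted when the same user already has another one."""
    return any(k.user == key.user and k.key_id != key.key_id for k in keys)


def rotation_plan(keys, today):
    """List (user, key_id, status, days_left, action) for keys that need attention."""
    plan = []
    for key in keys:
        status = key_status(key, today)
        if status == "active":
            continue
        action = "delete" if can_delete(key, keys) else "add new key, then delete"
        plan.append((key.user, key.key_id, status, key.days_left(today), action))
    return plan


# Constructed inventory: alice has already added a replacement key, bob has not.
TODAY = date(2024, 6, 1)
SAMPLE_KEYS = [
    AccessKey("KEY-ALICE-OLD", "alice", TODAY - timedelta(days=345)),
    AccessKey("KEY-ALICE-NEW", "alice", TODAY - timedelta(days=2)),
    AccessKey("KEY-BOB-ONLY", "bob", TODAY - timedelta(days=360)),
    AccessKey("KEY-CAROL", "carol", TODAY - timedelta(days=100)),
]

if __name__ == "__main__":
    for row in rotation_plan(SAMPLE_KEYS, TODAY):
        print(*row)
```

The plan distinguishes the two cases the page's delete procedure implies: a key whose user already has a second key can simply be deleted, while a user's only key must be replaced first, even if it has already expired.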

Edit an access point

To modify settings of an access point, find the access point that you want to edit and select Edit.

Delete an access point

Delete access points that you no longer need. To delete an access point from a bucket:

  1. In the table, find the access point that you want to delete.

  2. Select Delete.

  3. Select Delete again to confirm.

Troubleshooting

Here are the most common issues related to Storage Access:

  • You can't create or delete a bucket policy access point.

    Check if you provided the correct AWS account ID or external ID.

    Check the provided statement for invalid principals and try again. If the error persists, contact Guidewire for support.