LiveRamp Identity in the ADX Marketplace
LiveRamp’s Identity in the ADX Marketplace allows you to access the following solutions:
Identity resolution: Resolve online identifiers (cookies, mobile device IDs, and CTV IDs) and offline identifiers (personally-identifiable information, such as names, addresses, phones, and emails) to RampIDs, LiveRamp’s persistent pseudonymous identifier for persons and households. Identity resolution allows you to have a more holistic view of your data at an individual or household level. A common use case for identity resolution includes resolution of device-based exposure logs from DSPs into RampIDs, driving more accurate insights and analytics. You can also input an individual-based RampID and get back any household-based RampID that might be associated with that individual.
Identity Translation: Translate RampIDs from one partner encoding to RampIDs in another partner encoding. Translation allows you to connect your LiveRamp identities with partner datasets to solve problems of interest, enabling more accurate analytics and data collaboration at a person or household based view.
You can access LiveRamp Identity within the AWS ADX Marketplace, meaning identity resolution and translation can be performed within AWS.
Workflow Diagram
See the diagram below for a representation of the identity workflow in AWS.
Enable LiveRamp Identity in ADX
Before you can perform identity resolution or translation in ADX, the following steps must be completed:
Note
To contract with LiveRamp directly (outside of the ADX Marketplace), contact your LiveRamp representative.
You subscribe to LiveRamp Identity Resolution via the ADX Marketplace.
You execute a contract with LiveRamp via the ADX Marketplace listing, which includes the granting of the needed authorization and credentials.
You perform RampID Attestation to attest you will follow appropriate usage of RampIDs and/or the LiveRamp Data Ethics team performs a review.
You provide LiveRamp with your AWS cloud region (for example, “US-East-1”) prior to the contract execution.
Note
The ADX offer will be made and accepted in US-East-2 and API calls will be made from US-East-2.
The region you provide for your contract is where your buckets need to be. As long as your buckets are in US-East-1, your job (compute at LiveRamp's end for your job) will run in US-East-1 and will not incur cross-region data transfer costs. For bucket regions other than US-East-1 and US-West-2, you need
cross region
to be true in your incoming request and it will run in US-East-1.
You provide LiveRamp with access to your AWS S3 buckets (see the section below for more information).
Once these steps have been performed, see the appropriate article below for information on performing the desired process:
Provide Access to LiveRamp
Data files for processing must reside in a S3 bucket to be picked up by the Identity service. LiveRamp must be given IAM User access to the S3 bucket via the bucket policy provided below.
The process uses two S3 bucket locations, one for input files and one for output files. LiveRamp recommends that the s3 buckets utilized should be used exclusively for LiveRamp processing and host no other data outside of the files necessary for processing. Enabling AWS default encryption policy SSE-S3 is recommended for both locations (for more information, see this AWS article).
Note
While you can use one set of S3 buckets for more than one LiveRamp identity processes (for example, if you’ll be performing both identity resolution and translation), you might prefer to have different sets for each process type.
We also recommend that access granted to LiveRamp follow the principles of least privilege, meaning that you provide LiveRamp the minimal access required to process your data.
Input Bucket Permissions
The s3 permissions needed for the input bucket for LiveRamp processing are:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "LiveRampInputS3Acl", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::715724997226:user/adx-customer-s3-user-prod" }, "Action": [ "s3:GetObject", "s3:GetBucketAcl", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::<input-bucket-name>", "arn:aws:s3:::<input-bucket-name>/*" ] } ] }
Output Bucket Permissions
The s3 permissions needed for the output bucket for LiveRamp processing are:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "LiveRampOutputS3Acl", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::715724997226:user/adx-customer-s3-user-prod" }, "Action": [ "s3:PutObject", "s3:GetObject", "s3:GetBucketAcl", "s3:DeleteObjectVersion", "s3:ListBucket", "s3:DeleteObject", "s3:GetBucketLocation", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::<output-bucket-name>", "arn:aws:s3:::<output-bucket-name>/*" ] } ] }
Use KMS Encryption
If you plan to use KMS encryption on the input and output buckets, update your policy to allow our IAM user access to the key. Configuration can be completed through the following:
{ "Sid": "Allow use of the key", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::574365156811:role/Admin", "arn:aws:iam::715724997226:root" ] }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" }