Create a RudderStack IAM role for AWS-based destinations

Create a RudderStack IAM role for authenticating AWS-based destinations.

warning

This guide is applicable only for RudderStack Cloud users. As the access keys-based authentication method is deprecated, RudderStack recommends setting up a RudderStack IAM role for authenticating your AWS destinations.

Note that this guide is not applicable for the following users:

This guide contains the steps to create an IAM role for authenticating RudderStack while setting up the following AWS destinations:

Cloud destinations

Warehouse destinations


info
See the RudderStack IAM Role for Redshift guide to create an IAM role for authenticating RudderStack while setting up the Redshift destination.

Create RudderStack IAM role

To set up a new RudderStack IAM role, follow these steps:

  1. Sign in to your AWS Management Console and open the IAM console.
  2. In the left navigation pane, click Roles followed by Create role.
  3. Under Trusted entity type, select AWS account.
  4. Select Another AWS account and, under Account ID, enter 422074288268, the account ID associated with RudderStack.
  5. Under Options, check Require external ID and enter your workspace ID as the External ID.
     warning
     RudderStack currently does not support the MFA setting, which restricts the role to users who sign in using multi-factor authentication (MFA). Hence, do not check the Require MFA option.
  6. Review all settings carefully and click Next to proceed.
  7. Select your destination-specific permission policies applicable for the RudderStack IAM role. To create a new policy from scratch, click Create policy. For more information, refer to the Creating IAM policies guide.
  8. Optional: You can also set a permissions boundary. Expand the Set permissions boundary section, choose Use a permissions boundary to control the maximum role permissions, and select the policy to use for the permissions boundary.
  9. Review all settings carefully and click Next to proceed.
  10. Enter a unique name for your role. Note that role names are not distinguished by case. For example, you cannot create a role named RUDDERSTACK if rudderstack already exists.
     warning
     You cannot edit the name of the role after it has been created.
  11. Optional: Enter the description for this role.
  12. To edit the use case or permissions for the role, click the Edit button next to the Step 1: Select trusted entities or Step 2: Add permissions, respectively.
  13. Optional: You can also add metadata to the role by attaching tags as key-value pairs. For more information, refer to the Tagging IAM resources guide.
  14. Click Create role to complete the setup.
  15. Finally, note the ARN of this newly created role.

This ARN is required while configuring your AWS destination when you enable the Role-based Authentication setting.
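
An added example, not part of the RudderStack guide or RudderStack's own code: the trust policy that the console steps above should produce, with a check that flags a role whose trust policy lacks the external ID, trusts a different principal, or requires MFA. The function names and the WORKSPACE_ID_PLACEHOLDER value are assumptions made for illustration; the account ID is the one given in this guide.

```python
RUDDERSTACK_ACCOUNT_ID = "422074288268"  # account ID stated in this guide
EXPECTED_PRINCIPALS = {RUDDERSTACK_ACCOUNT_ID, f"arn:aws:iam::{RUDDERSTACK_ACCOUNT_ID}:root"}

def build_trust_policy(workspace_id):
    """Trust policy matching the console choices: AWS account + Require external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{RUDDERSTACK_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": workspace_id}},
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, workspace_id):
    """Return findings for a role trust policy; an empty list means it matches the guide."""
    findings = []
    allows = [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement")
    for stmt in allows:
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if not aws:
            findings.append("no AWS principal")
        for p in aws:
            if p not in EXPECTED_PRINCIPALS:
                findings.append(f"unexpected principal: {p}")
        cond = stmt.get("Condition", {})
        external_id = cond.get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append("missing sts:ExternalId condition")
        elif _as_list(external_id) != [workspace_id]:
            findings.append("sts:ExternalId does not match workspace ID")
        # "Require MFA" adds this key; the guide says RudderStack does not support it.
        if any("aws:MultiFactorAuthPresent" in keys for keys in cond.values()):
            findings.append("MFA condition present")
    return findings

# Constructed sample: a role created without "Require external ID" checked.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": RUDDERSTACK_ACCOUNT_ID}, "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for policy in (build_trust_policy("WORKSPACE_ID_PLACEHOLDER"), WEAK_POLICY):
        print(audit_trust_policy(policy, "WORKSPACE_ID_PLACEHOLDER"))
```

To audit an existing role, pass in the trust policy JSON shown on the role's Trust relationships tab in the IAM console.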

Destination-specific policy permissions

Refer to the following sections for the destination-specific policy permissions:

