
LCA as AWS Lambda: Identity and Access Management

You can implement an LCA as an AWS Lambda function. This page describes the AWS Identity and Access Management (IAM) setup that lets Reltio invoke that function.

To invoke Lambda functions hosted in your AWS account, Reltio uses IAM role-based access.

Reltio recommends the self-service setup in Reltio Console to create the tenant-specific Reltio IAM role, register your AWS IAM role, and validate the trust relationship.

Access with IAM Role

Use the self-service setup in Reltio Console to register your AWS IAM role details and request creation of the tenant-specific Reltio IAM role required for AWS Lambda access.

To get started, open Lifecycle Actions in Reltio Console and complete the AWS connection setup. For more information see Set up AWS Lambda connections for LCAs.

For security reasons, we recommend you use IAM roles (with temporary security credentials) instead of sharing standard long-term AWS credentials (an access key and secret key). For configuration details, see the AWS IAM roles documentation.

Trust policy and permissions required for IAM role

The IAM role in your AWS account must include the following policies:

  • A trust policy that allows Reltio to assume the role
  • A permissions policy that allows the role to invoke Lambda functions

Trust policy examples

Use one of the following trust policies, depending on whether you are using an external ID for enhanced security.


// Example without external ID
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/reltio.client.lca.[env].[tenant_id]"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

// Example with external ID
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/reltio.client.lca.[env].[tenant_id]"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}

Replace [env], [tenant_id], and YOUR_EXTERNAL_ID with values specific to your environment.

Permissions policy example

Attach the following permissions policy to the IAM role to allow the role to invoke Lambda functions.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction",
        "lambda:InvokeAsync"
      ],
      "Resource": "arn:aws:lambda:*:YOUR_ACCOUNT_ID:function:*"
    }
  ]
}

Replace YOUR_ACCOUNT_ID with your 12-digit AWS account ID. The example grants invoke permission on every function in the account; you can narrow the Resource element to the specific function ARNs that implement your LCAs if preferred.
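As an added example, not part of the Reltio documentation or product, the following Python checks a trust policy and a permissions policy of the shape shown above before you attach them: it confirms the Principal is the tenant-specific Reltio role rather than a wildcard or an unreplaced placeholder, that an sts:ExternalId condition is present and uses only the characters AWS allows (the regex given in the Secure access section below), and that the invoke grant is not left at `function:*`. The sample policy, the role name `reltio.client.lca.dev.tenant01` and the function names are constructed for the example.

```python
import json
import re
import secrets

# Character set AWS allows for sts:ExternalId (the regex quoted in the text), ASCII only.
EXTERNAL_ID_RE = re.compile(r"[\w+=,.@:/-]*", re.ASCII)
# Shape of the tenant-specific Reltio role that appears as Principal in the trust policy.
RELTIO_ROLE_RE = re.compile(r"arn:aws:iam::\d{12}:role/reltio\.client\.lca\.[^/\[\]]+")

# Constructed sample: the page's trust policy, External ID still left as the placeholder.
SAMPLE_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/reltio.client.lca.dev.tenant01"},
    "Action": "sts:AssumeRole", "Condition": {"StringEquals": {"sts:ExternalId": "YOUR_EXTERNAL_ID"}}}]})

def new_external_id() -> str:
    """Random External ID; token_urlsafe emits only [A-Za-z0-9_-], a subset of the allowed set."""
    return secrets.token_urlsafe(24)

def check_trust_policy(doc: str) -> list:
    """Findings for a role trust policy; an empty list means the statement is scoped as expected."""
    findings = []
    for stmt in json.loads(doc).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principal = stmt.get("Principal", {})
        principal = principal.get("AWS", "") if isinstance(principal, dict) else principal
        for p in (principal if isinstance(principal, list) else [principal]):
            if not RELTIO_ROLE_RE.fullmatch(p):  # "*", a bare account, or unreplaced [env]/[tenant_id]
                findings.append("principal not scoped to the Reltio LCA role: " + p)
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition on the AssumeRole statement")
        elif ext in ("", "YOUR_EXTERNAL_ID") or not EXTERNAL_ID_RE.fullmatch(ext):
            findings.append("External ID is a placeholder or has invalid characters: " + repr(ext))
    return findings

def check_permissions_policy(doc: str) -> list:
    """Flag lambda:Invoke* grants whose Resource still covers every function in the account."""
    findings = []
    for stmt in json.loads(doc).get("Statement", []):
        actions = stmt.get("Action", [])
        if not any(a.startswith("lambda:Invoke") for a in (actions if isinstance(actions, list) else [actions])):
            continue
        resources = stmt.get("Resource", [])
        for r in (resources if isinstance(resources, list) else [resources]):
            if r == "*" or r.endswith(":function:*"):
                findings.append("invoke permission covers every function: " + r)
    return findings
```

Run `check_trust_policy` on your own trust policy document after substituting the real role name and External ID; an empty list from both checks is the expected result before the role goes live.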

Use External ID in AssumeRole requests

The Reltio Platform secures interaction with AWS Lambda functions using access keys or IAM role-based access, optionally combined with an External ID for enhanced security.

  • External ID: A security feature for cross-account role assumption to prevent unauthorized access. For detailed guidance, see the AWS documentation on External IDs.
  • AWS Lambda Access: The execution of Lambda functions within an AWS account using Access Keys or IAM Roles, potentially enhanced by an External ID.

Secure access

Administrators set up access to AWS resources in two primary ways:

  • Using AWS AccessKey and SecretKey, administrators can directly invoke Lambda functions.

  • IAM Role-Based Access uses an IAM role from your AWS account. The role can require an External ID for additional security; the External ID should be a unique identifier such as a UUID and must match the regular expression [\w+=,.@:/-]*.

To establish secure access, create an IAM role within the AWS account with necessary permissions for Lambda and S3 access, including an External ID if needed. Ensure the role grants the appropriate permissions and establish a trust relationship with the Reltio AWS account.

Note: Generate and use unique External IDs for each role to maintain secure access controls. Make the External ID visible but non-editable to prevent unauthorized changes.