
LCA as AWS Lambda: Identity and Access Management

You can implement LCA handlers as AWS Lambda functions and use AWS Identity and Access Management (IAM) to control how Reltio invokes them.

To invoke the Lambda functions hosted in a customer AWS account, Reltio can use:

  • AWS credentials (Access Key, Secret Key), not enabled with MFA.
  • IAM roles for delegated access. This is the recommended approach.

Access with AWS Credentials

To use the regular credentials-based access to your LCA Handlers implemented as AWS Lambda Functions, open a Support ticket with this information:

  • Environment name (Dev, Test, Prod, Preview)
  • Tenant name (Reltio Tenant ID)
  • AWS Access Key and AWS Secret Key of the AWS Account where the Lambda Functions are hosted.

Do not enable MFA on the account; otherwise you'll get an error similar to:

An error occurred (InvalidSignatureException) when calling the ListFunctions operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

Access with IAM Role

To use IAM role-based access to your LCA Handlers implemented as AWS Lambda Functions, create an IAM role in your AWS account that Reltio can assume (AssumeRole), with access to the particular AWS services (S3, Lambda).

For security reasons, we recommend you use IAM roles (with temporary security credentials) instead of sharing the AWS standard long-term credentials. For configuration details, see the AWS IAM roles documentation.

Note: This role must have a trust relationship with the Reltio AWS account. Contact your Reltio Customer Success representative to request the Reltio AWS account information.

Use External ID in AssumeRole requests

The Reltio Platform secures interaction with AWS Lambda functions using AccessKeys and IAM Role-Based Access, optionally combined with an External ID for enhanced security.

  • External ID: A security feature for cross-account role assumption to prevent unauthorized access. For detailed guidance, see the AWS documentation on External IDs.
  • AWS Lambda Access: The execution of Lambda functions within an AWS account using Access Keys or IAM Roles, potentially enhanced by an External ID.

Secure access

Administrators set up access to AWS resources in two primary ways:

  • Using AWS AccessKey and SecretKey, administrators can directly invoke Lambda functions.

  • IAM Role-Based Access involves using an IAM role from your AWS account. This can include an External ID for additional security, which should be a unique identifier such as a UUID and match the regular expression pattern (regex) [\w+=,.@:/-]*.

To establish secure access, create an IAM role within the AWS account with necessary permissions for Lambda and S3 access, including an External ID if needed. Ensure the role grants the appropriate permissions and establish a trust relationship with the Reltio AWS account.

Note: Generate and use unique External IDs for each role to maintain secure access controls. Make the External ID visible but non-editable to prevent unauthorized changes.
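
The trust relationship and External ID rules described above, shown as an added example (not Reltio's or AWS's own code): it generates a UUID External ID, checks it against the pattern quoted on this page, builds the role's trust policy, and audits a trust policy for a missing sts:ExternalId condition. The account ID 111122223333 is a placeholder for the Reltio AWS account, the function names are hypothetical, and the 2 to 1224 character length limit is the one the STS AssumeRole API applies to External IDs.

```python
import json
import re
import uuid

# Pattern quoted on this page; re.ASCII keeps \w to [A-Za-z0-9_].
EXTERNAL_ID_RE = re.compile(r"[\w+=,.@:/-]*", re.ASCII)
RELTIO_ACCOUNT_ID = "111122223333"  # placeholder; request the real ID from Reltio


def new_external_id() -> str:
    """Generate a unique External ID (random UUID), one per role."""
    return str(uuid.uuid4())


def valid_external_id(value: str) -> bool:
    """Page's character pattern plus the STS length limit (2-1224)."""
    return 2 <= len(value) <= 1224 and bool(EXTERNAL_ID_RE.fullmatch(value))


def trust_policy(account_id: str, external_id: str) -> dict:
    """Trust policy letting account_id assume the role only with external_id."""
    if not valid_external_id(external_id):
        raise ValueError("External ID violates the allowed pattern or length")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def requires_external_id(policy: dict) -> bool:
    """Audit: every Allow on sts:AssumeRole must pin sts:ExternalId."""
    statements = policy.get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        pinned = stmt.get("Condition", {}).get("StringEquals", {})
        if not any(k.lower() == "sts:externalid" and v for k, v in pinned.items()):
            return False
    return True


if __name__ == "__main__":
    policy = trust_policy(RELTIO_ACCOUNT_ID, new_external_id())
    print(json.dumps(policy, indent=2), requires_external_id(policy))
```

The resulting JSON is what goes into the role's trust relationship; run requires_external_id over existing trust policies to find roles that the trusted account can assume without presenting an External ID.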