
LCA as AWS Lambda: Identity and Access Management

You can implement LCA handlers as AWS Lambda functions. This page describes the identity and access management options for letting the Reltio platform invoke those functions.

To invoke the Lambda functions hosted in a customer AWS account, Reltio can use:

  • AWS credentials (Access Key and Secret Key) of an IAM user for which MFA is not enforced.
  • An IAM role in your account that Reltio assumes for delegated access (recommended).

Access with AWS Credentials

To use credentials-based access to your LCA Handlers implemented as AWS Lambda Functions, open a Support ticket with this information:

  • Environment name (Dev, Test, Prod, Preview)
  • Tenant name (Reltio Tenant ID)
  • AWS Access Key and AWS Secret Key for the AWS Account where the Lambda Functions are hosted.

Do not enable MFA for these credentials. If MFA is enforced, Reltio's calls fail with an error similar to:

  An error occurred (InvalidSignatureException) when calling the ListFunctions operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

Access with IAM Role

To use IAM role-based access to your LCA Handlers implemented as AWS Lambda Functions, create an IAM role in your AWS account that Reltio can assume (via sts:AssumeRole) and that has access to the required AWS services (S3, Lambda).

To get started, you must create a support ticket so that Reltio can create a tenant-specific IAM role in its AWS account. This role is required for establishing a trust relationship between your AWS environment and Reltio.

For security reasons, we recommend you use IAM roles (which yield temporary security credentials) instead of sharing long-term AWS access keys. For configuration details, see the AWS IAM roles documentation.

Note: This role must have a Trusted Relationship with the Reltio AWS account. Contact the Reltio Customer Success representative with a request for Reltio AWS account information.

Trust policy and permissions required for IAM role

The IAM role in your AWS account must include the following policies:

  • A trust policy that allows Reltio to assume the role
  • A permissions policy that allows the role to invoke Lambda functions

Trust policy examples

Use one of the following trust policies, depending on whether you are using an external ID for enhanced security.

Example without external ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::930358522410:role/reltio.client.lca.[env].[tenant_id]"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Example with external ID:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::930358522410:role/reltio.client.lca.[env].[tenant_id]"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}

Replace [env], [tenant_id], and YOUR_EXTERNAL_ID with values specific to your environment. The principal must be the tenant-specific role ARN that Reltio created for you, not the Reltio account root. Contact Reltio Support if you have not received your tenant-specific role ARN.

Permissions policy example

Attach the following permissions policy to the IAM role to allow the role to invoke Lambda functions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction",
        "lambda:InvokeAsync"
      ],
      "Resource": "arn:aws:lambda:*:YOUR_ACCOUNT_ID:function:*"
    }
  ]
}

Replace YOUR_ACCOUNT_ID with your 12-digit AWS account ID. For least privilege, scope the Resource element to the ARNs of your LCA handler functions (and their region) instead of function:* across all regions; the role then cannot be used to invoke unrelated functions in your account.

Use External ID in AssumeRole requests

The Reltio Platform secures interaction with AWS Lambda functions using either access keys or IAM role-based access, optionally combined with an External ID for enhanced security.

  • External ID: A value that the caller must present in the AssumeRole request and that the trust policy checks with an sts:ExternalId condition. It is intended for cross-account role assumption and mitigates the confused-deputy problem. For detailed guidance, see the AWS documentation on External IDs.
  • AWS Lambda Access: The execution of Lambda functions within an AWS account using access keys or IAM roles, optionally protected by an External ID.

Secure access

Administrators set up access to AWS resources in two primary ways:

  • Using an AWS Access Key and Secret Key, Reltio invokes Lambda functions directly as that IAM user.

  • IAM role-based access uses an IAM role from your AWS account. This can include an External ID for additional security. The External ID should be a unique identifier such as a UUID; AWS requires it to be 2 to 1224 characters long and to match the regular expression pattern [\w+=,.@:/-]*.

To establish secure access, create an IAM role within your AWS account with the necessary permissions for Lambda and S3 access, and add an sts:ExternalId condition to its trust policy if you use an External ID. Ensure the role grants only the permissions the LCA handlers need and that its trust policy names the tenant-specific role in the Reltio AWS account.

Note: Generate and use unique External IDs for each role to maintain secure access controls. Make the External ID visible but non-editable to prevent unauthorized changes.
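The following script builds the trust and permissions policies described in the "Trust policy and permissions required for IAM role" section and validates an External ID against the constraints above. It is an added example for this page, not Reltio's own code: the Reltio account ID and role-name pattern are taken from the trust policy examples on this page, while the tenant, environment, AWS account ID, region and function names used at the bottom are hypothetical. The permissions policy it produces is the least-privilege variant (one ARN per handler, lambda:InvokeFunction only, which covers both synchronous and event-type invocations), and the audit function flags the two mistakes that most often weaken such a trust policy: an over-broad principal and a missing sts:ExternalId condition.

```python
"""Build and audit IAM policies for a Reltio LCA cross-account role.

Added example, not Reltio's code. Constants marked as hypothetical are
placeholders; replace them with the values from your Support ticket.
"""
import json
import re
import uuid

RELTIO_ACCOUNT_ID = "930358522410"  # from the trust policy examples on this page
# AWS constraints on sts:ExternalId: 2..1224 characters matching this pattern.
EXTERNAL_ID_RE = re.compile(r"[\w+=,.@:/-]*")


def valid_external_id(external_id):
    """True if external_id satisfies the AWS ExternalId length and pattern rules."""
    return 2 <= len(external_id) <= 1224 and EXTERNAL_ID_RE.fullmatch(external_id) is not None


def new_external_id():
    """Generate a unique External ID (a UUID, as the page recommends)."""
    return str(uuid.uuid4())


def reltio_principal_arn(env, tenant_id):
    """Tenant-specific role in the Reltio account, per the page's naming pattern."""
    return f"arn:aws:iam::{RELTIO_ACCOUNT_ID}:role/reltio.client.lca.{env}.{tenant_id}"


def build_trust_policy(env, tenant_id, external_id):
    """Trust policy that lets only the tenant-specific Reltio role assume ours,
    and only when it presents the agreed External ID."""
    if not valid_external_id(external_id):
        raise ValueError("External ID violates AWS ExternalId constraints")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": reltio_principal_arn(env, tenant_id)},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_permissions_policy(account_id, region, function_names):
    """Least-privilege permissions: one ARN per LCA handler instead of function:*."""
    resources = [f"arn:aws:lambda:{region}:{account_id}:function:{n}" for n in function_names]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["lambda:InvokeFunction"],
            "Resource": resources,
        }],
    }


def audit_trust_policy(policy, env, tenant_id):
    """Return a list of findings for an existing trust policy (empty list = OK)."""
    findings = []
    expected = reltio_principal_arn(env, tenant_id)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            # "*", a bare account ID and the account root all trust far more than one role.
            if p == "*" or p.isdigit() or p.endswith(":root"):
                findings.append(f"over-broad principal {p!r}; use the tenant-specific role ARN")
            elif p != expected:
                findings.append(f"unexpected principal {p!r}; expected {expected!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition on the AssumeRole statement")
        elif not valid_external_id(ext):
            findings.append("sts:ExternalId value violates AWS constraints")
    return findings


if __name__ == "__main__":
    # Hypothetical values for illustration only.
    env, tenant, account, region = "prod", "tenant123", "111122223333", "us-east-1"
    ext_id = new_external_id()
    print(json.dumps(build_trust_policy(env, tenant, ext_id), indent=2))
    print(json.dumps(build_permissions_policy(account, region, ["lca-before-save"]), indent=2))
    # A trust policy that names the Reltio account root and has no External ID:
    weak = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{RELTIO_ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole"}]}
    for finding in audit_trust_policy(weak, env, tenant):
        print("FINDING:", finding)
```

Run the audit against the trust policy you actually attached (for example the output of `aws iam get-role`) before handing the role ARN and External ID to Reltio Support; the generated documents can be passed directly to `aws iam create-role --assume-role-policy-document` and `aws iam put-role-policy`.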