Configure IAM roles for event streaming

Learn how to configure IAM roles for event streaming.

Contact Reltio Support for these Reltio account details, which you'll need to configure access to the SQS queue:
  • Reltio AWS Account ID

  • Reltio AWS User ARNs

  • External IDs

This process helps you use a streaming provider with authentication through an IAM role.

To configure the IAM roles for event streaming:
  1. Create an SQS queue or SNS topic for the Reltio client to stream into.
     For SQS:
     • In the AWS Console, go to Simple Queue Service (SQS).
     • Make sure the queue supports these actions:
       • sqs:SendMessage
       • sqs:GetQueueUrl
       • sqs:GetQueueAttributes
  2. Create an IAM policy that defines the permissions required for streaming to the SQS destination queue.
    Following is an example of policy configuration (the policy language version must be "2012-10-17"; IAM rejects other values):
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "sqs:SendMessage",
                    "sqs:GetQueueUrl",
                    "sqs:GetQueueAttributes"
                ],
                "Resource": "arn:aws:sqs:us-east-1:CUSTOMER-ACCOUNT-ID:queue-to-stream-into"
            }
        ]
    }
    
  3. Configure a role in your AWS account to provide Reltio access to the SQS queue.
    Important: Reltio does not support IAM Role ARNs that include a path component, for example, service-role/ in role/service-role/ROLE_NAME.

    Use this format instead: arn:aws:iam::AWS_ACCOUNT_ID:role/ROLE_NAME

    If your Role ARN includes a path, Reltio will be unable to validate or assume the role, and connection to the external queue will fail.

    Use one of the following approaches to configure the role:

    • When creating a new role:
      • Choose Another AWS account, select Require external ID, and enter the previously acquired Account ID and External ID.

      • Open the created role, choose the Trust Relationships tab, and select Edit trust.

      • Replace arn:aws:iam::ReltioAccountID:root in the "Principal"."AWS" section with the Reltio API/Dataload AWS User ARNs provided by Reltio Support. For guidance on which users to add, see When editing an existing role.

    • When editing an existing role: Choose the Trust Relationships tab and select Edit trust relationship. Update the Statement section to match the following:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": [
                          "arn:aws:iam::123456789876:user/reltio.platform.dataload",
                          "arn:aws:iam::123456789876:user/reltio.platform.api"
                      ]
                  },
                  "Action": "sts:AssumeRole",
                  "Condition": {
                      "StringEquals": {
                          "sts:ExternalId": "{your-external-id}"
                      }
                  }
              }
          ]
      }
      
      Important: The ExternalId must be a UUID version 7 string. Older UUID formats, such as v1, may result in authentication failures. To generate a valid UUID v7, use GET https://platform-management.reltio.com/api/v1/tools/externalId.
    • Attach the previously created IAM policy to this role.

    • Use the role ARN when you configure the external queue for event streaming.

  4. Complete the external queue configuration.

    Reltio supports both Amazon SQS and Amazon SNS for event streaming. If you want to configure SNS, clear the Use ARN checkbox and select the SNS option from the Type dropdown when configuring your external queue. For more information, see Add an external queue configuration.
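The following added example (not Reltio's code) checks the three artefacts the procedure above produces against the constraints the page states: the role ARN has no path component, every sts:AssumeRole grant in the trust policy is bound to the expected sts:ExternalId, and the permissions policy allows only the three SQS actions on the one queue with a valid policy Version. The account IDs, queue name and external ID in the sample documents are constructed placeholders.

```python
import re
# Constraints from the page: no path in the role ARN, an ExternalId condition on
# every AssumeRole grant, and a queue-scoped policy limited to three SQS actions.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@-]+$")
ALLOWED_SQS_ACTIONS = {"sqs:SendMessage", "sqs:GetQueueUrl", "sqs:GetQueueAttributes"}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def check_role_arn(arn):
    """True only for arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME; role/some-path/NAME fails."""
    return bool(ROLE_ARN_RE.match(arn))

def check_trust_policy(doc, external_id):
    """Findings for AssumeRole grants that are not bound to the expected external ID."""
    findings = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        bound = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if bound != external_id:
            findings.append(f"{st.get('Principal')} may assume the role without the external ID")
    return findings

def check_permissions_policy(doc, queue_arn):
    """Findings for Allow statements wider than the three SQS actions on the one queue."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append(f"unsupported policy Version {doc.get('Version')!r}")
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        extra = set(_as_list(st.get("Action"))) - ALLOWED_SQS_ACTIONS
        if extra:
            findings.append(f"actions beyond streaming needs: {sorted(extra)}")
        if _as_list(st.get("Resource")) != [queue_arn]:
            findings.append(f"Resource not scoped to the queue: {st.get('Resource')!r}")
    return findings

# Constructed sample inputs with placeholder account IDs (not real Reltio values).
QUEUE_ARN = "arn:aws:sqs:us-east-1:111111111111:queue-to-stream-into"
EXTERNAL_ID = "EXTERNAL-ID-PLACEHOLDER"
RELTIO_USER = "arn:aws:iam::222222222222:user/reltio.platform.api"
TRUST_OK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": [RELTIO_USER]},
            "Action": "sts:AssumeRole", "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
TRUST_NO_EXTID = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                  "Principal": {"AWS": RELTIO_USER}, "Action": "sts:AssumeRole"}]}
PERMS_OK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": sorted(ALLOWED_SQS_ACTIONS), "Resource": QUEUE_ARN}]}
PERMS_WIDE = {"Version": "2020-01-01", "Statement": [{"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}]}
```

Run the checks against the JSON you are about to save in the console; an empty findings list means the document matches the constraints on this page, and each finding names the statement to tighten.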

    Additional requirements for HIPAA environments

    When configuring external queue streaming in a HIPAA environment, add your HIPAA user to the role's trust policy. The sample statement below must be added to the Statement array of that trust policy:

    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::682505635934:user/reltio.platform.dev-h360"
      },
      "Action": "sts:AssumeRole"
    }