Configure IAM roles for event streaming

Learn how to configure IAM roles for event streaming.

Contact Reltio Support for these Reltio account details, which you'll need to configure access to the SQS queue:
  • Reltio AWS Account ID

  • Reltio AWS User ARNs

  • External IDs

This procedure lets you use a streaming provider that authenticates through an IAM role rather than long-lived access keys.

To configure the IAM roles for event streaming:
  1. Create an SQS queue for the Reltio client to stream into.
  2. Create an IAM policy that defines the permissions required for streaming to the SQS destination queue:
    • sqs:SendMessage
    • sqs:GetQueueUrl
    • sqs:GetQueueAttributes
    The following is an example policy configuration (the Version element of an IAM policy must be 2012-10-17; replace CUSTOMER-ACCOUNT-ID and the queue name with your own):
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "sqs:SendMessage",
                    "sqs:GetQueueUrl",
                    "sqs:GetQueueAttributes"
                ],
                "Resource": "arn:aws:sqs:us-east-1:CUSTOMER-ACCOUNT-ID:queue-to-stream-into"
            }
        ]
    }
    
  3. Configure a role in your AWS account to provide Reltio account access to the SQS queue.
    Key points about configuring the role:
    • When creating a new role:
      • Choose the Another AWS account option and check Require external ID. Enter the Reltio AWS Account ID and External ID you obtained from Reltio Support.

      • Open the created role. Choose the Trust Relationships tab and select Edit trust relationship. In the "Principal"."AWS" section, replace arn:aws:iam::ReltioAccountID:root with the Reltio API/Dataload AWS User ARNs provided by Reltio Support, so that only those users (not every principal in the Reltio account) can assume the role. For the users to list as trusted principals, see When editing an existing role below.

    • When editing an existing role: Choose the Trust Relationships tab. Select Edit trust relationship. Edit the Statement section to match the following (the account ID and external ID shown are examples; use the values provided by Reltio Support):
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": [
                          "arn:aws:iam::123456789876:user/reltio.platform.dataload",
                          "arn:aws:iam::123456789876:user/reltio.platform.api"
                      ]
                  },
                  "Action": "sts:AssumeRole",
                  "Condition": {
                      "StringEquals": {
                          "sts:ExternalId": "07515ab2-f3f0-4ac2-a7cf-3fe58e3b2b4d"
                      }
                  }
              }
          ]
      }

      Note: To configure the SQS queue in a GCP tenant, use the following trust policy instead:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": [
                          "arn:aws:iam::930358522410:user/reltio.platform.dataload.gcp",
                          "arn:aws:iam::930358522410:role/role-reltio-platform-dataload-gcp"
                      ]
                  },
                  "Action": "sts:AssumeRole",
                  "Condition": {
                      "StringEquals": {
                          "sts:ExternalId": "44edb12d-ca0c-4895-b90e-66d39319e13d"
                      }
                  }
              }
          ]
      }
    • Attach the previously created IAM Policy to this role.

  4. Contact us at Reltio and provide the ARN of the role that you created.
  5. We will ensure that the users user/reltio.platform.dataload, user/reltio.platform.api and user/application_key are granted the sts:AssumeRole permission for the role you created.
    Note: Reltio supports both Amazon SQS and Amazon SNS for event streaming. If you want to configure SNS, clear the Use ARN checkbox and select the SNS option from the Type dropdown when configuring your external queue. For more information, see Add an external queue configuration.
Additional requirements for HIPAA environments

When configuring external queue streaming in a HIPAA environment, add your HIPAA user to the role's trust policy. The following is a sample statement to add to the Statement list of that trust policy:

    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::682505635934:user/reltio.platform.dev-h360"
      },
      "Action": "sts:AssumeRole"
    }
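As an added example (not part of Reltio's documentation or tooling), the following Python checks a role trust policy (step 3 and the HIPAA statement above) and the queue permissions policy (step 2) against the shape this procedure describes: only the expected Reltio principals, never a whole-account root or "*", an sts:ExternalId condition on every AssumeRole grant, and only the three streaming actions on the single destination queue. The policy documents, account IDs, queue ARN and external ID are constructed sample values, and the checker flags, for instance, an AssumeRole statement that carries no external ID condition.

```python
import json

# Constructed samples shaped like the two policies in the procedure above (not Reltio's own files).
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": ["arn:aws:iam::123456789876:user/reltio.platform.dataload",
                           "arn:aws:iam::123456789876:user/reltio.platform.api"]},
     "Condition": {"StringEquals": {"sts:ExternalId": "07515ab2-f3f0-4ac2-a7cf-3fe58e3b2b4d"}}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::682505635934:user/reltio.platform.dev-h360"}}
  ]}""")
QUEUE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Resource": "*",
                 "Action": ["sqs:SendMessage", "sqs:GetQueueUrl", "sqs:GetQueueAttributes", "sqs:*"]}]
}""")
STREAMING_ACTIONS = {"sqs:SendMessage", "sqs:GetQueueUrl", "sqs:GetQueueAttributes"}

def _as_list(v):
    return v if isinstance(v, list) else [v]  # IAM allows a string or a list in most fields

def check_trust_policy(doc, trusted_arns, external_id):
    """Only the expected Reltio principals may assume the role, never an account root or '*',
    and every AssumeRole grant must carry the sts:ExternalId condition (confused-deputy guard)."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        for p in _as_list(st.get("Principal", {}).get("AWS", [])):
            if p == "*" or p.endswith(":root") or p not in trusted_arns:
                findings.append(f"trust statement {i}: unexpected principal {p}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != external_id:
            findings.append(f"trust statement {i}: sts:ExternalId is {ext!r}, expected {external_id!r}")
    return findings

def check_queue_policy(doc, queue_arn):
    """The permissions policy should grant only the three streaming actions on the one queue."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for a in sorted(set(_as_list(st.get("Action", []))) - STREAMING_ACTIONS):
            findings.append(f"queue statement {i}: action {a} is not needed for streaming")
        for r in _as_list(st.get("Resource", [])):
            if r != queue_arn:
                findings.append(f"queue statement {i}: resource {r} is not the destination queue")
    return findings
```

Run both checks before sending the role ARN to Reltio; an empty list from each means the policies match the shape described in this procedure.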