Configure an AWS IAM role for Profiler
Learn how to configure an AWS IAM role so that the Profiler agent can securely read CSV files from your S3 bucket.
Use this configuration when your source files are stored in Amazon S3.
If you use Google Cloud Storage, Azure Blob Storage, or SFTP sources, follow the respective authentication instructions.
Prerequisites
- You have permission to create IAM roles in your AWS account.
- You have an Amazon S3 bucket containing the source CSV files.
- You have obtained the Reltio AWS account ID from Reltio Support.
- You have generated a unique External ID value. This can be any customer-defined string that meets AWS requirements (for example, uuid4).
Create the IAM role
- Open the AWS IAM Console.
- Select Create role.
- Choose Another AWS account.
- Enter the Reltio AWS account ID.
- Enable Require external ID and enter the value you generated.
- Name the role using the format reltio.client.<suffix>, where <suffix> is a unique identifier of your choice (for example, your company or project name).
Profiler-specific trust policy
In the role's Trust relationships tab, configure the trust policy as shown below. Replace placeholders with the values provided by Reltio Support and the External ID you generated.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<reltio-account-id>:role/role.reltio.platform.af-profiler-api.prod",
          "arn:aws:iam::<reltio-account-id>:user/RW_reltio.console-jobs.internal",
          "arn:aws:iam::<reltio-account-id>:user/reltio.platform.sc-dataloader-prod",
          "arn:aws:iam::<reltio-account-id>:role/role-RW-reltio-console-jobs-internal",
          "arn:aws:iam::<reltio-account-id>:role/role-reltio.platform.sc-dataloader-prod"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<external-id>"
        }
      }
    }
  ]
}
Configure an External ID in the trust policy to provide an additional security parameter. If the External ID is configured, the role can be assumed, and the S3 bucket read, only by principals that present the correct External ID when assuming the role. Specify the External ID using the sts:ExternalId parameter.
For the sts:ExternalId value in your trust policy, use a UUID in version 7 format. External IDs in other formats (such as UUID v1) may result in failed access. To generate a UUID v7 External ID, use the supported endpoint: GET https://platform-management.reltio.com/api/v1/tools/externalId. Ensure the External ID exactly matches what is configured in the IAM role trust policy.
Example of a supported UUID v7: c77f24a0-f5a6-11f0-9e2e-325096e39f47
The Reltio AWS account ID (<RELTIO_AWS_ACCOUNT_ID>, shown as <reltio-account-id> in the trust policy above) appears in every ARN of the Principal element. To obtain the <RELTIO_AWS_ACCOUNT_ID> associated with the Profiler service, raise a support ticket. See topic Submit a support request. If a profiling job fails with an error message such as User: arn:aws:iam::123456789012:user/reltio.console-jobs.internal is not authorized to perform..., the account ID 123456789012 shown in the error message corresponds to your <RELTIO_AWS_ACCOUNT_ID>.
Attach S3 read permissions
Attach a policy that grants read-only access to your S3 bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3ReadAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<your-bucket-name>",
        "arn:aws:s3:::<your-bucket-name>/*"
      ]
    }
  ]
}
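The trust policy and the S3 permissions policy above are the two documents that decide who can assume the role and what it can read, so it is worth checking them mechanically before attaching them. The following Python script is an added example, not Reltio's code and not a tool this page provides. It fills the placeholders in both policies with constructed sample values (the account ID 123456789012, a bucket name, and the example External ID from this page) and reports anything that would weaken them: a principal outside the Reltio account or a wildcard principal, a placeholder left unreplaced, a missing or mismatched sts:ExternalId condition, a non-read action, or a resource outside the one source bucket. The principal ARNs are the ones from the trust policy above; everything else is assumed for illustration.

```python
"""Offline review of the Profiler IAM role policies (added example, not Reltio code)."""
import json
import re
import uuid

# Constructed sample values. Substitute the account ID from Reltio Support,
# your bucket name, and the External ID you generated.
RELTIO_ACCOUNT_ID = "123456789012"
BUCKET = "example-profiler-source"
EXTERNAL_ID = "c77f24a0-f5a6-11f0-9e2e-325096e39f47"

# The trust policy from this page with the placeholders filled in.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [
            f"arn:aws:iam::{RELTIO_ACCOUNT_ID}:role/role.reltio.platform.af-profiler-api.prod",
            f"arn:aws:iam::{RELTIO_ACCOUNT_ID}:user/RW_reltio.console-jobs.internal",
            f"arn:aws:iam::{RELTIO_ACCOUNT_ID}:user/reltio.platform.sc-dataloader-prod",
            f"arn:aws:iam::{RELTIO_ACCOUNT_ID}:role/role-RW-reltio-console-jobs-internal",
            f"arn:aws:iam::{RELTIO_ACCOUNT_ID}:role/role-reltio.platform.sc-dataloader-prod",
        ]},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
})

# The read-only permissions policy from this page with the bucket filled in.
PERMISSIONS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowS3ReadAccess",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
})

READ_ONLY_ACTIONS = {"s3:GetObject", "s3:ListBucket"}
PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(role|user)/\S+$")


def _as_list(value):
    """IAM accepts a single string wherever it accepts a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(document, account_id, external_id):
    """Return a list of findings for the trust policy; an empty list means it passes."""
    findings = []
    for stmt in _as_list(json.loads(document).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        arns = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if not arns:
            findings.append("AssumeRole statement has no Principal")
        for arn in arns:
            match = PRINCIPAL_ARN.match(arn)
            if arn == "*":
                findings.append("AssumeRole is allowed for any AWS principal")
            elif match is None:
                findings.append(f"principal {arn!r} is not a role/user ARN (placeholder left in?)")
            elif match.group(1) != account_id:
                findings.append(f"principal {arn!r} belongs to account {match.group(1)}, not {account_id}")
        configured = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if configured is None:
            findings.append("sts:ExternalId condition is missing")
        elif configured != external_id:
            findings.append("sts:ExternalId does not match the External ID you generated")
        else:
            try:
                uuid.UUID(configured)  # must at least be a well-formed UUID
            except ValueError:
                findings.append("sts:ExternalId is not a UUID")
    return findings


def check_permissions_policy(document, bucket):
    """Return findings for the S3 policy: only read actions, only on this bucket."""
    findings = []
    allowed_resources = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(json.loads(document).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"action {action!r} is not in the read-only set")
        for resource in _as_list(stmt.get("Resource")):
            if resource not in allowed_resources:
                findings.append(f"resource {resource!r} is outside bucket {bucket!r}")
    return findings


if __name__ == "__main__":
    for name, found in (("trust", check_trust_policy(TRUST_POLICY, RELTIO_ACCOUNT_ID, EXTERNAL_ID)),
                        ("permissions", check_permissions_policy(PERMISSIONS_POLICY, BUCKET))):
        print(name, "policy:", "OK" if not found else "; ".join(found))
```

Run it as-is to see both sample policies pass, or point the two check functions at the live role by feeding them the AssumeRolePolicyDocument returned by aws iam get-role and the JSON of the attached permissions policy. A non-empty findings list is the signal to correct the policy before starting a profiling job; an unreplaced <reltio-account-id> placeholder, for example, shows up as a "not a role/user ARN" finding for every principal.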
Result
The Profiler agent can assume the IAM role using AWS STS and securely read files from your S3 bucket.
Validation steps
- Start a profiling job in AgentFlow.
- Provide the role ARN, External ID, and region when prompted.
- Confirm that the job starts without access errors.