LCA as AWS Lambda: Identity and Access Management
You can implement LCA handlers as AWS Lambda functions and use AWS Identity and Access Management (IAM) to control how Reltio accesses them.
Access to AWS Lambda Functions
To invoke the Lambda functions hosted in a customer AWS account, Reltio can use:
- AWS credentials (Access Key, Secret Key) provided by the customer.
- IAM roles for delegated access. This is the recommended approach.
Access with AWS Credentials
To use the regular credentials-based access to your LCA Handlers implemented as AWS Lambda Functions, file a ticket with Reltio Support. Include the following information in your request:
- Environment name (Dev, Test, Prod, Preview)
- Tenant name (Reltio Tenant ID)
- AWS Access Key and AWS Secret Key of the AWS Account where the Lambda Functions are hosted.
Access with IAM Role
To use the IAM role-based access to your LCA Handlers implemented as AWS Lambda Functions, create an IAM role in your AWS account that Reltio can assume (AssumeRole), with access to the particular AWS services (S3, Lambda).
Use External ID in AssumeRole requests
The Reltio Platform secures interaction with AWS Lambda functions using AccessKeys and IAM Role-Based Access, optionally combined with an External ID for enhanced security.
- External ID: A security feature for cross-account role assumption to prevent unauthorized access. For detailed guidance, see the AWS documentation on External IDs.
- AWS Lambda Access: The execution of Lambda functions within an AWS account using Access Keys or IAM Roles, potentially enhanced by an External ID.
Secure access
Administrators set up access to AWS resources in two primary ways:
- Using AWS AccessKey and SecretKey, administrators can directly invoke Lambda functions.
- IAM Role-Based Access involves using an IAM role from your AWS account. This can include an External ID for additional security, which should be a unique identifier like a UUID and adhere to the regular expression pattern (regex) [\w+=,.@:/-]*.
To establish secure access, create an IAM role within the AWS account with necessary permissions for Lambda and S3 access, including an External ID if needed. Ensure the role grants the appropriate permissions and establish a trust relationship with the Reltio AWS account.
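The following Python sketch is an added example, not Reltio's or AWS's own code. It validates an External ID against the character class \w+=,.@:/- from the pattern above, builds the role's trust policy, and checks a trust policy for AssumeRole statements that lack the External ID condition. The account ID is a placeholder (the page does not state Reltio's AWS account ID), the function names are hypothetical, and the 2 to 1224 character length bound comes from the AWS STS API rather than from this page.

```python
import json
import re
import uuid

# Character class from the page; re.ASCII keeps \w to [A-Za-z0-9_].
EXTERNAL_ID_RE = re.compile(r"[\w+=,.@:/-]*", re.ASCII)
# Placeholder account ID: the page does not state Reltio's AWS account ID.
RELTIO_ACCOUNT_ID = "111122223333"


def is_valid_external_id(value):
    # AWS STS also bounds ExternalId length to 2-1224 characters.
    return 2 <= len(value) <= 1224 and EXTERNAL_ID_RE.fullmatch(value) is not None


def build_trust_policy(account_id, external_id):
    """Trust policy letting account_id assume the role only with external_id."""
    if not is_valid_external_id(external_id):
        raise ValueError("External ID does not match the allowed pattern")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def statements_missing_external_id(policy):
    """Indexes of Allow sts:AssumeRole statements with no sts:ExternalId condition."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    missing = []
    for index, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        # Only a plain StringEquals counts; an ...IfExists variant passes when the ID is absent.
        keys = {k.lower() for op, block in stmt.get("Condition", {}).items()
                if op.lower() == "stringequals" for k in block}
        if "sts:externalid" not in keys:
            missing.append(index)
    return missing


if __name__ == "__main__":
    policy = build_trust_policy(RELTIO_ACCOUNT_ID, str(uuid.uuid4()))
    print(json.dumps(policy, indent=2))
    print("statements missing ExternalId:", statements_missing_external_id(policy))
```

Running the check over the trust policy of an existing role shows whether any statement would let the trusted account assume the role without presenting the External ID.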