Unify and manage your data

Configure an AWS IAM role for Data Loader

Learn how to configure an AWS IAM role with an External ID to securely access Amazon S3 files in the Console Data Loader.

You must have access to your AWS IAM Console or CLI with permissions to create roles and policies. Contact Reltio Support to obtain the correct AWS account ID required for the trust relationship. You must have the following information already prepared:
| Field | Description | Example | Notes |
|---|---|---|---|
| bucketName | Name of your S3 bucket | reltio-dataloder-sources | The S3 bucket name must comply with AWS bucket naming rules (e.g., lowercase, no underscores, globally unique). |
| sourcePath | URI to your file | Locations/DataSet_100_with_errors.csv | Provide the URI of the file to be accessed. |
| role | ARN of the IAM role | arn:aws:iam::123456789012:role/reltio.client.dataloader.reader | The ARN of the IAM role that the Reltio Data Loader service assumes to reach the defined source. Important: the role ARN must follow the pattern arn:aws:iam::<CUSTOMER_ACCOUNT_ID>:role/reltio.client.dataloader.<some-customer-defined-role-name-postfix-ro>. |
| externalId | External ID for the trust policy | reltio-dataloader | A string chosen by you that the trust policy requires for cross-account role assumption, as an extra safeguard. For the allowed characters, see Key points for external IDs. |
| region | AWS region of your bucket | us-east-1 | Must be one of the predefined AWS region identifiers. |
Use this procedure to configure an AWS IAM role that Reltio's Console Data Loader can assume to securely access source files stored in your S3 bucket.
To configure a new AWS IAM role:
  1. Open the IAM service in your AWS account and create a new role or configure an existing one. Its ARN must follow the naming pattern described above; together with the External ID and region it forms the values you will later supply to the Data Loader, for example:
    {
      "role": "arn:aws:iam::123456789012:role/reltio.client.dataloader.reader",
      "externalId": "reltio-dataloader",
      "region": "us-east-1"
    }
  2. Define the trust policy to allow Reltio to assume the role using an External ID:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::<RELTIO_AWS_ACCOUNT_ID>:user/RW_reltio.console-jobs.internal",
              "arn:aws:iam::<RELTIO_AWS_ACCOUNT_ID>:user/reltio.platform.sc-dataloader-prod",
              "arn:aws:iam::<RELTIO_AWS_ACCOUNT_ID>:role/role-RW-reltio-console-jobs-internal",
              "arn:aws:iam::<RELTIO_AWS_ACCOUNT_ID>:role/role-reltio.platform.sc-dataloader-prod"
            ]
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "reltio-dataloader"
            }
          }
        }
      ]
    }

    Configure an External ID and use it in the trust policy as an extra security parameter. When an External ID is set, access to the S3 bucket is only granted to a role assumption that presents the matching External ID when loading data. Put the External ID in the sts:ExternalId condition key.

    Important: You must always provide all four resource names under the "Principal" element. To find the <RELTIO_AWS_ACCOUNT_ID> associated with the service you want to access, raise a support ticket. See topic Get help in Support Portal.
    Important: If you attempt to use a role without configuring these principals, an error similar to User: arn:aws:iam::123456789012:user/reltio.console-jobs.internal is not authorized to perform... is returned; the account ID 123456789012 in that error message is your <RELTIO_AWS_ACCOUNT_ID>.
  3. Attach a permissions policy to the role that grants read-only access to your S3 bucket:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::reltio-dataloder-sources",
                    "arn:aws:s3:::reltio-dataloder-sources/*"
                ]
            }
        ]
    }
    Important: The resource arn:aws:s3:::reltio-dataloder-sources represents the root of your S3 bucket, and the resource arn:aws:s3:::reltio-dataloder-sources/* represents all sub-folders and objects inside it. Both resources are mandatory and can't be skipped in this configuration.
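    The two policy documents in steps 2 and 3 are easy to get subtly wrong (a bare list under "Principal", a missing sts:ExternalId condition, or only one of the two bucket resources, which matters because s3:ListBucket applies to the bucket ARN while s3:GetObject applies to the object ARN). The following script, added here as an example and not part of the Reltio documentation or product, generates both documents from the values in the table above and checks an existing pair of documents against the same requirements. The Reltio account ID is a placeholder, and the bucket name and External ID are the page's sample values.

```python
"""Generate the trust policy (step 2) and the read-only bucket policy (step 3)
and check an existing pair of policy documents against the same requirements
before attaching them to the Data Loader role."""
import json

# Constructed sample values mirroring the page's examples. The Reltio account
# ID is a placeholder: the real value comes from Reltio Support.
RELTIO_AWS_ACCOUNT_ID = "<RELTIO_AWS_ACCOUNT_ID>"
BUCKET_NAME = "reltio-dataloder-sources"
EXTERNAL_ID = "reltio-dataloader"

# All four principals listed on the page must be present in the trust policy.
REQUIRED_PRINCIPALS = [
    f"arn:aws:iam::{RELTIO_AWS_ACCOUNT_ID}:user/RW_reltio.console-jobs.internal",
    f"arn:aws:iam::{RELTIO_AWS_ACCOUNT_ID}:user/reltio.platform.sc-dataloader-prod",
    f"arn:aws:iam::{RELTIO_AWS_ACCOUNT_ID}:role/role-RW-reltio-console-jobs-internal",
    f"arn:aws:iam::{RELTIO_AWS_ACCOUNT_ID}:role/role-reltio.platform.sc-dataloader-prod",
]
# The only actions the Data Loader needs on the bucket.
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:ListBucket"}


def build_trust_policy(principals, external_id):
    """Only the listed principals may assume the role, and only when they
    present the agreed External ID (the confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": list(principals)},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_permissions_policy(bucket):
    """Read-only access: ListBucket needs the bucket ARN, GetObject the objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": sorted(READ_ONLY_ACTIONS),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, principals, external_id):
    """Return the list of problems found (empty means the policy is as expected)."""
    problems = []
    assume_statements = 0
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        assume_statements += 1
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            granted = set(_as_list(principal.get("AWS", [])))
        else:
            # A bare list or string is not valid IAM syntax; it must be {"AWS": [...]}.
            problems.append("Principal must be an object with an AWS key")
            granted = set()
        if "*" in granted:
            problems.append("wildcard principal: any AWS account could assume the role")
        missing = set(principals) - granted
        if missing:
            problems.append(f"missing principals: {sorted(missing)}")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != external_id:
            problems.append("sts:ExternalId condition missing or does not match")
    if assume_statements == 0:
        problems.append("no Allow statement for sts:AssumeRole")
    return problems


def check_permissions_policy(doc, bucket):
    """Return the list of problems found in the bucket permissions policy."""
    problems = []
    actions, resources = set(), set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions |= set(_as_list(stmt.get("Action", [])))
            resources |= set(_as_list(stmt.get("Resource", [])))
    extra = actions - READ_ONLY_ACTIONS
    if extra:
        problems.append(f"actions beyond read-only: {sorted(extra)}")
    if resources & {"*", "arn:aws:s3:::*"}:
        problems.append("wildcard resource: grants access to every bucket")
    missing = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"} - resources
    if missing:
        problems.append(f"missing resources: {sorted(missing)}")
    return problems


if __name__ == "__main__":
    trust = build_trust_policy(REQUIRED_PRINCIPALS, EXTERNAL_ID)
    perms = build_permissions_policy(BUCKET_NAME)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("trust policy problems:", check_trust_policy(trust, REQUIRED_PRINCIPALS, EXTERNAL_ID))
    print("permissions problems:", check_permissions_policy(perms, BUCKET_NAME))
```

    Run it once to print the two documents to paste into the IAM console, and run the check functions against the documents you actually attached (after exporting them with the console or the CLI) to confirm nothing was lost or widened during editing.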
  4. Encode your credentials with base64.
    The role ARN, External ID and region are combined into a JSON object and base64-encoded; the result is the credentials value of a StorageDetails object.
    Take this role as an example:
    {
      "role": "arn:aws:iam::123456789012:role/reltio.client.dataloader.reader",
      "externalId": "reltio-dataloader",
      "region": "us-east-1"
    }

    Encoding it in base64 gives: ewogICJyb2xlIjogImFybjphd3M6aWFtOjoxMjM0NTY3ODkwMTI6cm9sZS9yZWx0aW8uY2xpZW50LmRhdGFsb2FkZXIucmVhZGVyIiwKICAiZXh0ZXJuYWxJZCI6ICJyZWx0aW8tZGF0YWxvYWRlciIsCiAgInJlZ2lvbiI6ICJ1cy1lYXN0LTEiCn0=

    This value can be used in the StorageDetails object:
      "storageDetails": {
        "bucketName": "reltio-dataloder-sources",
        "shareSourceInfo": "false",
        "sourcePath": "simple_DataSet_100_with_errors.csv",
        "storageAccount": {
          "accountName": "<some human-readable name>",
          "accountType": "AWS_S3",
          "credentials": "ewogICJyb2xlIjogImFybjphd3M6aWFtOjoxMjM0NTY3ODkwMTI6cm9sZS9yZWx0aW8uY2xpZW50LmRhdGFsb2FkZXIucmVhZGVyIiwKICAiZXh0ZXJuYWxJZCI6ICJyZWx0aW8tZGF0YWxvYWRlciIsCiAgInJlZ2lvbiI6ICJ1cy1lYXN0LTEiCn0="
        }
      }

    For more information on creating storage accounts, see our Developer Portal.
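    Because the credentials value is opaque once encoded, it is worth producing it with a script rather than by hand, and decoding it back before pasting it into the StorageDetails object. The script below is an added example, not Reltio's own tooling: it checks the role ARN against the naming pattern from the table above (so a stray duplicated arn:aws:iam:: prefix is rejected), serialises the three fields as 2-space-indented JSON exactly as shown on this page, base64-encodes them, and assembles the StorageDetails fragment. The account ID 123456789012 and the file name are the page's sample values.

```python
"""Build the base64 'credentials' value for a StorageDetails object and
decode it back to check what the Data Loader will receive."""
import base64
import json
import re

# Constructed sample values taken from the page's example (123456789012 is
# not a real account).
ROLE_ARN = "arn:aws:iam::123456789012:role/reltio.client.dataloader.reader"
EXTERNAL_ID = "reltio-dataloader"
REGION = "us-east-1"
BUCKET_NAME = "reltio-dataloder-sources"

# Pattern the page requires for the role ARN:
# arn:aws:iam::<CUSTOMER_ACCOUNT_ID>:role/reltio.client.dataloader.<postfix>
ROLE_ARN_PATTERN = re.compile(
    r"^arn:aws:iam::\d{12}:role/reltio\.client\.dataloader\.[A-Za-z0-9_+=,.@-]+$"
)


def is_valid_role_arn(role_arn):
    """True when the ARN follows the required pattern (a doubled
    'arn:aws:iam::arn:aws:iam::' prefix, for instance, is rejected)."""
    return bool(ROLE_ARN_PATTERN.match(role_arn))


def encode_credentials(role_arn, external_id, region):
    """Serialise {role, externalId, region} as 2-space-indented JSON (the
    layout used on the page) and base64-encode it."""
    if not is_valid_role_arn(role_arn):
        raise ValueError(f"role ARN does not follow the required pattern: {role_arn}")
    payload = {"role": role_arn, "externalId": external_id, "region": region}
    text = json.dumps(payload, indent=2)
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_credentials(blob):
    """Reverse of encode_credentials: use it to inspect a value that is
    already pasted into a StorageDetails object."""
    return json.loads(base64.b64decode(blob).decode("utf-8"))


def build_storage_details(bucket, source_path, account_name, credentials):
    """Assemble the StorageDetails fragment shown on the page."""
    return {
        "storageDetails": {
            "bucketName": bucket,
            "shareSourceInfo": "false",
            "sourcePath": source_path,
            "storageAccount": {
                "accountName": account_name,
                "accountType": "AWS_S3",
                "credentials": credentials,
            },
        }
    }


if __name__ == "__main__":
    blob = encode_credentials(ROLE_ARN, EXTERNAL_ID, REGION)
    details = build_storage_details(
        BUCKET_NAME, "simple_DataSet_100_with_errors.csv", "example account", blob
    )
    print(json.dumps(details, indent=2))
    print("decoded credentials:", decode_credentials(blob))
```

    The decode step is the useful check: if the printed dictionary does not show exactly the role ARN, External ID and region you configured in steps 1 and 2, the Data Loader will fail its sts:AssumeRole call against your trust policy.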

  5. In Reltio Console > Data Loader, configure the source file location:
    1. Select Amazon S3 as the source type.
    2. Select the Authenticate using key/secret checkbox.
    3. Enter the details requested on the page.
    For more information on the Console > Data Loader see topic Data loading navigation.
After completing these steps, Reltio will be able to assume the IAM role and securely access your S3 data for data loading.