
Configure IAM roles for event streaming

Learn how to configure IAM roles for event streaming.

Contact Reltio Support for these Reltio account details, which you'll need to configure access to the SQS queue:
  • Reltio AWS Account ID
  • Reltio AWS User ARNs
  • External IDs

This process lets you use a streaming provider that authenticates through an IAM role.

To configure the IAM roles for event streaming:
  1. Create an SQS queue for the Reltio client to stream into.
  2. Create an IAM policy that defines the permissions required for streaming to the SQS destination queue:
    • sqs:SendMessage
    • sqs:GetQueueUrl
    • sqs:GetQueueAttributes
    The following is an example policy configuration:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "sqs:SendMessage",
                    "sqs:GetQueueUrl",
                    "sqs:GetQueueAttributes"
                ],
                "Resource": "arn:aws:sqs:us-east-1:CUSTOMER-ACCOUNT-ID:queue-to-stream-into"
            }
        ]
    }
    
  3. Configure a role in your AWS account that gives the Reltio account access to the SQS queue.
    Key points about configuring the role:
    • When creating a new role:
      • Choose the Another AWS account option and check Require external ID. Enter the Account ID and External ID that you obtained from Reltio Support.

      • Open the created role. Choose the Trust Relationships tab. Select Edit trust relationship. In the "Principal"."AWS" section, replace arn:aws:iam::ReltioAccountID:root with the Reltio API/Dataload AWS User ARNs provided by Reltio Support. For more information on determining which users must be set as trusted users, see When editing existing role.

    • When editing an existing role: Choose the Trust Relationships tab. Select Edit trust relationship. Edit the Statement section to match the following:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": [
                          "arn:aws:iam::123456789876:user/reltio.platform.dataload",
                          "arn:aws:iam::123456789876:user/reltio.platform.api"
                      ]
                  },
                  "Action": "sts:AssumeRole",
                  "Condition": {
                      "StringEquals": {
                          "sts:ExternalId": "07515ab2-f3f0-4ac2-a7cf-3fe58e3b2b4d"
                      }
                  }
              }
          ]
      }
      
    • Attach the IAM policy that you created in step 2 to this role.

  4. Contact us at Reltio and provide the ARN of the role that you created.
  5. We will ensure that the following users (user/reltio.platform.dataload, user/reltio.platform.api, and user/application_key) are assigned the sts:AssumeRole permission for the role you created.
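
Before sending the role ARN in step 4, you can check the trust policy from step 3 offline. The following is an added example, not Reltio or AWS code: the function name audit_trust_policy and both sample documents are constructed here, reusing the placeholder account ID and External ID shown above. It flags a trust statement that still names the account root (or a wildcard) instead of specific users, and one that lacks the sts:ExternalId condition.

```python
import json

def as_list(value):
    """IAM accepts a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Return a list of findings for a cross-account role trust policy."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        arns = [principal] if isinstance(principal, str) else as_list(principal.get("AWS"))
        for arn in arns:
            # "*", a bare account ID and ...:root all trust more than named users.
            if arn == "*" or arn.isdigit() or arn.endswith(":root"):
                findings.append(f"Statement {i}: principal {arn} is not a named user")
        # Condition key names are case-insensitive in IAM.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if not any(k.lower() == "sts:externalid" and v for k, v in equals.items()):
            findings.append(f"Statement {i}: no sts:ExternalId condition")
    return findings

# Constructed sample: trust policy as first created, with the account root principal.
ROOT_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789876:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "07515ab2-f3f0-4ac2-a7cf-3fe58e3b2b4d"}}
  }]
}""")

# Constructed sample: the same policy after the principal edit described in step 3.
USER_TRUST = json.loads(json.dumps(ROOT_TRUST))
USER_TRUST["Statement"][0]["Principal"]["AWS"] = [
    "arn:aws:iam::123456789876:user/reltio.platform.dataload",
    "arn:aws:iam::123456789876:user/reltio.platform.api",
]

if __name__ == "__main__":
    for name, doc in (("root", ROOT_TRUST), ("users", USER_TRUST)):
        print(name, audit_trust_policy(doc) or "OK")
```

To check a real role, save the JSON from the Trust Relationships tab to a file and pass the result of json.load to audit_trust_policy.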