Configure IAM roles for event streaming
Learn how to configure IAM roles for event streaming from Reltio to an Amazon SQS queue or Amazon SNS topic.
Before you begin, you need the following:
- Reltio AWS Account ID
- Reltio AWS User ARNs
- External IDs
This topic explains how to configure AWS IAM role-based authentication for event streaming to an Amazon SQS queue or Amazon SNS topic.
- Create an SQS queue or SNS topic into which the Reltio client can stream data.
- For Amazon SQS
- In the AWS Console, go to Simple Queue Service (SQS).
- Create or select the destination queue.
- Make sure the queue supports these actions:
  - sqs:SendMessage
  - sqs:GetQueueUrl
  - sqs:GetQueueAttributes
- For Amazon SNS
- In the AWS Console, go to Simple Notification Service (SNS).
- Create or select the destination topic.
- Make sure the topic supports this action:
sns:Publish
- Create an IAM policy that defines the permissions required for streaming to your AWS destination.
SQS example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sqs:SendMessage",
        "sqs:GetQueueUrl",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:us-east-1:CUSTOMER-ACCOUNT-ID:queue-to-stream-into"
    }
  ]
}
SNS example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPublishToSnsTopic",
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": "arn:aws:sns:us-east-1:CUSTOMER-ACCOUNT-ID:topic-to-stream-into"
    }
  ]
}
- Configure a role in your AWS account to provide Reltio access to the SQS queue.
Important: Reltio does not support IAM Role ARNs that include a path component, for example, the service-role/ segment in role/service-role/ROLE_NAME. Use this format instead:
arn:aws:iam::AWS_ACCOUNT_ID:role/ROLE_NAME
If your Role ARN includes a path, Reltio will be unable to validate or assume the role, and the connection to the external queue will fail.
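As an added example (not Reltio's own code or tooling), the following Python builds the least-privilege permissions policy for one streaming destination and lints an existing policy against the actions listed above: the three SQS actions or the single SNS action, scoped to exactly one queue or topic ARN. The account ID, region and queue/topic names are constructed placeholders. IAM accepts only the policy-language versions 2012-10-17 and 2008-10-17, so the linter also reports any other Version value, which the console would otherwise reject on save.

```python
import json

# Actions each destination type needs, as listed on this page.
REQUIRED_ACTIONS = {
    "sqs": ("sqs:SendMessage", "sqs:GetQueueUrl", "sqs:GetQueueAttributes"),
    "sns": ("sns:Publish",),
}

# The only policy-language versions IAM accepts; anything else is rejected on save.
VALID_VERSIONS = {"2012-10-17", "2008-10-17"}


def build_streaming_policy(kind, region, account_id, name):
    """Build the least-privilege permissions policy for one SQS queue or SNS topic.

    kind is "sqs" or "sns"; region, account_id and name form the destination ARN.
    """
    if kind not in REQUIRED_ACTIONS:
        raise ValueError(f"unsupported destination type: {kind!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowReltioStreaming",
                "Effect": "Allow",
                "Action": list(REQUIRED_ACTIONS[kind]),
                "Resource": f"arn:aws:{kind}:{region}:{account_id}:{name}",
            }
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_streaming_policy(policy, kind):
    """Return a list of problems; an empty list means the policy grants exactly what streaming needs."""
    problems = []
    version = policy.get("Version")
    if version not in VALID_VERSIONS:
        problems.append(f"invalid Version {version!r}; use 2012-10-17")
    required = set(REQUIRED_ACTIONS[kind])
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        for action in actions:
            # Wildcards such as "*" or "sqs:*" and unrelated actions all fail this test.
            if action not in required:
                problems.append(f"action {action!r} is not needed for streaming")
        for resource in _as_list(stmt.get("Resource")):
            # The destination must be one specific queue or topic ARN, never a wildcard.
            if "*" in resource or not resource.startswith(f"arn:aws:{kind}:"):
                problems.append(f"resource {resource!r} is not a single {kind} ARN")
        granted.update(actions)
    missing = required - granted
    if missing:
        problems.append("missing actions: " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own account, region and queue name.
    policy = build_streaming_policy("sqs", "us-east-1", "123456789012", "queue-to-stream-into")
    print(json.dumps(policy, indent=2))
    print("problems:", lint_streaming_policy(policy, "sqs"))
```

Run it as a script to print a ready-to-paste policy, or feed an existing policy document (parsed with json.load) to lint_streaming_policy to confirm it is neither broader nor narrower than the streaming integration needs.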
Use one of the following approaches to configure the role:
- When creating a new role:
  - Choose Another AWS account, select Require external ID, and enter the previously acquired Account ID and External ID.
  - Open the created role, choose the Trust Relationships tab, and select Edit trust.
  - Replace arn:aws:iam::ReltioAccountID:root in the "Principal"."AWS" section with the Reltio API/Dataload AWS User ARNs provided by Reltio Support. For guidance on which users to add, see When editing an existing role.
- When editing an existing role: Choose the Trust Relationships tab and select Edit trust relationship. Update the Statement section to match the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789876:user/reltio.platform.dataload",
          "arn:aws:iam::123456789876:user/reltio.platform.api"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "{your-external-id}"
        }
      }
    }
  ]
}
Important: The ExternalId must be a UUID version 7 string. Older UUID formats, such as v1, may result in authentication failures. To generate a valid UUID v7, use GET https://platform-management.reltio.com/api/v1/tools/externalId.
- Attach the previously created IAM policy to this role.
- Use the role ARN when you configure the external queue for event streaming.
- Complete the external queue configuration.
Reltio supports both Amazon SQS and Amazon SNS for event streaming. If you want to configure SNS, clear the Use ARN checkbox and select the SNS option from the Type dropdown when configuring your external queue. For more information, see Add an external queue configuration.
Additional requirements for HIPAA environments
If your Reltio tenant is provisioned as a HIPAA environment, you must add an additional principal to your IAM role trust policy before Reltio can assume the role. Without this entry, streaming will fail.
Note: To determine whether your tenant uses a HIPAA environment, check the application URL. HIPAA environment URLs include h360, while non-HIPAA environment URLs do not. If the environment type is still unclear, contact Reltio Support.
If your tenant is provisioned as a HIPAA environment, complete the following steps to add the required Reltio HIPAA principal to the IAM role trust policy.
- In the AWS Console, open your IAM role.
- Select the Trust relationships tab.
- Select Edit trust policy.
- Add the following entry to the existing Statement array:
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::682505635934:user/reltio.platform.dev-h360"
  },
  "Action": "sts:AssumeRole"
}
- Save the policy.
The following example shows a complete trust policy for a HIPAA environment, including the standard Reltio principals and the HIPAA principal:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789876:user/reltio.platform.dataload",
          "arn:aws:iam::123456789876:user/reltio.platform.api"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "{your-external-id}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::682505635934:user/reltio.platform.dev-h360"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
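As an added example (not Reltio's own code), the following Python checks a role configuration against the requirements on this page before you save it: the role ARN has no path component, the two Reltio user ARNs are trusted for sts:AssumeRole with an sts:ExternalId condition, the ExternalId is a UUID version 7, no account-root principal is left over from the console's default trust policy, and the h360 principal is present when the tenant is a HIPAA environment (detected from the application URL, as the note above describes). The Reltio ARNs are copied from the examples above; the UUID values, the application URLs and the make_trust_policy helper that assembles a sample policy are constructed for this example.

```python
import json
import re
import uuid

# Reltio principals exactly as they appear in the trust-policy examples on this page.
RELTIO_PRINCIPALS = (
    "arn:aws:iam::123456789876:user/reltio.platform.dataload",
    "arn:aws:iam::123456789876:user/reltio.platform.api",
)
# Extra principal the page requires for HIPAA (h360) environments.
RELTIO_HIPAA_PRINCIPAL = "arn:aws:iam::682505635934:user/reltio.platform.dev-h360"

# A supported role ARN has "role/" followed directly by the role name: no path segment.
ROLE_ARN_NO_PATH = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@-]+")


def role_arn_is_supported(arn):
    """True for arn:aws:iam::ACCOUNT:role/NAME; False when a path such as service-role/ is present."""
    return ROLE_ARN_NO_PATH.fullmatch(arn) is not None


def is_uuid_v7(value):
    """True only for an RFC 4122 UUID whose version nibble is 7."""
    try:
        parsed = uuid.UUID(str(value))
    except ValueError:
        return False
    return parsed.variant == uuid.RFC_4122 and parsed.version == 7


def is_hipaa_environment(app_url):
    """Per the note above, HIPAA environment URLs contain 'h360'."""
    return "h360" in app_url.lower()


def make_trust_policy(external_id, include_hipaa):
    """Construct a trust policy in the shape shown on this page (sample builder, constructed)."""
    statements = [{
        "Effect": "Allow",
        "Principal": {"AWS": list(RELTIO_PRINCIPALS)},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]
    if include_hipaa:
        statements.append({
            "Effect": "Allow",
            "Principal": {"AWS": RELTIO_HIPAA_PRINCIPAL},
            "Action": "sts:AssumeRole",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def check_trust_policy(policy, hipaa):
    """Return findings as strings; an empty list means the policy matches this page's requirements."""
    findings = []
    # Map each AWS principal allowed to call sts:AssumeRole to the statement granting it.
    by_principal = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else None
        for arn in _as_list(aws):
            by_principal[arn] = stmt
    for arn in RELTIO_PRINCIPALS:
        stmt = by_principal.get(arn)
        if stmt is None:
            findings.append(f"missing Reltio principal {arn}")
            continue
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append(f"{arn}: no sts:ExternalId condition")
        elif not is_uuid_v7(ext_id):
            findings.append(f"{arn}: ExternalId {ext_id!r} is not a UUID v7")
    for arn in by_principal:
        if arn.endswith(":root"):
            findings.append(f"{arn}: account root still trusted; replace it with the Reltio user ARNs")
    if hipaa and RELTIO_HIPAA_PRINCIPAL not in by_principal:
        findings.append("HIPAA environment but the h360 principal is missing")
    return findings


if __name__ == "__main__":
    # Constructed sample values; use the ExternalId returned by Reltio's tools endpoint in practice.
    sample_ext_id = "018f6d4a-6c2b-7c3e-8a1d-0123456789ab"
    hipaa = is_hipaa_environment("https://tenant-h360.example.com")
    policy = make_trust_policy(sample_ext_id, include_hipaa=hipaa)
    print(json.dumps(policy, indent=2))
    print("findings:", check_trust_policy(policy, hipaa))
```

To check a policy exported from the console, load it with json.load and pass it to check_trust_policy together with the HIPAA flag; the placeholder "{your-external-id}" from the examples above is reported as not being a UUID v7, which is the reminder you want before the role goes live.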