This guide walks you through the steps for creating an IAM role for authenticating RudderStack while setting up the following destinations:

Cloud destinations

Warehouse destinations

The access keys-based authentication method is deprecated. Hence, setting up a RudderStack IAM role is strongly recommended.
This guide is only applicable for RudderStack Cloud. It is not applicable for open source or on-premise RudderStack deployments.

Creating a RudderStack IAM role

To set up a new RudderStack IAM role, follow these steps:

  1. Sign in to your AWS Management Console and open the IAM console.
  2. In the left navigation pane, click Roles followed by Create role.
  3. Under Trusted entity type, select AWS account.
  4. Select Another AWS account and under Account ID, enter 422074288268, the account ID associated with RudderStack.
  5. Under Options, check Require external ID and enter your workspace ID as the External ID.
RudderStack currently does not support the MFA setting that restricts the role to users who sign in using multi-factor authentication (MFA). Hence, do not check the Require MFA option.
  6. Review all the settings carefully and click Next to proceed.
  7. Select the destination-specific permission policies applicable for the RudderStack IAM role. To create a new policy from scratch, click Create policy. For more information, refer to the Creating IAM policies guide.
  8. Optional: You can also set a permissions boundary. Expand the Set permissions boundary section, choose Use a permissions boundary to control the maximum role permissions, and select the policy to use for the permissions boundary.
  9. Review all the settings carefully and click Next to proceed.
  10. Enter a unique name for your role. Note that role names are not distinguished by case. For example, you cannot create a role named RUDDERSTACK if rudderstack already exists.
You cannot edit the name of the role after it has been created.
  11. Optional: Enter the description for this role.
  12. To edit the use case or permissions for the role, click the Edit button next to Step 1: Select trusted entities or Step 2: Add permissions, respectively.
  13. Optional: You can also add metadata to the role by attaching tags as key-value pairs. For more information, refer to the Tagging IAM resources guide.
  14. Click Create role to complete the setup.
  15. Finally, note the ARN of this newly created role.

This ARN is required while configuring your AWS destination when you enable the Role-based Authentication setting.
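The console choices in the steps above end up as the role's trust policy, which can be reviewed as JSON. The following is an added example, not RudderStack's own code: it builds the trust policy that corresponds to those choices and audits an existing one against them. The function names and the placeholder workspace ID are assumptions, and the audit only recognizes an explicit sts:AssumeRole action and a StringEquals condition on sts:ExternalId.

```python
import json

RUDDERSTACK_ACCOUNT_ID = "422074288268"  # account ID given in this guide

def build_trust_policy(workspace_id):
    """Trust policy equivalent to the console choices in the steps above."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{RUDDERSTACK_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": workspace_id}},
    }
    return {"Version": "2012-10-17", "Statement": [statement]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    parts = principal.split(":")  # bare account ID, or IAM ARN (account is field 5)
    return parts[4] if len(parts) > 4 else principal

def audit_trust_policy(policy, workspace_id):
    """Return findings; an empty list means the policy matches the guide."""
    findings, trusted = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws:
            if _account_of(p) != RUDDERSTACK_ACCOUNT_ID:
                findings.append(f"unexpected principal: {p}")
        if not any(_account_of(p) == RUDDERSTACK_ACCOUNT_ID for p in aws):
            continue
        trusted = True
        cond = stmt.get("Condition", {})
        ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition")
        elif ext != workspace_id:
            findings.append("sts:ExternalId does not match the workspace ID")
        if any("aws:MultiFactorAuthPresent" in v for v in cond.values()):
            findings.append("MFA condition present (not supported by RudderStack)")
    if not trusted:
        findings.append("RudderStack account is not a trusted principal")
    return findings

if __name__ == "__main__":
    print(json.dumps(build_trust_policy("WORKSPACE_ID_PLACEHOLDER"), indent=2))  # constructed value
```

To audit a role that already exists, pass the trust policy JSON shown on the role's Trust relationships tab, parsed with json.loads, to audit_trust_policy together with your workspace ID.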

Destination-specific policy permissions

Refer to the following sections for the destination-specific policy permissions:

