Set up service roles for AWS Clean Rooms
Topics
Create an administrator user
To use AWS Clean Rooms, you need to create an administrator user for yourself and add the administrator user to an administrators group.
To create an administrator user, choose one of the following options.
| Choose one way to manage your administrator | To | By | You can also |
|---|---|---|---|
| In IAM Identity Center (Recommended) |
Use short-term credentials to access AWS. This aligns with the security best practices. For information about best practices, see Security best practices in IAM in the IAM User Guide. |
Following the instructions in Getting started in the AWS IAM Identity Center User Guide. | Configure programmatic access by Configuring the AWS CLI to use AWS IAM Identity Center in the AWS Command Line Interface User Guide. |
| In IAM (Not recommended) |
Use long-term credentials to access AWS. | Following the instructions in Create an IAM user for emergency access in the IAM User Guide. | Configure programmatic access by Manage access keys for IAM users in the IAM User Guide. |
Create an IAM role for a collaboration member
A member is an AWS customer who is a participant in a collaboration.
To create an IAM role for a collaboration member
-
Follow the Creating a role to delegate permissions to an IAM user procedure in the AWS Identity and Access Management User Guide.
-
For the Create policy step, select the JSON tab in the Policy editor, and then add policies depending on the abilities granted to the collaboration member.
AWS Clean Rooms offers the following managed policies based on common use cases:
If you want to ... Then use ... View the resources and metadata AWS managed policy: AWSCleanRoomsReadOnlyAccess Query AWS managed policy: AWSCleanRoomsFullAccess Query and receive results AWS managed policy: AWSCleanRoomsFullAccess Manage collaboration resources but do not query AWS managed policy: AWSCleanRoomsFullAccessNoQuerying For information about the different managed policies offered by AWS Clean Rooms, see AWS managed policies for AWS Clean Rooms
Create a service role to read data
AWS Clean Rooms uses a service role to read the data.
There are two ways to create this service role:
| If ... | Then |
|---|---|
| You have the necessary IAM permissions to create a service role | Use the AWS Clean Rooms console to create a service role. |
|
You don't have or You want to create the IAM roles manually |
Do one of the following:
|
To create a service role to read data
Note
You or your IAM administrator should only follow this procedure if you don't have the necessary permissions to create a service role using the AWS Clean Rooms console.
-
Follow the Creating a role using custom trust policies (console) procedure in the AWS Identity and Access Management User Guide.
-
Use the following custom trust policy according to the Creating a role using custom trust policies (console) procedure.
Note
If you want to ensure that the role can only be used in the context of a certain collaboration membership, you can scope down the trust policy further. For more information, see Cross-service confused deputy prevention.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "RoleTrustPolicyForCleanRoomsService", "Effect": "Allow", "Principal": { "Service": "cleanrooms.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } -
Use the following permissions policy according to the Creating a role using custom trust policies (console) procedure.
Note
The following example policy supports the permissions needed to read AWS Glue metadata and its corresponding Amazon S3 data. However, you might need to modify this policy depending on how you've set up your S3 data. For instance, if you have set up a custom KMS key for your S3 data, you may need to amend this policy with additional AWS KMS permissions.
Your AWS Glue resources and underlying Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "NecessaryGluePermissions", "Effect": "Allow", "Action": [ "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:BatchGetPartition" ], "Resource": [ "arn:aws:glue:aws-region:accountId:database/database", "arn:aws:glue:aws-region:accountId:table/table", "arn:aws:glue:aws-region:accountId:catalog" ] }, { "Effect": "Allow", "Action": [ "glue:GetSchema", "glue:GetSchemaVersion" ], "Resource": [ "*" ] }, { "Sid": "NecessaryS3BucketPermissions", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::bucket" ], "Condition":{ "StringEquals":{ "s3:ResourceAccount":[ "s3BucketOwnerAccountId" ] } } }, { "Sid": "NecessaryS3ObjectPermissions", "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3::bucket/prefix/*" ], "Condition":{ "StringEquals":{ "s3:ResourceAccount":[ "s3BucketOwnerAccountId" ] } } } ] } -
Replace each
placeholderwith your own information. -
Continue to follow the Creating a role using custom trust policies (console) procedure to create the role.
Create a service role to receive results
Note
If you are the member who can only receive results (in the console, Your member abilities is only Receive results), follow this procedure.
If you are a member who can both query and receive results (in the console, Your member abilities is both Query and Receive results), you can skip this procedure.
For collaboration members who can only receive results, AWS Clean Rooms uses a service role to write results of the queried data in the collaboration to the specified Amazon S3 bucket.
There are two ways to create this service role:
| If ... | Then |
|---|---|
| You have the necessary IAM permissions to create a service role | Use the AWS Clean Rooms console to create a service role. |
|
You don't have or You want to create the IAM roles manually |
Do one of the following:
|
To create a service role to receive results
Note
You or your IAM administrator should only follow this procedure if you don't have the necessary permissions to create a service role using the AWS Clean Rooms console.
-
Follow the Creating a role using custom trust policies (console) procedure in the AWS Identity and Access Management User Guide.
-
Use the following custom trust policy according to the Creating a role using custom trust policies (console) procedure.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowIfExternalIdMatches", "Effect": "Allow", "Principal": { "Service": "cleanrooms.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "ArnLike": { "sts:ExternalId": "arn:aws:*:region:*:dbuser:*/a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa*" } } }, { "Sid": "AllowIfSourceArnMatches", "Effect": "Allow", "Principal": { "Service": "cleanrooms.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "ForAnyValue:ArnEquals": { "aws:SourceArn": [ "arn:aws:cleanrooms:us-east-1:555555555555:membership/a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa" ] } } } ] } -
Use the following permissions policy according to the Creating a role using custom trust policies (console) procedure.
Note
The following example policy supports the permissions needed to read AWS Glue metadata and its corresponding Amazon S3 data. However, you might need to modify this policy depending on how you've set up your S3 data.
Your AWS Glue resources and underlying Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::bucket_name" ], "Condition": { "StringEquals": { "aws:ResourceAccount":"accountId" } } }, { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::bucket_name/optional_key_prefix/*" ], "Condition": { "StringEquals": { "aws:ResourceAccount":"accountId" } } } ] } -
Replace each
placeholderwith your own information:-
region– The name of the AWS Region. For example,us-east-1. -
a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa– The Membership ID of the member who can query. The Membership ID can be found on the Details tab of the collaboration. This ensures that AWS Clean Rooms is assuming the role only when this member runs the analysis in this collaboration. -
arn:aws:cleanrooms:us-east-1:555555555555:membership/a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa– The single Membership ARN of the member who can query. The Membership ARN can be found on the Details tab of the collaboration. This ensures AWS Clean Rooms is assuming the role only when this member runs the analysis in this collaboration. -
bucket_name– The Amazon Resource Name (ARN) of the S3 bucket. The Amazon Resource Name (ARN) can be found on the Properties tab of the bucket in Amazon S3. -
accountId– The AWS account ID in which the S3 bucket is located.bucket_name/optional_key_prefix– The Amazon Resource Name (ARN) of the results destination in S3. The Amazon Resource Name (ARN) can be found on the Properties tab of the bucket in Amazon S3.
-
-
Continue to follow the Creating a role using custom trust policies (console) procedure to create the role.
