Journal export permissions in QLDB - Amazon Quantum Ledger Database (Amazon QLDB)

Journal export permissions in QLDB

Before submitting a journal export request in Amazon QLDB, you must provide QLDB with write permissions in your specified Amazon Simple Storage Service (Amazon S3) bucket. If you choose a customer managed AWS KMS key as the object encryption type for your Amazon S3 bucket, you must also provide QLDB with permissions to use your specified symmetric encryption key. Amazon S3 doesn't support asymmetric KMS keys.

To provide your export job with the necessary permissions, you can make QLDB assume an IAM service role with the appropriate permissions policies. A service role is an IAM role that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.


To pass a role to QLDB when requesting a journal export, you must have permissions to perform the iam:PassRole action on the IAM role resource. This is in addition to the qldb:ExportJournalToS3 permission on the QLDB ledger resource.

To learn how to control access to QLDB using IAM, see How Amazon QLDB works with IAM. For a QLDB policy example, see Identity-based policy examples for Amazon QLDB.

In this example, you create a role that allows QLDB to write objects into an Amazon S3 bucket on your behalf. For more information, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.

If you're exporting a QLDB journal in your AWS account for the first time, you must first create an IAM role with the appropriate policies by doing the following. Or, you can use the QLDB console to automatically create the role for you. Otherwise, you can choose a role that you previously created.

Create a permissions policy

Complete the following steps to create a permissions policy for a QLDB journal export job. This example shows an Amazon S3 bucket policy that grants QLDB permissions to write objects into your specified bucket. If applicable, the example also shows a key policy that allows QLDB to use your symmetric encryption KMS key.

For more information about Amazon S3 bucket policies, see Using bucket policies and user policies in the Amazon Simple Storage Service User Guide. To learn more about AWS KMS key policies, see Using key policies in AWS KMS in the AWS Key Management Service Developer Guide.


Your Amazon S3 bucket and KMS key must both be in the same AWS Region as your QLDB ledger.

To use the JSON policy editor to create a policy

  1. Sign in to the AWS Management Console and open the IAM console at

  2. In the navigation column on the left, choose Policies.

    If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.

  3. At the top of the page, choose Create policy.

  4. Choose the JSON tab.

  5. Enter a JSON policy document.

    • If you're using a customer managed KMS key for Amazon S3 object encryption, use the following example policy document. To use this policy, replace DOC-EXAMPLE-BUCKET, us-east-1, 123456789012, and 1234abcd-12ab-34cd-56ef-1234567890ab in the example with your own information.

      { "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBJournalExportS3Permission", "Action": [ "s3:PutObjectAcl", "s3:PutObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" }, { "Sid": "QLDBJournalExportKMSPermission", "Action": [ "kms:GenerateDataKey" ], "Effect": "Allow", "Resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ] }
    • For other encryption types, use the following example policy document. To use this policy, replace DOC-EXAMPLE-BUCKET in the example with your own Amazon S3 bucket name.

      { "Version": "2012-10-17", "Statement": [ { "Sid": "QLDBJournalExportS3Permission", "Action": [ "s3:PutObjectAcl", "s3:PutObject" ], "Effect": "Allow", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" } ] }
  6. Choose Review policy.


    You can switch between the Visual editor and JSON tabs any time. However, if you make changes or choose Review policy in the Visual editor tab, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring in the IAM User Guide.

  7. On the Review policy page, enter a Name and an optional Description for the policy that you are creating. Review the policy Summary to see the permissions that are granted by your policy. Then choose Create policy to save your work.

Create an IAM role

After creating a permissions policy for your QLDB journal export job, you can then create an IAM role and attach your policy to it.

To create the service role for QLDB (IAM console)

  1. Sign in to the AWS Management Console and open the IAM console at

  2. In the navigation pane of the IAM console, choose Roles, and then choose Create role.

  3. Choose the AWS service role type, and then choose QLDB.

  4. Choose the QLDB use case. Then, choose Next.

  5. Select the box next to the policy that you created in the previous steps.

  6. (Optional) Set a permissions boundary. This is an advanced feature that is available for service roles, but not service-linked roles.

    Expand the Permissions boundary section and choose Use a permissions boundary to control the maximum role permissions. IAM includes a list of the AWS managed and customer managed policies in your account. Select the policy to use for the permissions boundary or choose Create policy to open a new browser tab and create a new policy from scratch. For more information, see Creating IAM policies in the IAM User Guide. After you create the policy, close that tab and return to your original tab to select the policy to use for the permissions boundary.

  7. Choose Next.

  8. If possible, enter a role name or role name suffix to help you identify the purpose of this role. Role names must be unique within your AWS account. They are not distinguished by case. For example, you cannot create roles named both PRODROLE and prodrole. Because various entities might reference the role, you cannot edit the name of the role after it has been created.

  9. (Optional) For Description, enter a description for the new role.

  10. Choose Edit in the Step 1: Select trusted entities or Step 2: Select permissions sections to edit the use cases and permissions for the role.

  11. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM resources in the IAM User Guide.

  12. Review the role and then choose Create role.

The following JSON document is an example of a trust policy that allows QLDB to assume an IAM role with specific permissions attached to it.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "" }, "Action": [ "sts:AssumeRole" ], "Condition": { "ArnEquals": { "aws:SourceArn": "arn:aws:qldb:us-east-1:123456789012:*" }, "StringEquals": { "aws:SourceAccount": "123456789012" } } } ] }

This trust policy example shows how you can use the aws:SourceArn and aws:SourceAccount global condition context keys to prevent the confused deputy problem. With this trust policy, QLDB can assume the role for any QLDB resource in the account 123456789012 only.

For more information, see Cross-service confused deputy prevention.

After creating your IAM role, return to the QLDB console and refresh the Create export job page so that it can find your new role.