Skip to content

IAM Role Credentials

AWS credentials are needed by TruEra when accessing AWS resources on your behalf. One option is to provide access keys to your IAM user, but this approach is not recommended. Instead, we recommend using IAM roles to manage TruEra's access to your AWS resources. Visit the AWS documentation to read more about delegating access across AWS accounts using IAM roles.

Using IAM Roles in TruEra

To get started using IAM Roles in TruEra, we first need to create a credential in the system. 

>>> ingestion_client = tru.get_ingestion_client()
>>> credential = ingestion_client.add_credential(
...     name="iam_role_credential",
...     secret=None,
...     identity=None,
...     is_aws_iam_role=True
... )
INFO:truera.client.remote_truera_workspace:Principal AWS Account for trust policy: 123456789012.
>>> credential.id
'cc503ab0-ffa2-4fdc-bcd2-1afe62d749a7'

We need to note the Principal AWS Account (123456789012) as well as the credential id (cc503ab0-ffa2-4fdc-bcd2-1afe62d749a7), as these will be used in the trust policy of the IAM role. The credential id will be provided as the external id by TruEra when assuming the role in AWS, so it is recommended that you limit access based on external id.

Here is what an example trust policy would look like. 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "123456789012"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "cc503ab0-ffa2-4fdc-bcd2-1afe62d749a7"
        }
      }
    }
  ]
}

Assuming an IAM role has been created with the appropriate permissions and the trust policy above, we can now update the credential. Note the role's ARN, which will look like arn:aws:iam::123456789012:role/ExampleRole. We will need to update our credential's secret to be this ARN.

>>> credential = ingestion_client.update_credential(
...     name="iam_role_credential",
...     secret="arn:aws:iam::123456789012:role/ExampleRole",
...     identity=None
... )

Now that our credential is updated, we are ready to use it!

>>> ingestion_client.add_data_source(
...     "s3_data_source",
...     uri="s3://bucket/path/to/data.csv",
...     credential=credential
... )

Click Next below to continue.