Creating IAM Roles

Prerequisites

  1. Permission to create IAM roles and policies in AWS
  2. The desired AWS permission policy (in JSON format)

To allow Monte Carlo to securely access AWS resources on your account, you will create one or more IAM roles. These IAM roles will:

  • Allow narrow access to the precise resources and API calls you wish to grant to Monte Carlo.
  • Allow Monte Carlo's data collector to assume them while making API calls to access your resources.

You may create IAM roles for Monte Carlo by either using the CLI, or by manually going through the wizards in the AWS console.

Creating IAM roles using the CLI (recommended)

You may use the CLI to quickly create an IAM role with the desired policy.

To create the role using the CLI

  1. Please follow this guide to install and configure the CLI.
  2. Run montecarlo integrations create-role to create the role.

Creating IAM roles using the AWS console

This guide outlines instructions to:

  1. Create a role that Monte Carlo's data collector can assume
  2. Use an external ID to better secure the role [optional]
  3. Limit which principals are able to assume the role [optional]

Creating a role for Monte Carlo's data collector

  1. Go to IAM on your AWS console and navigate to Roles. Click Create Role.
  2. Select “Another AWS account” and specify the Account ID where Monte Carlo’s data collector stack is deployed. If the data collector is managed by Monte Carlo, please reach out to Monte Carlo for the Account ID.
  3. Click Create Policy. This should open a new tab or window.
  4. Select the JSON tab and paste the JSON policy required for the integration you are setting up.

What policy should I use?

The specific policy depends on the integration you are setting up; suggested policy JSONs are provided in the individual data lake integration guides.

  5. Click Review Policy, provide a meaningful name and description, and click Create Policy.
  6. In the Create Role wizard from step 3, refresh the list of policies and search for the policy you created in step 5. Review it, tick the checkbox next to it, and click Next: Tags.
  7. Add a tag with the key “MonteCarloData” and click Next: Review. Please do not skip this step, as the tag is required for authentication.
  8. Give the role a meaningful name and description and click Create Role. It is important to keep track of this name.
  9. Search for the role created in step 8 and click it when found. Its ARN has the following format:

     arn:aws:iam::<ACCOUNT>:role/<NAME>

Save this ARN as it should be specified as part of the onboarding process.

Securing the role with an external ID

The following steps are optional, but are recommended if you want to limit the role by an external ID. See here for more details on an External ID.

  1. Go to IAM on your AWS console, navigate to Roles and search for the role created in step 8 of "Creating a role for Monte Carlo's data collector". Click it when found.
  2. Click Trust Relationships and then Edit Trust Relationship.
  3. Replace the existing Condition section with the following (specify any ID of your choosing):

     "Condition": {
       "StringEquals": {
         "sts:ExternalId": "ID"
       }
     }

Save this ID as it should be specified as part of the onboarding process.

Limiting principals that can access the role

The following steps are optional, but are recommended if you want to limit the role to the Data Collector's lambdas.

  1. Go to CloudFormation on your AWS console and click Monte Carlo’s data collector stack (typically named “monte-carlo”).
  2. Go into Resources and search for the term “LambdaExecutionRole”. There should be two entries. Click on each Physical ID and save the role ARNs. If the data collector is managed by Monte Carlo, please reach out to Monte Carlo for the ARNs.

What if I see three resources?

If you enabled a hive/glue integration you might see three resources. Save all three ARNs in this case. These will be used in step 5.

  3. Go to IAM on your AWS console, navigate to Roles and search for the role created in step 8 of "Creating a role for Monte Carlo's data collector". Click it when found.
  4. Click Trust Relationships and then Edit Trust Relationship.
  5. Replace the existing trust relationship with the following (use the ARNs from step 2 of this section) and click Update Trust Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "<REPLACE WITH ROLE ARN FROM FIRST ENTRY>",
          "<REPLACE WITH ROLE ARN FROM SECOND ENTRY>"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
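The two optional hardening steps above (the sts:ExternalId condition and the restricted principal list) are independent edits to the same trust policy, and the combined document is easy to get wrong by hand. The following is an added example, not code from Monte Carlo or its CLI: it builds a trust policy that applies both steps at once and audits an existing trust policy document (as pasted from the console) for an overly broad principal or a missing external ID. The account ID, role ARNs and external ID are constructed placeholders.

```python
import json

# Constructed placeholders; replace with the ARNs saved from the
# CloudFormation stack and the external ID chosen during onboarding.
COLLECTOR_ROLE_ARNS = [
    "arn:aws:iam::123456789012:role/monte-carlo-LambdaExecutionRole-AAAA",
    "arn:aws:iam::123456789012:role/monte-carlo-LambdaExecutionRole-BBBB",
]
EXTERNAL_ID = "example-external-id"


def build_trust_policy(principal_arns, external_id=None):
    """Return a trust policy that lets only `principal_arns` assume the
    role, optionally gated on the sts:ExternalId condition."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": list(principal_arns)},
        "Action": "sts:AssumeRole",
        "Condition": {},
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def audit_trust_policy(policy):
    """Return human-readable findings for every Allow statement granting
    sts:AssumeRole that skips one of the hardening steps on this page."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue

        principal = st.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else principal.get("AWS", [])
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            # A bare account ID or the account's :root ARN lets any principal
            # in that account assume the role, not just the collector's Lambdas.
            if p == "*" or p.endswith(":root") or p.isdigit():
                findings.append(
                    f"statement {i}: principal {p!r} is account-wide; "
                    "restrict it to the LambdaExecutionRole ARNs"
                )

        condition = st.get("Condition") or {}
        if not condition.get("StringEquals", {}).get("sts:ExternalId"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


# The policy the console produces after step 2 of the role wizard
# (account-level principal, empty condition), as a constructed sample.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "sts:AssumeRole",
    "Condition": {}
  }]
}""")

HARDENED_POLICY = build_trust_policy(COLLECTOR_ROLE_ARNS, EXTERNAL_ID)

if __name__ == "__main__":
    print(json.dumps(HARDENED_POLICY, indent=2))
    for finding in audit_trust_policy(WEAK_POLICY):
        print("weak policy:", finding)
```

Run the audit against the JSON shown in the Edit Trust Relationship editor before clicking Update Trust Policy; the weak sample produces two findings (account-wide principal, missing external ID) and the combined policy produces none.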
