Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Creating a collaboration for queries

PDF
RSS
Focus mode
Creating a collaboration for queries - AWS Clean Rooms

In this procedure, you as the collaboration creator perform the following tasks:

Before you begin, make sure that you have completed the following prerequisites:

  • You've determined the type of analytics engine you want to use.

  • You have the name and AWS account ID for each member that you want to invite to the collaboration.

  • You have permission to share the name and AWS account ID for each member with all members of the collaboration.

    Note

    You can’t add more members after you create the collaboration.

For information about how to create a collaboration using the AWS SDKs, see the AWS Clean Rooms API Reference.

To create a collaboration for queries

  1. Sign in to the AWS Management Console and open the AWS Clean Rooms console with the AWS account that will function as the collaboration creator.

  2. In the left navigation pane, choose Collaborations.

  3. In the upper right corner, choose Create collaboration.

  4. For Step 1: Define collaboration, do the following:

    1. For Details, enter the Name and Description of the collaboration.

      This information will be visible to collaboration members who are invited to participate in the collaboration. The Name and Description helps them understand what the collaboration is in reference to.

    2. Choose the Analytics engine you want to use.

      For more information, see Selecting an analytics engine type in AWS Clean Rooms.

      Note

      If you want to change the analytic engine after the collaboration is created, you must either re-create the collaboration or submit a support ticket.

    3. For Members:

      1. For Member 1: You, enter your Member display name as you want it to appear for the collaboration.

        Note

        Your AWS account ID is included automatically for Member AWS account ID.

      2. For Member 2, enter the Member display name and Member AWS account ID for the member that you want to invite to the collaboration.

        The Member display name and Member AWS account ID will be visible to everyone invited to the collaboration. After you enter and save the values for these fields, you can't edit them.

        Note

        You must inform the collaboration member that their Member AWS account ID and Member display name will be visible to all invited and active collaborators in the collaboration.

      3. If you want to add another member, choose Add another member. Then enter the Member display name and Member AWS account ID for each member who can contribute data that you want to invite to the collaboration.

    4. If you want to enable Analysis logging, select the Enable analysis logging checkbox.

      1. Choose the Logs from queries checkbox under the Supported log types.

        You will receive logs generated from SQL queries in your Amazon CloudWatch Logs account.

    5. (Optional) If you want to enable the Cryptographic computing capability, select the Enable cryptographic computing checkbox.

      1. Choose the following Cryptographic coverage parameters:

        • Allow plaintext columns

          Choose No if you require fully encrypted tables.

          Choose Yes if you want cleartext columns allowed in the encrypted table.

          To run SUM or AVG on certain columns, the columns must be in cleartext.

        • Preserve NULL values

          Choose No if you don't want to preserve NULL values. NULL values won't appear as NULL in an encrypted table.

          Choose Yes if you want to preserve NULL values. NULL values will appear as NULL in an encrypted table.

      2. Choose the following Fingerprinting parameters:

        • Allow duplicates

          Choose No if you don't want duplicate entries allowed in a fingerprint column.

          Choose Yes if you want duplicate entries allowed in a fingerprint column.

        • Allow JOIN of columns with different names

          Choose No if you don't want to join fingerprint columns with different names.

          Choose Yes if you want to join fingerprint columns with different names.

      For more information about Cryptographic computing parameters, see Cryptographic computing parameters.

      For more information about how to encrypt your data for use in AWS Clean Rooms, see Preparing encrypted data tables with Cryptographic Computing for Clean Rooms.

      Note

      Verify these configurations carefully before completing the next step. After you create the collaboration, you can only edit the collaboration name, description, and whether the logs are stored in Amazon CloudWatch Logs.

    6. If you want to enable Tags for the collaboration resource, choose Add new tag and then enter the Key and Value pair.

    7. Choose Next.

  5. For Step 2: Specify member abilities, for Analysis using queries and jobs, under the Supported analysis types leave the Queries checkbox selected and take the recommended action, based on your goal.

    Your goal Recommended action
    Query the data in the collaboration and receive the results

    1. Choose yourself as the member who can Run queries.

    2. Choose yourself as member who can Receive results from analyses from the dropdown list.
    Query the data in the collaboration and assign a different member to receive results

    1. Choose yourself as the member who can Run queries.

    2. Select the member who can Receive results from analyses from the dropdown list.
    Receive the results of the query in the collaboration and assign a different member to query the data

    1. Select the member who can Run queries from the dropdown list.

    2. Choose yourself as member who can Receive results from analyses from the dropdown list.
    Create and manage the collaboration, assign a different member to query the data, and assign a different member to receive results

    1. Select the member who can Run queries from the dropdown list.

    2. Select the member who can Receive results from analyses from the dropdown list.

    1. If you are using Clean Rooms ML, for ML modeling using purpose-built workflows,

      1. (Optional) Select the member who can Receive output from trained models from the dropdown list.

      2. (Optional) Select the member who can Receive output from model inference from the dropdown list.

    2. View the member abilities under ID resolution using AWS Entity Resolution.

    3. Choose Next.

  6. For Step 3: Configure payment, for Analysis using queries, take one of the following actions based on your goal.

    Your goal Recommended action
    Assign the member who can Run queries to be the member who pays for the query compute costs

    1. For Analysis using queries, choose the member who will Pay for queries to be the same as the member who can Run queries.

    2. Choose Next.
    Assign a different member to pay for the query compute costs

    1. For Analysis using queries, choose yourself as the member who will Pay for queries.

    2. Choose Next.

    For ML modeling using purpose-built workflows, the Creator of the configured lookalike model is the member who will Pay for lookalike modeling.

    For ID resolution with AWS Entity Resolution, the Creator of the ID mapping table is the member who will Pay for ID mapping table.

  7. For Step 4: Configure membership, choose one of the following options:

    Yes, join by creating membership now

    1. For Results settings defaults, for Query results settings, if you are the member who can Receive results,

      1. For the Results destination in Amazon S3, enter the Amazon S3 destination or choose Browse S3 to select an S3 bucket.

      2. For the query Result format, choose either CSV or PARQUET.

      3. (Spark only) For the Result files, choose either Multiple or Single.

      4. (Optional) For Service access, if you want to deliver queries that take up to 24 hours to your S3 destination, select the Add a service role to support queries that take up to 24 hours to complete check box.

        Large queries that take up to 24 hours to complete will be delivered to your S3 destination.

        If you don't select the check box, only queries that complete within 12 hours will be delivered to your S3 location.

      5. Specify the Service access permissions by selecting either Create and use a new service role or Use an existing service role.

        If you choose to ... Then ...
        Create and use a new service role

        • AWS Clean Rooms creates a service role with the required policy for this table.

        • The default Service role name is cleanrooms-result-receiver-<timestamp>

        • You must have permissions to create roles and attach policies.
        Use an existing service role

        1. Choose an Existing service role name from the dropdown list.

          The list of roles are displayed if you have permissions to list roles.

          If you don't have permissions to list roles, you can enter the Amazon Resource Name (ARN) of the role that you want to use.

        2. View the service role by choosing the View in IAM external link.

          If there are no existing service roles, the option to Use an existing service role is unavailable.

          By default, AWS Clean Rooms doesn't attempt to update the existing role policy to add necessary permissions.

        Note

        • AWS Clean Rooms requires permissions to query according to the analysis rules. For more information about permissions for AWS Clean Rooms, see AWS managed policies for AWS Clean Rooms.

        • If the role doesn’t have sufficient permissions for AWS Clean Rooms, you receive an error message stating that the role doesn't have sufficient permissions for AWS Clean Rooms. The role policy must be added before proceeding.

        • If you can’t modify the role policy, you receive an error message stating that AWS Clean Rooms couldn't find the policy for the service role.

    2. For Logs settings, choose one of the following options for Log storage in Amazon CloudWatch Logs:

      Note

      The Logs settings section appears if you chose to enable Query logging.

      1. Choose Turn on and the query logs relevant to you will be stored in your Amazon CloudWatch Logs account.

        Each member can receive only logs for queries that they initiated or that contain their data.

        The member who can receive results also receives logs for all queries run in a collaboration, even if their data isn't accessed in a query.

        Under Supported log types, the Query logs checkbox is turned on by default.

        Note

        After you turn on Query logging, it can take a few minutes for log storage to be set up and start receiving logs in Amazon CloudWatch Logs. During this brief period, the member who can query might run queries that don’t actually send logs.

      2. Choose Turn off and the query logs relevant to you won't be stored in your Amazon CloudWatch Logs account.

    3. If you want to enable Tags for the membership resource, choose Add new tag and then enter the Key and Value pair.

    4. If you are the member who is paying for Query compute, indicate your acceptance by selecting the I agree to pay for the compute costs in this collaboration checkbox.

      Note

      You must select this checkbox to proceed.

      For more information about how pricing is calculated, see Pricing for AWS Clean Rooms.

      If you are the member paying for query compute costs but not the member who can query, it is recommended that you use AWS Budgets to configure a budget for AWS Clean Rooms and receive notifications once the maximum budget has been reached. For more information about setting up a budget, see Managing your costs with AWS Budgets in the AWS Cost Management User Guide. For more information about setting up notifications, see Creating an Amazon SNS topic for budget notifications in the AWS Cost Management User Guide. If the maximum budget has been reached, you can contact the member who can run queries or leave the collaboration. If you leave the collaboration, no more queries will be allowed to run, and therefore you will no longer be billed for query compute costs.

    5. Choose Next.

    Both the collaboration and your membership are created.

    Your status in the collaboration is active.

    No, I will create a membership later

    1. Choose Next.

      Only the collaboration is created.

      Your status in the collaboration is inactive.

    anchoranchor

    1. For Results settings defaults, for Query results settings, if you are the member who can Receive results,

      1. For the Results destination in Amazon S3, enter the Amazon S3 destination or choose Browse S3 to select an S3 bucket.

      2. For the query Result format, choose either CSV or PARQUET.

      3. (Spark only) For the Result files, choose either Multiple or Single.

      4. (Optional) For Service access, if you want to deliver queries that take up to 24 hours to your S3 destination, select the Add a service role to support queries that take up to 24 hours to complete check box.

        Large queries that take up to 24 hours to complete will be delivered to your S3 destination.

        If you don't select the check box, only queries that complete within 12 hours will be delivered to your S3 location.

      5. Specify the Service access permissions by selecting either Create and use a new service role or Use an existing service role.

        If you choose to ... Then ...
        Create and use a new service role

        • AWS Clean Rooms creates a service role with the required policy for this table.

        • The default Service role name is cleanrooms-result-receiver-<timestamp>

        • You must have permissions to create roles and attach policies.
        Use an existing service role

        1. Choose an Existing service role name from the dropdown list.

          The list of roles are displayed if you have permissions to list roles.

          If you don't have permissions to list roles, you can enter the Amazon Resource Name (ARN) of the role that you want to use.

        2. View the service role by choosing the View in IAM external link.

          If there are no existing service roles, the option to Use an existing service role is unavailable.

          By default, AWS Clean Rooms doesn't attempt to update the existing role policy to add necessary permissions.

        Note

        • AWS Clean Rooms requires permissions to query according to the analysis rules. For more information about permissions for AWS Clean Rooms, see AWS managed policies for AWS Clean Rooms.

        • If the role doesn’t have sufficient permissions for AWS Clean Rooms, you receive an error message stating that the role doesn't have sufficient permissions for AWS Clean Rooms. The role policy must be added before proceeding.

        • If you can’t modify the role policy, you receive an error message stating that AWS Clean Rooms couldn't find the policy for the service role.

    2. For Logs settings, choose one of the following options for Log storage in Amazon CloudWatch Logs:

      Note

      The Logs settings section appears if you chose to enable Query logging.

      1. Choose Turn on and the query logs relevant to you will be stored in your Amazon CloudWatch Logs account.

        Each member can receive only logs for queries that they initiated or that contain their data.

        The member who can receive results also receives logs for all queries run in a collaboration, even if their data isn't accessed in a query.

        Under Supported log types, the Query logs checkbox is turned on by default.

        Note

        After you turn on Query logging, it can take a few minutes for log storage to be set up and start receiving logs in Amazon CloudWatch Logs. During this brief period, the member who can query might run queries that don’t actually send logs.

      2. Choose Turn off and the query logs relevant to you won't be stored in your Amazon CloudWatch Logs account.

    3. If you want to enable Tags for the membership resource, choose Add new tag and then enter the Key and Value pair.

    4. If you are the member who is paying for Query compute, indicate your acceptance by selecting the I agree to pay for the compute costs in this collaboration checkbox.

      Note

      You must select this checkbox to proceed.

      For more information about how pricing is calculated, see Pricing for AWS Clean Rooms.

      If you are the member paying for query compute costs but not the member who can query, it is recommended that you use AWS Budgets to configure a budget for AWS Clean Rooms and receive notifications once the maximum budget has been reached. For more information about setting up a budget, see Managing your costs with AWS Budgets in the AWS Cost Management User Guide. For more information about setting up notifications, see Creating an Amazon SNS topic for budget notifications in the AWS Cost Management User Guide. If the maximum budget has been reached, you can contact the member who can run queries or leave the collaboration. If you leave the collaboration, no more queries will be allowed to run, and therefore you will no longer be billed for query compute costs.

    5. Choose Next.

    Both the collaboration and your membership are created.

    Your status in the collaboration is active.

  8. For Step 5: Review and create, do the following:

    1. Review the selections that you made for the previous steps and edit if necessary.

    2. Choose one of the options.

      If you have chosen to ... Then choose ...
      Create a membership with the collaboration (Yes, join by creating membership now) Create collaboration and membership
      Create the collaboration, and not to create a membership at this time (No, I will create a membership later) Create collaboration

After your collaboration has been created successfully, you can see the collaboration details page under Collaborations.

You are now ready to:

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.