Set up service roles for AWS Clean Rooms ML - AWS Clean Rooms

Set up service roles for AWS Clean Rooms ML

The roles needed to perform lookalike modeling differ from those needed to use a custom model. The following sections describe the roles needed to perform each task.

Set up service roles for lookalike modeling

Create a service role to read training data

AWS Clean Rooms uses a service role to read training data. You can create this role using the console if you have the necessary IAM permissions. If you don't have CreateRole permissions, ask your administrator to create the service role.

To create a service role to train a dataset
  1. Sign in to the IAM console (https://console.aws.amazon.com/iam/) with your administrator account.

  2. Under Access management, choose Policies.

  3. Choose Create policy.

  4. In the Policy editor, select the JSON tab, and then copy and paste the following policy.

    Note

    The following example policy supports the permissions needed to read AWS Glue metadata and its corresponding Amazon S3 data. However, you might need to modify this policy depending on how you've set up your S3 data. This policy doesn't include a KMS key to decrypt data.

    Your AWS Glue resources and underlying Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "glue:GetDatabase",
                    "glue:GetDatabases",
                    "glue:GetTable",
                    "glue:GetTables",
                    "glue:GetPartitions",
                    "glue:GetPartition",
                    "glue:BatchGetPartition",
                    "glue:GetUserDefinedFunctions"
                ],
                "Resource": [
                    "arn:aws:glue:region:accountId:database/databases",
                    "arn:aws:glue:region:accountId:table/databases/tables",
                    "arn:aws:glue:region:accountId:catalog",
                    "arn:aws:glue:region:accountId:database/default"
                ]
            },
            {
                "Effect": "Allow",
                "Action": ["glue:CreateDatabase"],
                "Resource": ["arn:aws:glue:region:accountId:database/default"]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": ["arn:aws:s3:::bucket"],
                "Condition": {
                    "StringEquals": {
                        "s3:ResourceAccount": ["accountId"]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": ["arn:aws:s3:::bucketFolders/*"],
                "Condition": {
                    "StringEquals": {
                        "s3:ResourceAccount": ["accountId"]
                    }
                }
            }
        ]
    }

    If you need to use a KMS key to decrypt data, add this AWS KMS statement as the last element of the Statement array in the previous template:

    {
        "Effect": "Allow",
        "Action": ["kms:Decrypt"],
        "Resource": ["arn:aws:kms:region:accountId:key/keyId"],
        "Condition": {
            "ArnLike": {
                "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucketFolders*"
            }
        }
    }

  5. Choose Next.

  6. For Review and create, enter a Policy name and Description, and review the Summary.

  7. Choose Create policy.

    You have created a policy for AWS Clean Rooms.

  8. Under Access management, choose Roles.

    With Roles, you can create short-term credentials, which is recommended for increased security. You can also choose Users to create long-term credentials.

  9. Choose Create role.

  10. In the Create role wizard, for Trusted entity type, choose Custom trust policy.

  11. Copy and paste the following custom trust policy into the JSON editor.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": "cleanrooms-ml.amazonaws.com"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEqualsIfExists": {
                        "aws:SourceAccount": ["accountId"]
                    },
                    "StringLikeIfExists": {
                        "aws:SourceArn": "arn:aws:cleanrooms-ml:region:account:training-dataset/*"
                    }
                }
            }
        ]
    }

    The SourceAccount is always your AWS account. The SourceArn can be limited to a specific training dataset, but only after that dataset is created. Because you don't yet know the training dataset ARN, the wildcard is specified here.

  12. Choose Next and under Add permissions, enter the name of the policy you just created. (You might need to reload the page.)

  13. Select the check box next to the name of the policy you created, and then choose Next.

  14. For Name, review, and create, enter the Role name and Description.

    Note

    The Role name must match the pattern in the passRole permissions granted to the member who can query and receive results and member roles.

    1. Review Select trusted entities, and edit if necessary.

    2. Review the permissions in Add permissions, and edit if necessary.

    3. Review the Tags, and add tags if necessary.

    4. Choose Create role.

You have created the service role for AWS Clean Rooms.
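As an added example (not from the AWS documentation), the following Python script checks policy documents of the kind pasted in steps 4 and 11 of this procedure and the later ones on this page: it rejects JSON with duplicate keys, confirms that a trust policy for cleanrooms-ml.amazonaws.com carries aws:SourceAccount and aws:SourceArn conditions, and flags S3 or KMS statements that lack the s3:ResourceAccount or kms:EncryptionContext condition. The sample policies, the account ID 111122223333 and the bucket names are constructed for the example.

```python
import json

# Service principal that the trust policies on this page grant sts:AssumeRole to.
CLEANROOMS_ML_PRINCIPAL = "cleanrooms-ml.amazonaws.com"


def _reject_duplicate_keys(pairs):
    """json.loads keeps only the last of two duplicate keys; reject the document instead."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r} in policy JSON")
        obj[key] = value
    return obj


def load_policy(text):
    """Parse a policy document, failing on duplicate keys such as two Resource elements."""
    return json.loads(text, object_pairs_hook=_reject_duplicate_keys)


def _as_list(value):
    """IAM accepts a string or a list in Action, Resource and Principal; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _condition_keys(statement):
    """Lower-cased condition keys used under any operator in the statement."""
    return {k.lower() for block in statement.get("Condition", {}).values() for k in block}


def check_trust_policy(doc):
    """Findings for a role trust policy meant for Clean Rooms ML. Without aws:SourceAccount
    and aws:SourceArn conditions the service could assume the role on behalf of another
    account's resources (the confused-deputy problem)."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if CLEANROOMS_ML_PRINCIPAL not in _as_list(st.get("Principal", {}).get("Service")):
            findings.append(f"statement {i}: principal is not {CLEANROOMS_ML_PRINCIPAL}")
        if "sts:AssumeRole" not in _as_list(st.get("Action")):
            findings.append(f"statement {i}: action is not sts:AssumeRole")
        keys = _condition_keys(st)
        for required in ("aws:sourceaccount", "aws:sourcearn"):
            if required not in keys:
                findings.append(f"statement {i}: missing {required} condition")
    return findings


def check_permissions_policy(doc):
    """Findings for a permissions policy: a statement with no Resource, S3 actions without
    the s3:ResourceAccount condition, KMS actions without an EncryptionContext condition."""
    findings = []
    for i, st in enumerate(doc.get("Statement", [])):
        actions = _as_list(st.get("Action"))
        keys = _condition_keys(st)
        if "Resource" not in st:
            findings.append(f"statement {i}: no Resource element")
        if any(a.startswith("s3:") for a in actions) and "s3:resourceaccount" not in keys:
            findings.append(f"statement {i}: S3 actions without s3:ResourceAccount condition")
        if any(a.startswith("kms:") for a in actions) and not any(
                k.startswith("kms:encryptioncontext:") for k in keys):
            findings.append(f"statement {i}: KMS actions without kms:EncryptionContext condition")
    return findings


# Constructed samples (account 111122223333 is a placeholder): the scoped trust policy from
# step 11, a bare trust policy with no conditions, and an S3 policy with one unscoped statement.
SCOPED_TRUST = load_policy('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Principal": {"Service": "cleanrooms-ml.amazonaws.com"}, "Action": "sts:AssumeRole", '
    '"Condition": {"StringEqualsIfExists": {"aws:SourceAccount": ["111122223333"]}, "StringLikeIfExists": '
    '{"aws:SourceArn": "arn:aws:cleanrooms-ml:us-east-1:111122223333:training-dataset/*"}}}]}')
BARE_TRUST = load_policy('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
    '"Principal": {"Service": "cleanrooms-ml.amazonaws.com"}, "Action": "sts:AssumeRole"}]}')
S3_POLICY = load_policy('{"Version": "2012-10-17", "Statement": ['
    '{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::example-bucket/folder/*"], '
    '"Condition": {"StringEquals": {"s3:ResourceAccount": ["111122223333"]}}}, '
    '{"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::example-bucket"]}]}')
```

Running check_trust_policy(BARE_TRUST) reports the two missing conditions, while SCOPED_TRUST passes; check_permissions_policy(S3_POLICY) flags only the ListBucket statement.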

Create a service role to write a lookalike segment

AWS Clean Rooms uses a service role to write lookalike segments to a bucket. You can create this role using the console if you have the necessary IAM permissions. If you don't have CreateRole permissions, ask your administrator to create the service role.

To create a service role to write a lookalike segment
  1. Sign in to the IAM console (https://console.aws.amazon.com/iam/) with your administrator account.

  2. Under Access management, choose Policies.

  3. Choose Create policy.

  4. In the Policy editor, select the JSON tab, and then copy and paste the following policy.

    Note

    The following example policy supports the permissions needed to read AWS Glue metadata and its corresponding Amazon S3 data. However, you might need to modify this policy depending on how you've set up your Amazon S3 data. This policy doesn't include a KMS key to decrypt data.

    Your AWS Glue resources and underlying Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": ["arn:aws:s3:::buckets"],
                "Condition": {
                    "StringEquals": {
                        "s3:ResourceAccount": ["accountId"]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": ["s3:PutObject"],
                "Resource": ["arn:aws:s3:::bucketFolders/*"],
                "Condition": {
                    "StringEquals": {
                        "s3:ResourceAccount": ["accountId"]
                    }
                }
            }
        ]
    }

    If you need to use a KMS key to encrypt data, add this AWS KMS statement as the last element of the Statement array in the template:

    {
        "Effect": "Allow",
        "Action": [
            "kms:Encrypt",
            "kms:GenerateDataKey*",
            "kms:ReEncrypt*"
        ],
        "Resource": ["arn:aws:kms:region:accountId:key/keyId"],
        "Condition": {
            "ArnLike": {
                "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucketFolders*"
            }
        }
    }

  5. Choose Next.

  6. For Review and create, enter a Policy name and Description, and review the Summary.

  7. Choose Create policy.

    You have created a policy for AWS Clean Rooms.

  8. Under Access management, choose Roles.

    With Roles, you can create short-term credentials, which is recommended for increased security. You can also choose Users to create long-term credentials.

  9. Choose Create role.

  10. In the Create role wizard, for Trusted entity type, choose Custom trust policy.

  11. Copy and paste the following custom trust policy into the JSON editor.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": "cleanrooms-ml.amazonaws.com"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEqualsIfExists": {
                        "aws:SourceAccount": ["accountId"]
                    },
                    "StringLikeIfExists": {
                        "aws:SourceArn": "arn:aws:cleanrooms-ml:region:account:configured-audience-model/*"
                    }
                }
            }
        ]
    }

    The SourceAccount is always your AWS account. The SourceArn can be limited to a specific training dataset, but only after that dataset is created. Because you don't yet know the training dataset ARN, the wildcard is specified here.

  12. Choose Next.

  13. Select the check box next to the name of the policy you created, and then choose Next.

  14. For Name, review, and create, enter the Role name and Description.

    Note

    The Role name must match the pattern in the passRole permissions granted to the member who can query and receive results and member roles.

    1. Review Select trusted entities, and edit if necessary.

    2. Review the permissions in Add permissions, and edit if necessary.

    3. Review the Tags, and add tags if necessary.

    4. Choose Create role.

You have created the service role for AWS Clean Rooms.

Create a service role to read seed data

AWS Clean Rooms uses a service role to read seed data. You can create this role using the console if you have the necessary IAM permissions. If you don't have CreateRole permissions, ask your administrator to create the service role.

To create a service role to read seed data that is stored in an S3 bucket
  1. Sign in to the IAM console (https://console.aws.amazon.com/iam/) with your administrator account.

  2. Under Access management, choose Policies.

  3. Choose Create policy.

  4. In the Policy editor, select the JSON tab, and then copy and paste one of the following policies.

    Note

    The following example policy supports the permissions needed to read AWS Glue metadata and its corresponding Amazon S3 data. However, you might need to modify this policy depending on how you've set up your Amazon S3 data. This policy doesn't include a KMS key to decrypt data.

    Your AWS Glue resources and underlying Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": ["arn:aws:s3:::buckets"],
                "Condition": {
                    "StringEquals": {
                        "s3:ResourceAccount": ["accountId"]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": ["arn:aws:s3:::bucketFolders/*"],
                "Condition": {
                    "StringEquals": {
                        "s3:ResourceAccount": ["accountId"]
                    }
                }
            }
        ]
    }

    Note

    The following example policy supports the permissions needed to read the results of an SQL query and use that as the input data. However, you might need to modify this policy depending on how your query is structured. This policy doesn't include a KMS key to decrypt data.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCleanRoomsStartQuery",
                "Effect": "Allow",
                "Action": [
                    "cleanrooms:GetCollaborationAnalysisTemplate",
                    "cleanrooms:GetSchema",
                    "cleanrooms:StartProtectedQuery"
                ],
                "Resource": "*"
            },
            {
                "Sid": "AllowCleanRoomsGetAndUpdateQuery",
                "Effect": "Allow",
                "Action": [
                    "cleanrooms:GetProtectedQuery",
                    "cleanrooms:UpdateProtectedQuery"
                ],
                "Resource": ["arn:aws:cleanrooms:region:queryRunnerAccountId:membership/queryRunnerMembershipId"]
            }
        ]
    }

    If you need to use a KMS key to decrypt data, add this AWS KMS statement as the last element of the Statement array in the template:

    {
        "Effect": "Allow",
        "Action": [
            "kms:Decrypt",
            "kms:DescribeKey"
        ],
        "Resource": ["arn:aws:kms:region:accountId:key/keyId"],
        "Condition": {
            "ArnLike": {
                "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucketFolders*"
            }
        }
    }

  5. Choose Next.

  6. For Review and create, enter a Policy name and Description, and review the Summary.

  7. Choose Create policy.

    You have created a policy for AWS Clean Rooms.

  8. Under Access management, choose Roles.

    With Roles, you can create short-term credentials, which is recommended for increased security. You can also choose Users to create long-term credentials.

  9. Choose Create role.

  10. In the Create role wizard, for Trusted entity type, choose Custom trust policy.

  11. Copy and paste the following custom trust policy into the JSON editor.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": "cleanrooms-ml.amazonaws.com"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEqualsIfExists": {
                        "aws:SourceAccount": ["accountId"]
                    },
                    "StringLikeIfExists": {
                        "aws:SourceArn": "arn:aws:cleanrooms-ml:region:account:audience-generation-job/*"
                    }
                }
            }
        ]
    }

    The SourceAccount is always your AWS account. The SourceArn can be limited to a specific training dataset, but only after that dataset is created. Because you don't yet know the training dataset ARN, the wildcard is specified here.

  12. Choose Next.

  13. Select the check box next to the name of the policy you created, and then choose Next.

  14. For Name, review, and create, enter the Role name and Description.

    Note

    The Role name must match the pattern in the passRole permissions granted to the member who can query and receive results and member roles.

    1. Review Select trusted entities, and edit if necessary.

    2. Review the permissions in Add permissions, and edit if necessary.

    3. Review the Tags, and add tags if necessary.

    4. Choose Create role.

You have created the service role for AWS Clean Rooms.

Set up service roles for custom modeling

Create a service role for custom ML modeling - ML Configuration

AWS Clean Rooms uses a service role to control who can create a custom ML configuration. You can create this role using the console if you have the necessary IAM permissions. If you don't have CreateRole permissions, ask your administrator to create the service role.

This role allows you to use the CreateMLConfiguration action.

To create a service role to allow creation of a custom ML configuration
  1. Sign in to the IAM console (https://console.aws.amazon.com/iam/) with your administrator account.

  2. Under Access management, choose Policies.

  3. Choose Create policy.

  4. In the Policy editor, select the JSON tab, and then copy and paste the following policy.

    Note

    The following example policy supports the permissions needed to access and write data to an S3 bucket and to publish CloudWatch metrics. However, you might need to modify this policy depending on how you've set up your Amazon S3 data. This policy doesn't include a KMS key to decrypt data. Because cloudwatch:PutMetricData doesn't support resource-level permissions, that statement uses a Resource of "*" and limits the call to the /aws/cleanroomsml namespace with the cloudwatch:namespace condition key; the CloudWatch Logs statement is limited to log groups in your account and Region.

    Your Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowS3ObjectWriteForExport",
                "Effect": "Allow",
                "Action": ["s3:PutObject"],
                "Resource": ["arn:aws:s3:::bucket/*"]
            },
            {
                "Sid": "AllowS3KMSEncryptForExport",
                "Effect": "Allow",
                "Action": [
                    "kms:Encrypt",
                    "kms:GenerateDataKey*"
                ],
                "Resource": ["arn:aws:kms:region:accountId:key/keyId"]
            },
            {
                "Sid": "AllowCloudWatchMetricsPublishingForTrainingJobs",
                "Effect": "Allow",
                "Action": "cloudwatch:PutMetricData",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "cloudwatch:namespace": "/aws/cleanroomsml"
                    }
                }
            },
            {
                "Sid": "AllowCloudWatchLogsPublishingForTrainingOrInferenceJobs",
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:DescribeLogStreams",
                    "logs:PutLogEvents"
                ],
                "Resource": "arn:aws:logs:region:accountId:log-group:*"
            }
        ]
    }

  5. Choose Next.

  6. For Review and create, enter a Policy name and Description, and review the Summary.

  7. Choose Create policy.

    You have created a policy for AWS Clean Rooms.

  8. Under Access management, choose Roles.

    With Roles, you can create short-term credentials, which is recommended for increased security. You can also choose Users to create long-term credentials.

  9. Choose Create role.

  10. In the Create role wizard, for Trusted entity type, choose Custom trust policy.

  11. Copy and paste the following custom trust policy into the JSON editor.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "cleanrooms-ml.amazonaws.com"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "aws:SourceAccount": "accountId"
                    },
                    "ArnLike": {
                        "aws:SourceArn": "arn:aws:cleanrooms:region:accountId:membership/membershipID"
                    }
                }
            }
        ]
    }

    The SourceAccount is always your AWS account. The SourceArn can be limited to a specific training dataset, but only after that dataset is created. Because you don't yet know the training dataset ARN, the wildcard is specified here.

  12. Choose Next.

  13. Select the check box next to the name of the policy you created, and then choose Next.

  14. For Name, review, and create, enter the Role name and Description.

    Note

    The Role name must match the pattern in the passRole permissions granted to the member who can query and receive results and member roles.

    1. Review Select trusted entities, and edit if necessary.

    2. Review the permissions in Add permissions, and edit if necessary.

    3. Review the Tags, and add tags if necessary.

    4. Choose Create role.

You have created the service role for AWS Clean Rooms.

Create a service role to provide a custom ML model

AWS Clean Rooms uses a service role to control who can create a custom ML model algorithm. You can create this role using the console if you have the necessary IAM permissions. If you don't have CreateRole permissions, ask your administrator to create the service role.

This role allows you to use the CreateConfiguredModelAlgorithm action.

To create a service role to allow a member to provide a custom ML model
  1. Sign in to the IAM console (https://console.aws.amazon.com/iam/) with your administrator account.

  2. Under Access management, choose Policies.

  3. Choose Create policy.

  4. In the Policy editor, select the JSON tab, and then copy and paste the following policy.

    Note

    The following example policy supports the permissions needed to retrieve the docker image that contains the model algorithm. However, you might need to modify this policy depending on how you've set up your Amazon S3 data. This policy doesn't include a KMS key to decrypt data.

    Your Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowECRImageDownloadForTrainingAndInferenceJobs",
                "Effect": "Allow",
                "Action": [
                    "ecr:BatchGetImage",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:GetDownloadUrlForLayer"
                ],
                "Resource": "arn:aws:ecr:region:accountID:repository/repoName"
            }
        ]
    }

  5. Choose Next.

  6. For Review and create, enter a Policy name and Description, and review the Summary.

  7. Choose Create policy.

    You have created a policy for AWS Clean Rooms.

  8. Under Access management, choose Roles.

    With Roles, you can create short-term credentials, which is recommended for increased security. You can also choose Users to create long-term credentials.

  9. Choose Create role.

  10. In the Create role wizard, for Trusted entity type, choose Custom trust policy.

  11. Copy and paste the following custom trust policy into the JSON editor.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "cleanrooms-ml.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

    The SourceAccount is always your AWS account. The SourceArn can be limited to a specific training dataset, but only after that dataset is created. Because you don't yet know the training dataset ARN, the wildcard is specified here.

  12. Choose Next.

  13. Select the check box next to the name of the policy you created, and then choose Next.

  14. For Name, review, and create, enter the Role name and Description.

    Note

    The Role name must match the pattern in the passRole permissions granted to the member who can query and receive results and member roles.

    1. Review Select trusted entities, and edit if necessary.

    2. Review the permissions in Add permissions, and edit if necessary.

    3. Review the Tags, and add tags if necessary.

    4. Choose Create role.

You have created the service role for AWS Clean Rooms.

Create a service role to query a dataset

AWS Clean Rooms uses a service role to control who can query a dataset that will be used for custom ML modeling. You can create this role using the console if you have the necessary IAM permissions. If you don't have CreateRole permissions, ask your administrator to create the service role.

This role allows you to use the CreateMLInputChannel action.

To create a service role to allow a member to query a dataset
  1. Sign in to the IAM console (https://console.aws.amazon.com/iam/) with your administrator account.

  2. Under Access management, choose Policies.

  3. Choose Create policy.

  4. In the Policy editor, select the JSON tab, and then copy and paste the following policy.

    Note

    The following example policy supports the permissions needed to query a dataset that will be used for custom ML modeling. However, you might need to modify this policy depending on how you've set up your Amazon S3 data. This policy doesn't include a KMS key to decrypt data.

    Your Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCleanRoomsStartQueryForMLInputChannel",
                "Effect": "Allow",
                "Action": "cleanrooms:StartProtectedQuery",
                "Resource": "*"
            },
            {
                "Sid": "AllowCleanRoomsGetSchemaForMLInputChannel",
                "Effect": "Allow",
                "Action": "cleanrooms:GetSchema",
                "Resource": "*"
            },
            {
                "Sid": "AllowCleanRoomsGetAndUpdateQueryForMLInputChannel",
                "Effect": "Allow",
                "Action": [
                    "cleanrooms:GetProtectedQuery",
                    "cleanrooms:UpdateProtectedQuery"
                ],
                "Resource": ["arn:aws:cleanrooms:region:queryRunnerAccountId:membership/queryRunnerMembershipId"]
            }
        ]
    }

  5. Choose Next.

  6. For Review and create, enter a Policy name and Description, and review the Summary.

  7. Choose Create policy.

    You have created a policy for AWS Clean Rooms.

  8. Under Access management, choose Roles.

    With Roles, you can create short-term credentials, which is recommended for increased security. You can also choose Users to create long-term credentials.

  9. Choose Create role.

  10. In the Create role wizard, for Trusted entity type, choose Custom trust policy.

  11. Copy and paste the following custom trust policy into the JSON editor.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "cleanrooms-ml.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

    The SourceAccount is always your AWS account. The SourceArn can be limited to a specific training dataset, but only after that dataset is created. Because you don't yet know the training dataset ARN, the wildcard is specified here.

  12. Choose Next.

  13. Select the check box next to the name of the policy you created, and then choose Next.

  14. For Name, review, and create, enter the Role name and Description.

    Note

    The Role name must match the pattern in the passRole permissions granted to the member who can query and receive results and member roles.

    1. Review Select trusted entities, and edit if necessary.

    2. Review the permissions in Add permissions, and edit if necessary.

    3. Review the Tags, and add tags if necessary.

    4. Choose Create role.

You have created the service role for AWS Clean Rooms.

Create a service role to create a configured table association

AWS Clean Rooms uses a service role to control who can create a configured table association. You can create this role using the console if you have the necessary IAM permissions. If you don't have CreateRole permissions, ask your administrator to create the service role.

This role allows you to use the CreateConfiguredTableAssociation action.

To create a service role to allow creation of a configured table association
  1. Sign in to the IAM console (https://console.aws.amazon.com/iam/) with your administrator account.

  2. Under Access management, choose Policies.

  3. Choose Create policy.

  4. In the Policy editor, select the JSON tab, and then copy and paste the following policy.

    Note

    The following example policy supports the creation of a configured table association. However, you might need to modify this policy depending on how you've set up your Amazon S3 data. This policy doesn't include a KMS key to decrypt data.

    Your Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:Decrypt",
                    "kms:DescribeKey"
                ],
                "Resource": "KMS key used to encrypt the S3 data"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": "S3 bucket of Glue table"
            },
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": "S3 bucket of Glue table/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "glue:GetDatabase",
                    "glue:GetDatabases",
                    "glue:GetTable",
                    "glue:GetTables",
                    "glue:GetPartitions",
                    "glue:GetPartition",
                    "glue:BatchGetPartition"
                ],
                "Resource": [
                    "arn:aws:glue:region:accountID:catalog",
                    "arn:aws:glue:region:accountID:database/Glue database name",
                    "arn:aws:glue:region:accountID:table/Glue database name/Glue table name"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "glue:GetSchema",
                    "glue:GetSchemaVersion"
                ],
                "Resource": "*"
            }
        ]
    }

  5. Choose Next.

  6. For Review and create, enter a Policy name and Description, and review the Summary.

  7. Choose Create policy.

    You have created a policy for AWS Clean Rooms.

  8. Under Access management, choose Roles.

    With Roles, you can create short-term credentials, which is recommended for increased security. You can also choose Users to create long-term credentials.

  9. Choose Create role.

  10. In the Create role wizard, for Trusted entity type, choose Custom trust policy.

  11. Copy and paste the following custom trust policy into the JSON editor.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "cleanrooms-ml.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

    The SourceAccount is always your AWS account. The SourceArn can be limited to a specific training dataset, but only after that dataset is created. Because you don't yet know the training dataset ARN, the wildcard is specified here.

  12. Choose Next.

  13. Select the check box next to the name of the policy you created, and then choose Next.

  14. For Name, review, and create, enter the Role name and Description.

    Note

    The Role name must match the pattern in the passRole permissions granted to the member who can query and receive results and member roles.

    1. Review Select trusted entities, and edit if necessary.

    2. Review the permissions in Add permissions, and edit if necessary.

    3. Review the Tags, and add tags if necessary.

    4. Choose Create role.

You have created the service role for AWS Clean Rooms.