Set up service roles for AWS Clean Rooms

Create an administrator user

To use AWS Clean Rooms, you need to create an administrator user for yourself and add the administrator user to an administrators group.

To create an administrator user, choose one of the following options.

Choose one way to manage your administrator | To | By | You can also
In IAM Identity Center (Recommended) | Use short-term credentials to access AWS. This aligns with the security best practices. For information about best practices, see Security best practices in IAM in the IAM User Guide. | Following the instructions in Getting started in the AWS IAM Identity Center User Guide. | Configure programmatic access by Configuring the AWS CLI to use AWS IAM Identity Center in the AWS Command Line Interface User Guide.
In IAM (Not recommended) | Use long-term credentials to access AWS. | Following the instructions in Create an IAM user for emergency access in the IAM User Guide. | Configure programmatic access by Manage access keys for IAM users in the IAM User Guide.

Create an IAM role for a collaboration member

A member is an AWS customer who is a participant in a collaboration.

To create an IAM role for a collaboration member
  1. Follow the Creating a role to delegate permissions to an IAM user procedure in the AWS Identity and Access Management User Guide.

  2. For the Create policy step, select the JSON tab in the Policy editor, and then add policies depending on the abilities granted to the collaboration member.

    AWS Clean Rooms offers the following managed policies based on common use cases.

    If you want to ... | Then use ...
    View the resources and metadata | AWS managed policy: AWSCleanRoomsReadOnlyAccess
    Query | AWS managed policy: AWSCleanRoomsFullAccess
    Query and receive results | AWS managed policy: AWSCleanRoomsFullAccess
    Manage collaboration resources but do not query | AWS managed policy: AWSCleanRoomsFullAccessNoQuerying

    For information about the different managed policies offered by AWS Clean Rooms, see AWS managed policies for AWS Clean Rooms.

Create a service role to read data from Amazon S3

AWS Clean Rooms uses a service role to read the data from Amazon S3.

There are two ways to create this service role.

  • If you have the necessary IAM permissions to create a service role, use the AWS Clean Rooms console to create a service role.

  • If you don't have iam:CreateRole, iam:CreatePolicy and iam:AttachRolePolicy permissions or want to create the IAM roles manually, do one of the following:

    • Use the following procedure to create a service role using custom trust policies.

    • Ask your administrator to create the service role using the following procedure.

Note

You or your IAM administrator should follow this procedure only if you don't have the necessary permissions to create a service role using the AWS Clean Rooms console.

To create a service role to read data from Amazon S3 using custom trust policies
  1. Create a role using custom trust policies. For more information, see the Creating a role using custom trust policies (console) procedure in the AWS Identity and Access Management User Guide.

  2. Use the following custom trust policy according to the Creating a role using custom trust policies (console) procedure.

    Note

    If you want to help ensure that the role is used only in the context of a certain collaboration membership, you can scope down the trust policy further. For more information, see Cross-service confused deputy prevention.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RoleTrustPolicyForCleanRoomsService",
          "Effect": "Allow",
          "Principal": {
            "Service": "cleanrooms.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  3. Use the following permissions policy according to the Creating a role using custom trust policies (console) procedure.

    Note

    The following example policy supports the permissions needed to read AWS Glue metadata and its corresponding Amazon S3 data. However, you might need to modify this policy depending on how you've set up your Amazon S3 data. For instance, if you have set up a custom KMS key for your Amazon S3 data, you may need to amend this policy with additional AWS Key Management Service (AWS KMS) permissions.

    Your AWS Glue resources and underlying Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "NecessaryGluePermissions",
          "Effect": "Allow",
          "Action": [
            "glue:GetDatabase",
            "glue:GetDatabases",
            "glue:GetTable",
            "glue:GetTables",
            "glue:GetPartition",
            "glue:GetPartitions",
            "glue:BatchGetPartition"
          ],
          "Resource": [
            "arn:aws:glue:aws-region:accountId:database/database",
            "arn:aws:glue:aws-region:accountId:table/database/table",
            "arn:aws:glue:aws-region:accountId:catalog"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "glue:GetSchema",
            "glue:GetSchemaVersion"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Sid": "NecessaryS3BucketPermissions",
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::bucket"
          ],
          "Condition": {
            "StringEquals": {
              "s3:ResourceAccount": [
                "s3BucketOwnerAccountId"
              ]
            }
          }
        },
        {
          "Sid": "NecessaryS3ObjectPermissions",
          "Effect": "Allow",
          "Action": [
            "s3:GetObject"
          ],
          "Resource": [
            "arn:aws:s3:::bucket/prefix/*"
          ],
          "Condition": {
            "StringEquals": {
              "s3:ResourceAccount": [
                "s3BucketOwnerAccountId"
              ]
            }
          }
        }
      ]
    }
  4. Replace each placeholder with your own information.

  5. Continue to follow the Creating a role using custom trust policies (console) procedure to create the role.
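The following Python is an added example, not part of the AWS documentation or the Clean Rooms service. It builds the trust policy and the permissions policy from the procedure above from a set of parameters, validates the Region and account ID placeholders before anything is created, and optionally adds the aws:SourceArn membership condition to the trust policy (the scoping referenced under Cross-service confused deputy prevention). The Glue table ARN uses the table/database/table form, and all sample values (account ID, bucket, database, membership ID) are constructed.

```python
# Added example (not AWS documentation code): build and sanity-check the two
# policy documents for a Clean Rooms service role that reads Glue/S3 data.
# All sample values below are constructed.
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")  # sanity check for common Region names


def placeholder_problems(region, *account_ids):
    """Return a list of problems with the placeholders; an empty list means they look sane.
    A mistyped Region or account ID does not fail loudly in IAM, it just yields a policy
    that never matches, so check before creating the role."""
    problems = []
    if not REGION_RE.match(region):
        problems.append(f"bad region: {region!r}")
    for acct in account_ids:
        if not ACCOUNT_ID_RE.match(acct):
            problems.append(f"bad account id: {acct!r}")
    return problems


def build_trust_policy(membership_arns=None):
    """Trust policy for cleanrooms.amazonaws.com. When membership ARNs are given, the
    aws:SourceArn condition binds the role to those collaboration memberships."""
    statement = {
        "Sid": "RoleTrustPolicyForCleanRoomsService",
        "Effect": "Allow",
        "Principal": {"Service": "cleanrooms.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }
    if membership_arns:
        statement["Condition"] = {
            "ForAnyValue:ArnEquals": {"aws:SourceArn": list(membership_arns)}
        }
    return {"Version": "2012-10-17", "Statement": [statement]}


def build_s3_read_policy(region, account_id, database, table, bucket, prefix,
                         bucket_owner_account_id=None):
    """Permissions policy: Glue metadata for one table plus read-only access to one S3
    prefix. s3:ResourceAccount pins the bucket to its expected owner, which matters when
    the bucket belongs to another account (default: the same account)."""
    owner = bucket_owner_account_id or account_id
    problems = placeholder_problems(region, account_id, owner)
    if problems:
        raise ValueError("; ".join(problems))
    glue = f"arn:aws:glue:{region}:{account_id}"
    key = prefix.strip("/")
    objects = f"arn:aws:s3:::{bucket}/{key}/*" if key else f"arn:aws:s3:::{bucket}/*"
    owner_condition = {"StringEquals": {"s3:ResourceAccount": [owner]}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "NecessaryGluePermissions",
                "Effect": "Allow",
                "Action": ["glue:GetDatabase", "glue:GetDatabases", "glue:GetTable",
                           "glue:GetTables", "glue:GetPartition", "glue:GetPartitions",
                           "glue:BatchGetPartition"],
                # Glue table ARNs take the form table/<database>/<table>.
                "Resource": [f"{glue}:database/{database}",
                             f"{glue}:table/{database}/{table}",
                             f"{glue}:catalog"],
            },
            {
                "Effect": "Allow",
                "Action": ["glue:GetSchema", "glue:GetSchemaVersion"],
                "Resource": ["*"],
            },
            {
                "Sid": "NecessaryS3BucketPermissions",
                "Effect": "Allow",
                "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": owner_condition,
            },
            {
                "Sid": "NecessaryS3ObjectPermissions",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [objects],
                "Condition": owner_condition,
            },
        ],
    }


if __name__ == "__main__":
    # Constructed sample values; replace with your own before creating the role.
    membership = "arn:aws:cleanrooms:us-east-1:111111111111:membership/00000000-0000-0000-0000-000000000000"
    print(json.dumps(build_trust_policy([membership]), indent=2))
    print(json.dumps(build_s3_read_policy("us-east-1", "111111111111", "sales_db", "orders",
                                          "example-bucket", "curated/orders/"), indent=2))
```

The two documents it prints can be pasted into the trust policy and permissions policy steps of the console procedure. Passing the membership ARN to build_trust_policy is what turns the generic trust policy into one that only this collaboration membership can use.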

Create a service role to read data from Amazon Athena

AWS Clean Rooms uses a service role to read the data from Amazon Athena.

To create a service role to read data from Athena using custom trust policies
  1. Create a role using custom trust policies. For more information, see the Creating a role using custom trust policies (console) procedure in the AWS Identity and Access Management User Guide.

  2. Use the following custom trust policy according to the Creating a role using custom trust policies (console) procedure.

    Note

    If you want to help ensure that the role is used only in the context of a certain collaboration membership, you can scope down the trust policy further. For more information, see Cross-service confused deputy prevention.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RoleTrustPolicyForCleanRoomsService",
          "Effect": "Allow",
          "Principal": {
            "Service": "cleanrooms.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  3. Use the following permissions policy according to the Creating a role using custom trust policies (console) procedure.

    Note

    The following example policy supports the permissions needed to read AWS Glue metadata and its corresponding Athena data. However, you might need to modify this policy depending on how you've set up your Amazon S3 data. For instance, if you've already set up a custom KMS key for your Amazon S3 data, you may need to amend this policy with additional AWS KMS permissions.

    Your AWS Glue resources and underlying Athena resources must be in the same AWS Region as the AWS Clean Rooms collaboration.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "athena:GetDataCatalog",
            "athena:GetWorkGroup",
            "athena:GetTableMetadata",
            "athena:GetQueryExecution",
            "athena:GetQueryResults",
            "athena:StartQueryExecution"
          ],
          "Resource": [
            "arn:aws:athena:region:accountId:workgroup/workgroup",
            "arn:aws:athena:region:accountId:datacatalog/AwsDataCatalog"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "glue:GetDatabase",
            "glue:GetTable",
            "glue:GetPartitions"
          ],
          "Resource": [
            "arn:aws:glue:region:accountId:catalog",
            "arn:aws:glue:region:accountId:database/database name",
            "arn:aws:glue:region:accountId:table/database name/table name"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:GetBucketLocation",
            "s3:AbortMultipartUpload",
            "s3:ListBucket",
            "s3:PutObject",
            "s3:ListMultipartUploadParts"
          ],
          "Resource": [
            "arn:aws:s3:::bucket",
            "arn:aws:s3:::bucket/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": "lakeformation:GetDataAccess",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "kms:GenerateDataKey",
            "kms:Decrypt"
          ],
          "Resource": "arn:aws:kms:region:accountId:key/*"
        }
      ]
    }
  4. Replace each placeholder with your own information.

  5. Continue to follow the Creating a role using custom trust policies (console) procedure to create the role.

Set up Lake Formation permissions

The service role must have Select and Describe access permissions on the GDC View and Describe permissions on the AWS Glue database that the GDC View is stored in.

Set up Lake Formation permissions for a GDC View
To set up Lake Formation permissions for a GDC View
  1. Open the Lake Formation console at https://console.aws.amazon.com/lakeformation/

  2. In the navigation pane, under Data Catalog, choose Databases, and then choose Views.

  3. Choose your view, and then, under Actions, choose Grant.

  4. For Principals, under IAM user and roles, choose your service role.

  5. For View permissions, under View permissions, choose Select and Describe.

  6. Choose Grant.

Set up Lake Formation permissions for the AWS Glue database that the GDC View is stored in
To set up Lake Formation permissions for the AWS Glue database that the GDC View is stored in
  1. Open the Lake Formation console at https://console.aws.amazon.com/lakeformation/

  2. In the navigation pane, under Data Catalog, choose Databases.

  3. Choose the AWS Glue database, and then, under Actions, choose Grant.

  4. For Principals, under IAM user and roles, choose your service role.

  5. For Database permissions, under Database permissions, choose Describe.

  6. Choose Grant.
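The following Python is an added example, not part of the AWS documentation, showing the two grants from the console procedures above as Lake Formation GrantPermissions requests so they can be reviewed in code and applied repeatably with boto3. It assumes that a Glue Data Catalog view is granted through the "Table" resource type, the same way a table is; the catalog ID, database, view and role ARN values are constructed.

```python
# Added example (not AWS documentation code): the Select/Describe grant on the
# GDC view and the Describe grant on its database, as GrantPermissions requests.
# Assumption: a Glue Data Catalog view is granted through the "Table" resource
# type. Sample values below are constructed.
import re

ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+")


def role_arn_problems(role_arn):
    """The procedure grants to the service role; reject users and malformed ARNs."""
    if not ROLE_ARN_RE.match(role_arn):
        return [f"not an IAM role ARN: {role_arn!r}"]
    return []


def view_grant(catalog_id, database, view, role_arn):
    """Select and Describe on the view (first procedure, steps 3 to 5)."""
    return {
        "Principal": {"DataLakePrincipalIdentifier": role_arn},
        "Resource": {"Table": {"CatalogId": catalog_id, "DatabaseName": database, "Name": view}},
        "Permissions": ["SELECT", "DESCRIBE"],
        "PermissionsWithGrantOption": [],  # the service role must not be able to re-grant
    }


def database_grant(catalog_id, database, role_arn):
    """Describe on the database that holds the view (second procedure, steps 3 to 5)."""
    return {
        "Principal": {"DataLakePrincipalIdentifier": role_arn},
        "Resource": {"Database": {"CatalogId": catalog_id, "Name": database}},
        "Permissions": ["DESCRIBE"],
        "PermissionsWithGrantOption": [],
    }


def grants_for_view(catalog_id, database, view, role_arn):
    """Both grants the service role needs, in the order the page lists them."""
    problems = role_arn_problems(role_arn)
    if problems:
        raise ValueError("; ".join(problems))
    return [view_grant(catalog_id, database, view, role_arn),
            database_grant(catalog_id, database, role_arn)]


def apply_grants(grants, region):
    """Send the requests. boto3 is imported here so the builders stay usable offline."""
    import boto3
    lf = boto3.client("lakeformation", region_name=region)
    return [lf.grant_permissions(**g) for g in grants]


if __name__ == "__main__":
    # Constructed sample values; the catalog ID is the account that owns the Data Catalog.
    for g in grants_for_view("111111111111", "sales_db", "orders_view",
                             "arn:aws:iam::111111111111:role/CleanRoomsAthenaReadRole"):
        print(g)
```

Keeping PermissionsWithGrantOption empty mirrors the console default: the service role can read the view and describe its database, but cannot pass those permissions on to anyone else.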

Create a service role to read data from Snowflake

AWS Clean Rooms uses a service role to retrieve your credentials for Snowflake to read your data from this source.

There are two ways to create this service role:

  • If you have the necessary IAM permissions to create a service role, use the AWS Clean Rooms console to create a service role.

  • If you don't have iam:CreateRole, iam:CreatePolicy and iam:AttachRolePolicy permissions or want to create the IAM roles manually, do one of the following:

    • Use the following procedure to create a service role using custom trust policies.

    • Ask your administrator to create the service role using the following procedure.

Note

You or your IAM administrator should follow this procedure only if you don't have the necessary permissions to create a service role using the AWS Clean Rooms console.

To create a service role to read data from Snowflake using custom trust policies
  1. Create a role using custom trust policies. For more information, see the Creating a role using custom trust policies (console) procedure in the AWS Identity and Access Management User Guide.

  2. Use the following custom trust policy according to the Creating a role using custom trust policies (console) procedure.

    Note

    If you want to help ensure that the role is used only in the context of a certain collaboration membership, you can scope down the trust policy further. For more information, see Cross-service confused deputy prevention.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowIfSourceArnMatches",
          "Effect": "Allow",
          "Principal": {
            "Service": "cleanrooms.amazonaws.com"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "ForAnyValue:ArnEquals": {
              "aws:SourceArn": [
                "arn:aws:cleanrooms:region:accountId:membership/membershipId",
                "arn:aws:cleanrooms:region:queryRunnerAccountId:membership/queryRunnerMembershipId"
              ]
            }
          }
        }
      ]
    }
  3. Use one of the following permissions policies according to the Creating a role using custom trust policies (console) procedure.

    Permission policy for secrets encrypted with a customer-owned KMS key

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "arn:aws:secretsmanager:region:secretAccountId:secret:secretIdentifier",
          "Effect": "Allow"
        },
        {
          "Sid": "AllowDecryptViaSecretsManagerForKey",
          "Action": "kms:Decrypt",
          "Resource": "arn:aws:kms:region:keyOwnerAccountId:key/keyIdentifier",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "kms:ViaService": "secretsmanager.region.amazonaws.com",
              "kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:region:secretAccountId:secret:secretIdentifier"
            }
          }
        }
      ]
    }

    Permission policy for secrets encrypted with an AWS managed key

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "arn:aws:secretsmanager:region:accountId:secret:secretIdentifier",
          "Effect": "Allow"
        }
      ]
    }
  4. Replace each placeholder with your own information.

  5. Continue to follow the Creating a role using custom trust policies (console) procedure to create the role.

Create a service role to receive results

Note

If you are the member who can only receive results (in the console, Your member abilities is only Receive results), follow this procedure.

If you are a member who can both query and receive results (in the console, Your member abilities is both Query and Receive results), you can skip this procedure.

For collaboration members who can only receive results, AWS Clean Rooms uses a service role to write results of the queried data in the collaboration to the specified S3 bucket.

There are two ways to create this service role:

  • If you have the necessary IAM permissions to create a service role, use the AWS Clean Rooms console to create a service role.

  • If you don't have iam:CreateRole, iam:CreatePolicy and iam:AttachRolePolicy permissions or want to create the IAM roles manually, do one of the following:

    • Use the following procedure to create a service role using custom trust policies.

    • Ask your administrator to create the service role using the following procedure.

Note

You or your IAM administrator should follow this procedure only if you don't have the necessary permissions to create a service role using the AWS Clean Rooms console.

To create a service role to receive results using custom trust policies
  1. Create a role using custom trust policies. For more information, see the Creating a role using custom trust policies (console) procedure in the AWS Identity and Access Management User Guide.

  2. Use the following custom trust policy according to the Creating a role using custom trust policies (console) procedure.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowIfExternalIdMatches",
          "Effect": "Allow",
          "Principal": {
            "Service": "cleanrooms.amazonaws.com"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "ArnLike": {
              "sts:ExternalId": "arn:aws:*:region:*:dbuser:*/a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa*"
            }
          }
        },
        {
          "Sid": "AllowIfSourceArnMatches",
          "Effect": "Allow",
          "Principal": {
            "Service": "cleanrooms.amazonaws.com"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "ForAnyValue:ArnEquals": {
              "aws:SourceArn": [
                "arn:aws:cleanrooms:us-east-1:555555555555:membership/a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa"
              ]
            }
          }
        }
      ]
    }
  3. Use the following permissions policy according to the Creating a role using custom trust policies (console) procedure.

    Note

    The following example policy supports the permissions needed to read AWS Glue metadata and its corresponding Amazon S3 data. However, you might need to modify this policy depending on how you've set up your S3 data.

    Your AWS Glue resources and underlying Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::bucket_name"
          ],
          "Condition": {
            "StringEquals": {
              "aws:ResourceAccount": "accountId"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject"
          ],
          "Resource": [
            "arn:aws:s3:::bucket_name/optional_key_prefix/*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:ResourceAccount": "accountId"
            }
          }
        }
      ]
    }
  4. Replace each placeholder with your own information:

    • region – The name of the AWS Region. For example, us-east-1.

    • a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa – The Membership ID of the member who can query. The Membership ID can be found on the Details tab of the collaboration. This ensures that AWS Clean Rooms is assuming the role only when this member runs the analysis in this collaboration.

    • arn:aws:cleanrooms:us-east-1:555555555555:membership/a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa – The single Membership ARN of the member who can query. The Membership ARN can be found on the Details tab of the collaboration. This ensures AWS Clean Rooms is assuming the role only when this member runs the analysis in this collaboration.

    • bucket_name – The Amazon Resource Name (ARN) of the S3 bucket. The Amazon Resource Name (ARN) can be found on the Properties tab of the bucket in Amazon S3.

    • accountId – The AWS account ID in which the S3 bucket is located.

    • bucket_name/optional_key_prefix – The Amazon Resource Name (ARN) of the results destination in Amazon S3. The Amazon Resource Name (ARN) can be found on the Properties tab of the bucket in Amazon S3.

  5. Continue to follow the Creating a role using custom trust policies (console) procedure to create the role.
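The following Python is an added example, not part of the AWS documentation. It is a small linter for the trust and permissions policies created in the S3, Athena, Snowflake and receive-results procedures on this page: it reports a trust statement with no aws:SourceArn, aws:SourceAccount or sts:ExternalId condition (the confused-deputy scoping the page points to), a wildcard principal, S3 statements not pinned to the bucket owner's account with s3:ResourceAccount or aws:ResourceAccount, kms:Decrypt without the kms:ViaService condition used in the Snowflake policy, a KMS grant over every key in the account, and write actions in a role meant only to read. The sample policies it runs over are constructed for the example.

```python
# Added example (not AWS documentation code): lint the policy documents of a
# Clean Rooms service role for the weak spots a reviewer looks for.
# The sample policies at the bottom are constructed, not taken from any account.
import json

CLEANROOMS = "cleanrooms.amazonaws.com"
# Condition keys the page's trust policies use to bind the role to a membership.
DEPUTY_KEYS = {"aws:SourceArn", "aws:SourceAccount", "sts:ExternalId"}
S3_OWNER_KEYS = {"s3:ResourceAccount", "aws:ResourceAccount"}
WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:Abort", "glue:Create", "glue:Update", "glue:Delete")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(stmt):
    """All condition keys in a statement, e.g. {'aws:SourceArn', 'kms:ViaService'}."""
    keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        keys.update(operator_block.keys())
    return keys


def lint_trust_policy(doc):
    """Findings for a trust policy; an empty list means every Allow is scoped."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"statement {i}: wildcard principal")
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if services != [CLEANROOMS]:
            findings.append(f"statement {i}: principal is {services or principal}, expected only {CLEANROOMS}")
        if not (_condition_keys(stmt) & DEPUTY_KEYS):
            findings.append(f"statement {i}: no aws:SourceArn/aws:SourceAccount/sts:ExternalId condition (confused deputy)")
    return findings


def lint_permissions_policy(doc, read_only=True):
    """Findings for a permissions policy. Set read_only=False for the results-writer role."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        keys = _condition_keys(stmt)
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action")
        if any(a.startswith("s3:") for a in actions) and not (keys & S3_OWNER_KEYS):
            findings.append(f"statement {i}: S3 access not pinned to bucket owner account")
        if "kms:Decrypt" in actions and "kms:ViaService" not in keys:
            findings.append(f"statement {i}: kms:Decrypt not restricted with kms:ViaService")
        if any(a.startswith("kms:") for a in actions) and any(r.endswith("key/*") for r in resources):
            findings.append(f"statement {i}: KMS permission over every key in the account")
        if read_only:
            writes = [a for a in actions if a.startswith(WRITE_PREFIXES)]
            if writes:
                findings.append(f"statement {i}: write actions in a read role: {', '.join(writes)}")
    return findings


# Constructed samples: a trust policy with and without the membership condition,
# an S3 read policy whose object statement forgot the owner condition, and a KMS
# statement over every key (the shape the Athena policy on this page uses).
UNSCOPED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": CLEANROOMS}, "Action": "sts:AssumeRole"}]}
SCOPED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": CLEANROOMS}, "Action": "sts:AssumeRole",
     "Condition": {"ForAnyValue:ArnEquals": {"aws:SourceArn": [
         "arn:aws:cleanrooms:us-east-1:111111111111:membership/00000000-0000-0000-0000-000000000000"]}}}]}
S3_READ = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"s3:ResourceAccount": "111111111111"}}},
    {"Effect": "Allow", "Action": "s3:GetObject",  # owner condition missing here
     "Resource": "arn:aws:s3:::example-bucket/curated/*"}]}
KMS_WIDE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
     "Resource": "arn:aws:kms:us-east-1:111111111111:key/*"}]}

if __name__ == "__main__":
    for name, doc in [("UNSCOPED_TRUST", UNSCOPED_TRUST), ("SCOPED_TRUST", SCOPED_TRUST)]:
        print(name, json.dumps(lint_trust_policy(doc)))
    for name, doc in [("S3_READ", S3_READ), ("KMS_WIDE", KMS_WIDE)]:
        print(name, json.dumps(lint_permissions_policy(doc)))
```

A finding is a prompt to look, not a verdict: the Glue schema statement on this page legitimately uses Resource "*", and the results-writer role needs s3:PutObject, which is why lint_permissions_policy takes read_only=False for that role. The checks that should never be waived are the trust-policy ones, because a trust statement without a membership or external ID condition lets the service assume the role on behalf of any collaboration.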