Administrator

Step 3. Set up an IAM role

Create an IAM role to establish trust between your AWS account and the Informatica AWS account so that the serverless runtime environment can create an ENI and securely connect to data sources in your cloud environment.
Create a cross-account IAM role in your AWS account that identifies Informatica as a trusted entity.
  1. Create a role for another AWS account.
  2. In the trust relationship, specify the Informatica account number and the external ID.
    For example, specify the following policy in the trust relationship:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<Informatica account>:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<External ID>"
            }
          }
        }
      ]
    }
  3. Edit the role permissions and specify a policy to grant the serverless runtime environment a minimal set of permissions on your account.
    Use the following template for the policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "ec2:DetachNetworkInterface",
            "ec2:DeleteTags",
            "ec2:DescribeTags",
            "ec2:CreateTags",
            "ec2:DeleteNetworkInterface",
            "ec2:DescribeSecurityGroups",
            "ec2:CreateNetworkInterface",
            "ec2:DeleteNetworkInterfacePermission",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeAvailabilityZones",
            "ec2:CreateNetworkInterfacePermission",
            "ec2:AttachNetworkInterface",
            "ec2:DescribeNetworkInterfacePermissions",
            "ec2:DescribeSubnets",
            "ec2:DescribeNetworkAcls"
          ],
          "Resource": "*"
        },
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:DeleteObject",
            "s3:GetBucketAcl"
          ],
          "Resource": [
            "arn:aws:s3:::<S3 location for supplementary files>",
            "arn:aws:s3:::<S3 location for supplementary files>/*"
          ]
        }
      ]
    }
For more information about setting up cross-account IAM roles, refer to the AWS documentation.
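The following policy check is an added example, not part of the Informatica documentation or product. It verifies the two properties the steps above depend on: the trust relationship limits sts:AssumeRole to a named account and requires the sts:ExternalId condition (the control against a confused-deputy use of the role), and the permissions policy stays within the ec2/s3 actions of the template with S3 access scoped to the supplementary-files bucket rather than Resource "*". The account ID, external ID and bucket name are constructed placeholders.

```python
# Constructed sample policies shaped like the templates on this page.
# Account id, external id and bucket name are placeholders, not real values.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}

PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface",
                "ec2:DescribeNetworkInterfaces", "ec2:DescribeSubnets"]},
    {"Sid": "VisualEditor1", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-supplementary-files",
                  "arn:aws:s3:::example-supplementary-files/*"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_findings(policy):
    """Return problems found in a cross-account trust policy (empty list = OK)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in principals:
            findings.append("AssumeRole allowed for any AWS principal")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("AssumeRole statement has no sts:ExternalId condition")
    return findings

def permissions_policy_findings(policy, allowed_prefixes=("ec2:", "s3:")):
    """Return problems found in the role's permissions policy (empty list = OK)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt.get("Action", [])), _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action!r}")
            elif not action.startswith(allowed_prefixes):
                findings.append(f"action outside ENI/S3 scope: {action!r}")
        # The ec2 ENI actions in the template use Resource "*"; only S3 must be bucket-scoped.
        if any(a.startswith("s3:") for a in actions) and "*" in resources:
            findings.append("S3 actions granted on Resource '*'; scope them to the supplementary-files bucket")
    return findings
```

Run both functions against the policy documents you attached to the role before handing the role ARN over; an empty list from each means the role matches the shape this step describes.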


Updated November 30, 2020