Administrator

Step 3. Set up an IAM role

Create a cross-account IAM role in your AWS account that names the Informatica AWS account as a trusted entity. The role establishes trust between your AWS account and the Informatica AWS account so that the serverless runtime environment can create an elastic network interface (ENI) in your VPC and securely connect to data sources in your private cloud.
  1. Create a role for another AWS account.
  2. In the trust relationship, specify the Informatica account number and the external ID. The sts:ExternalId condition means the role can be assumed only by a caller from the Informatica account that also presents the external ID, which protects the role against the confused-deputy problem. Do not omit the condition or widen the principal to "*".
    For example, specify the following policy in the trust relationship:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<Informatica account>:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "<External ID>"
                    }
                }
            }
        ]
    }
  3. Edit the role permissions and attach a policy that grants the serverless runtime environment a minimal set of permissions on your account: the EC2 actions needed to create, tag, attach, detach and delete the ENI and to describe the subnets, security groups, availability zones and network ACLs it is placed in, plus read, write, list and delete access to the S3 location that holds the supplementary files. Most ec2:Describe* actions do not support resource-level permissions, so the EC2 statement uses "Resource": "*"; keep the S3 statement scoped to the supplementary-files location rather than widening it to all buckets.
    Use the following template for the policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ec2:DetachNetworkInterface",
                    "ec2:DeleteTags",
                    "ec2:DescribeTags",
                    "ec2:CreateTags",
                    "ec2:DeleteNetworkInterface",
                    "ec2:DescribeSecurityGroups",
                    "ec2:CreateNetworkInterface",
                    "ec2:DeleteNetworkInterfacePermission",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:CreateNetworkInterfacePermission",
                    "ec2:AttachNetworkInterface",
                    "ec2:DescribeNetworkInterfacePermissions",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeNetworkAcls"
                ],
                "Resource": "*"
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:ListBucket",
                    "s3:DeleteObject",
                    "s3:GetBucketAcl"
                ],
                "Resource": [
                    "arn:aws:s3:::<S3 location for supplementary files>",
                    "arn:aws:s3:::<S3 location for supplementary files>/*"
                ]
            }
        ]
    }
For more information about setting up cross-account IAM roles, refer to the AWS documentation.
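The three steps above, carried out as one script. This is an added example, not Informatica's code: it builds the trust policy from step 2 and the permissions template from step 3, lints the trust policy so a role is never created without the external ID condition or with a wildcard principal, and then creates the role through a boto3 IAM client using the real create_role and put_role_policy calls. The account number, external ID, bucket and role name are placeholders you must replace; the boto3 client is passed in so the policy-building and lint functions run offline.

```python
"""Cross-account role for the serverless runtime environment: build the two
policy documents from steps 2 and 3, lint the trust policy, create the role.
Added example, not Informatica's own code."""
import json
import re

# Placeholder values, not real identifiers: substitute the Informatica account
# number and external ID from Administrator and your own S3 location.
INFORMATICA_ACCOUNT = "123456789012"
EXTERNAL_ID = "replace-with-external-id"
SUPPLEMENTARY_FILES = "my-serverless-bucket/supplementary"

# Actions copied from the permissions template in step 3.
EC2_ACTIONS = [
    "ec2:DetachNetworkInterface", "ec2:DeleteTags", "ec2:DescribeTags",
    "ec2:CreateTags", "ec2:DeleteNetworkInterface", "ec2:DescribeSecurityGroups",
    "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterfacePermission",
    "ec2:DescribeNetworkInterfaces", "ec2:DescribeAvailabilityZones",
    "ec2:CreateNetworkInterfacePermission", "ec2:AttachNetworkInterface",
    "ec2:DescribeNetworkInterfacePermissions", "ec2:DescribeSubnets",
    "ec2:DescribeNetworkAcls",
]
S3_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:ListBucket",
              "s3:DeleteObject", "s3:GetBucketAcl"]


def trust_policy(account_id, external_id):
    """Step 2: only the named account may assume the role, and only when the
    caller presents the external ID (the confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(s3_location):
    """Step 3: ENI management on the account plus S3 access scoped to the
    supplementary-files location, exactly as in the template."""
    arn = f"arn:aws:s3:::{s3_location}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "VisualEditor0", "Effect": "Allow",
             "Action": EC2_ACTIONS, "Resource": "*"},
            {"Sid": "VisualEditor1", "Effect": "Allow",
             "Action": S3_ACTIONS, "Resource": [arn, f"{arn}/*"]},
        ],
    }


def check_trust_policy(policy, expected_account):
    """Lint a trust policy before applying it. Returns a list of findings;
    empty means every Allow statement is as tight as step 2 requires."""
    findings = []
    principal_re = re.compile(rf"arn:aws:iam::{expected_account}:(root|role/.+)")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", "*") if isinstance(principal, dict) else principal
        for p in (aws if isinstance(aws, list) else [aws]):
            if p == "*" or not principal_re.fullmatch(str(p)):
                findings.append(f"unexpected principal {p!r}")
        actions = stmt.get("Action", [])
        for a in (actions if isinstance(actions, list) else [actions]):
            if a != "sts:AssumeRole":
                findings.append(f"only sts:AssumeRole belongs here, found {a!r}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("missing sts:ExternalId condition: any party the "
                            "trusted account acts for could assume this role")
    return findings


def create_role(iam, role_name, account_id, external_id, s3_location):
    """Create the role and attach the inline policy. `iam` is a boto3 IAM
    client (boto3.client("iam")); only create_role and put_role_policy are
    called. Refuses to create a role whose trust policy fails the lint."""
    trust = trust_policy(account_id, external_id)
    findings = check_trust_policy(trust, account_id)
    if findings:
        raise ValueError("; ".join(findings))
    resp = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(trust),
        Description="Cross-account role for the serverless runtime environment",
    )
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName=f"{role_name}-serverless-runtime",
        PolicyDocument=json.dumps(permissions_policy(s3_location)),
    )
    return resp["Role"]["Arn"]


if __name__ == "__main__":
    # Dry run: print both documents and the lint result; no AWS call is made.
    trust = trust_policy(INFORMATICA_ACCOUNT, EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print(json.dumps(permissions_policy(SUPPLEMENTARY_FILES), indent=2))
    print("lint findings:", check_trust_policy(trust, INFORMATICA_ACCOUNT))
```

To apply it for real, call create_role(boto3.client("iam"), "<role name>", "<Informatica account>", "<External ID>", "<S3 location for supplementary files>") with credentials that may create roles in your account; the lint runs first, so a typo that drops the external ID stops the script instead of producing an assumable-by-anyone-in-the-account role.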


Updated August 03, 2020