# Using IAM role-based authentication for AWS Services

AWS IAM role authentication lets you provide a dedicated role in your AWS account for Workato to use. By provisioning a dedicated IAM role, the owner of the AWS account can grant Workato access to AWS resources without sharing long-lived AWS security credentials (an access key ID and secret access key). This also helps maintain permission boundaries: the role's permissions policy controls which AWS services, actions and resources the third-party application (in this case, Workato) may use, and the external ID required by the role's trust policy ensures that only requests made on your behalf can assume the role. When you configure connections using IAM role-based authentication, the external IDs used can be scoped to either the workspace or the project level.

Configuring the IAM role with external IDs scoped at the project level lets you give individual projects more granular access to your AWS resources; for example, allowing Amazon SQS access only from your "DevOps" project instead of from every project in your workspace.

We support IAM role-based authentication for the following AWS services and universal connectors:

  • Amazon Lex
  • Amazon S3
  • Amazon SES
  • AWS Lambda
  • Amazon CloudWatch
  • HTTP Universal Connector

# Prerequisites

To complete the steps in this guide, you must have the following:

  • In Amazon Web Services (AWS):
    • Permissions that allow you to create and modify IAM permissions policies
    • Permissions that allow you to create and modify IAM roles

# Step 1: Select scope of IAM External ID


  1. In Workato, navigate to Settings > Advanced Settings.

  2. Under Amazon Web Services (AWS) access, in the External ID scope field, select either Separate external ID for each project or Single external ID for the workspace.

     External ID scope for AWS access

     If you have existing connections that use the workspace's external ID, Workato asks you to confirm your selection by listing the active connections whose IAM roles you must update. The converse applies if you switch from project-level external IDs to a single external ID for the workspace.

     Confirm separate external IDs

  3. Click Use separate external IDs or Use single external ID to confirm your selection.

# Step 2: Create an AWS IAM role to allow Workato to access your AWS Services

# Step 2.1: Create an IAM permissions policy


  1. Sign in to the AWS Management Console and open the IAM console.

  2. In the navigation pane, click Access management > Policies.

  3. Click Create policy.

  4. On the Create policy page, complete these tasks:

     1. In the Service field, find and select the AWS service that you want Workato to access; for example, SQS.

     2. In the Actions field, select only the actions that Workato needs.

     3. In the Resources field, specify the resources that the role may access. For SQS, restrict the statement to the specific queue by adding the queue's ARN.

     Workato recommends that you grant access to specific resources rather than to all resources. Refer to Amazon's documentation on IAM condition keys for further ways to narrow the permissions to the minimum required.

     The page should look similar to the following:

     Configured IAM access policy in the AWS Create Policy screen

  5. Click Next until you reach the Review policy page.

  6. Enter a Name for the policy.

  7. When finished, click Create policy.

# Step 2.2: Configure the IAM role


  1. In the navigation pane, click Access management > Roles.

  2. On the Roles page, click Create role.

  3. On the Step 1 - Select trusted entity page, complete the following tasks:

     1. For Trusted entity type, select AWS account.

     2. In the An AWS account section, select Another AWS account.

     3. In the Account ID field, paste the value shown in the Workato's AWS Account ID field in Workato.

     4. In the Options section, check the Require external ID box.

     5. In the External ID field, paste the value shown in the External ID field in Workato. This value differs depending on the external ID scope you selected in Step 1. The page should look similar to this:

     Select Trusted Entity Page in AWS Create Role

  4. Click Next.

  5. On the Step 2 - Add permissions page, select the policy you created in Step 2.1.

  6. Click Next.

::: note
If you switch the scope of external IDs from workspace level to project level or vice versa, you must update the external ID accepted by the role for your AWS connection in Workato to remain valid. To do so, open the role's Trust relationships tab and change the accepted external ID value; for example, replace the workspace-scoped "workato_iam_external_id_12345" with a project-scoped external ID such as "workato_iam_external_id_12345_6789".
:::

# Step 2.3: Create the Role

On the Step 3 - Name, review, and create page:

  1. In the Role name field, enter a name for the role.

  2. Review the role's configuration and make changes as needed.

  3. When finished, click Create role.

# Step 3: Add the Role ARN in Workato

# Step 3.1: Retrieve the Role ARN in AWS

After the role has been created, retrieve its role ARN to complete the setup in Workato.

  1. Navigate to the Access management > Roles page.

  2. Locate the role you created and click it to open it.

  3. On the role's details page, locate the ARN field in the Summary section:

     Highlighted ARN field in the Summary section of the roles details page in AWS

  4. Copy the ARN; you need it to complete the next step.

# Step 3.2: Add the Role ARN in Workato


  1. In Workato, navigate to the connection that you want to authorize using an IAM role.

  2. Under Authorization Type, select IAM role.

  3. Paste the ARN into the IAM Role ARN field and complete any other fields the AWS service requires, such as Region.

     Add Role ARN to Workato

  4. Click Connect.
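The documents that the console steps above produce, as an added example that is not Workato's or AWS's own code: a Python script that builds the Step 2.1 permissions policy scoped to one SQS queue, the Step 2.2 trust policy that admits only Workato's account and only with the agreed external ID, a helper for the scope-switch case described in the note, an audit of a trust policy for the mistakes that weaken it, and a format check on the role ARN copied in Step 3.1. The account ID, external IDs, queue ARN and role name are constructed placeholders; take the real values from Workato and from your own account.

```python
"""Build and audit the IAM documents behind Workato's IAM-role authentication.

Added example, not code from Workato or AWS.  Every identifier below is a
constructed placeholder: copy the real AWS Account ID and External ID from
Workato, and use your own queue ARN.
"""
from __future__ import annotations

import json
import re

WORKATO_ACCOUNT_ID = "111111111111"                            # placeholder
WORKSPACE_EXTERNAL_ID = "workato_iam_external_id_12345"        # placeholder
PROJECT_EXTERNAL_ID = "workato_iam_external_id_12345_6789"     # placeholder
QUEUE_ARN = "arn:aws:sqs:us-east-1:222222222222:devops-queue"  # placeholder


def permissions_policy(queue_arn: str) -> dict:
    """Step 2.1: allow only the SQS actions Workato needs, on one named queue."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "WorkatoSqsAccess",
            "Effect": "Allow",
            "Action": ["sqs:SendMessage", "sqs:ReceiveMessage",
                       "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
            "Resource": queue_arn,          # a specific ARN, never "*"
        }],
    }


def trust_policy(workato_account_id: str, external_id: str) -> dict:
    """Step 2.2: only Workato's account may assume the role, and only when it
    presents the external ID Workato shows you (the confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{workato_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def set_external_id(policy: dict, new_external_id: str) -> dict:
    """The note in Step 2.2: after switching the scope in Workato, replace the
    accepted external ID in the trust relationship.  Edits the policy in place."""
    for stmt in policy["Statement"]:
        if "sts:AssumeRole" in _as_list(stmt.get("Action")):
            cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            cond["sts:ExternalId"] = new_external_id
    return policy


def audit_trust_policy(policy: dict, workato_account_id: str) -> list[str]:
    """Findings to clear before pasting the role ARN into Workato."""
    findings: list[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if "*" in principals:
            findings.append("wildcard principal: any AWS account may assume the role")
        if not any(workato_account_id in p for p in principals):
            findings.append(f"principal does not name Workato's account {workato_account_id}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            findings.append("no sts:ExternalId condition: role is exposed to the confused-deputy problem")
    return findings


def _as_list(value) -> list:
    """IAM accepts either a string or a list in Action and Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


# Step 3.1: the value copied from the role's Summary must be an IAM *role* ARN.
_ROLE_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::(\d{12}):role/([\w+=,.@/-]+)$")


def parse_role_arn(arn: str) -> tuple[str, str] | None:
    """Return (account_id, role_name) for a well-formed role ARN, else None."""
    match = _ROLE_ARN.match(arn.strip())
    return (match.group(1), match.group(2)) if match else None


if __name__ == "__main__":
    print(json.dumps(permissions_policy(QUEUE_ARN), indent=2))
    role_trust = trust_policy(WORKATO_ACCOUNT_ID, WORKSPACE_EXTERNAL_ID)
    print(json.dumps(role_trust, indent=2))
    print("audit:", audit_trust_policy(role_trust, WORKATO_ACCOUNT_ID) or "no findings")
```

Running the script prints the two documents; they can be pasted into the console's JSON editor instead of using the visual editor, or passed to `aws iam create-policy --policy-document` and `aws iam create-role --assume-role-policy-document`, after which `aws iam get-role --role-name <name> --query Role.Arn --output text` returns the ARN that Step 3.2 asks for. The audit is the check to run before that paste: a wildcard principal lets any AWS account assume the role, and a missing sts:ExternalId condition lets anyone who learns your role ARN point their own Workato connection at it.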

Last updated: 3/29/2023, 2:00:59 PM