# Using IAM role-based authentication for AWS Services

AWS IAM role authentication allows you to provide a dedicated role in your AWS account for Workato to use. By provisioning a dedicated IAM role, the owner of the AWS account can grant Workato access to AWS resources without sharing AWS security credentials. This also helps to maintain permission boundaries, including controlled access to the specific AWS services and actions that the third-party application (for example, Workato) is permitted to use. When configuring connections using IAM role-based authentication, the external IDs used can be scoped to either the workspace or the project level.

Configuring the IAM role using external IDs scoped at the project level allows you to give individual projects more granular access to your AWS resources. For example, you can allow Amazon SQS access only to your "DevOps" project instead of to all projects in your workspace.

We support IAM role-based authentication for the following AWS Services and universal connectors:

  • Amazon Lex
  • Amazon S3
  • Amazon SES
  • AWS Lambda
  • CloudWatch
  • HTTP Universal Connector

# Prerequisites

You must have the following:

  • In Amazon Web Services (AWS):
    • Permissions that allow you to create and modify IAM permissions policies
    • Permissions that allow you to create and modify IAM roles

# Select the scope of IAM External ID

1. Log in to Workato and navigate to Settings > Advanced Settings.

2. Use the External ID scope drop-down menu to select either Separate external ID for each project or Single external ID for the workspace.

   If you have existing connection credentials that use the workspace's external ID, Workato prompts you to confirm your selection by displaying a list of active connections for which you must update the IAM roles. The converse is true if you are switching from multiple project-level external IDs to a single external ID for the workspace.

3. Click Use separate external IDs or Use single external ID to confirm your selection.

# Create an IAM role

To create an IAM role:

1. Navigate to the AWS Console and select Security Credentials.

2. Select Roles > Create role.

3. Select AWS account under Trusted entity type.

4. Select Another AWS account and enter the Workato AWS account ID: 353360065216.

5. Select the Require external ID check box and provide the Workato-generated External ID.

   • Every Workato user has a unique External ID (for example, workato-user-84762). If you would like more granular control of how AWS is used in Workato, you can configure the connection at the project level by changing the scope of the external ID. Refer to secrets management for more information.

   To find the external ID in Workato: Log in to your account > select Settings > Advanced settings.

   If you have switched the scope of external IDs from the workspace level to the project level or vice versa, you must update the external IDs for the role so that your AWS connection in Workato remains valid. To do so, select Trust relationships and change the value of the accepted external ID, for example, replacing workato_iam_external_id_12345 with a project-level scoped external ID such as workato_iam_external_id_12345_6789.

6. Select appropriate permissions for Workato to run automated workflows in your account.

7. Provide a name and description for the IAM role.

   • Workato recommends that the role name does not rely on a non-guessable resource ID in the ARN and does not include the external ID.

8. Optional. Click the Select trusted entities Edit button to add or edit policies for trusted entities.

9. Optional. Click the Add permissions Edit button to add or edit permissions.

10. Optional. If you are using object tags, select an appropriate tag for this IAM role.

11. Click Create role.
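The trust relationship that the Another AWS account and Require external ID settings above produce, written out as an added example (it is not taken from the Workato documentation or from AWS Console output): the Workato account 353360065216 is the only trusted principal, and the sts:ExternalId condition means the role can be assumed only by a caller that also presents the external ID, which is what protects you against another Workato customer pointing their connection at your role ARN. The external ID value is the project-level example from this page; replace it with the one shown in your Workato Advanced settings.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowWorkatoToAssumeRoleWithExternalId",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::353360065216:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "workato_iam_external_id_12345_6789"
        }
      }
    }
  ]
}
```

When you switch the external ID scope in Workato, this StringEquals value is the one to edit under Trust relationships; a role whose trust policy has no sts:ExternalId condition at all should be treated as misconfigured.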

# Create an IAM permissions policy

1. Navigate to the AWS Console and open the IAM console.

2. Select Access management > Policies.

3. Click Create Policy.

4. Find and select the AWS service that you plan to allow Workato to access.

5. Select the necessary permissions in the Actions field.

6. Specify the resources to which you plan to allow the role access.

   Workato recommends that you grant access to specific resources. Refer to Amazon's documentation for more information about using condition keys to grant minimal permissions.

   The page should look similar to the following:

   Screenshot: Configured IAM access policy in the AWS Create Policy screen

7. Click Next until you reach the Review policy page.

8. Enter the Name for the policy.

9. Click Create policy when finished.
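An added example of a permissions policy scoped to specific resources, as recommended above (constructed for this page, not taken from the Workato documentation): it lets the role list and read or write objects in one S3 bucket only, and the s3:prefix condition key narrows listing to a single key prefix. The bucket name example-workato-bucket and the prefix exports/ are placeholders; substitute your own, and keep the object-level actions on the bucket/* resource rather than "*".

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyTheExportsPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-workato-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": "exports/*"
        }
      }
    },
    {
      "Sid": "ReadWriteObjectsUnderExportsOnly",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-workato-bucket/exports/*"
    }
  ]
}
```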

# Retrieve IAM role ARN

To retrieve the Role ARN required for the connection setup:

1. Navigate to the AWS Console > My Security Credentials > Roles.

2. Use the search box to locate the IAM role whose ARN you plan to use for the connection, then select the role to view the summary.

3. Copy the Role ARN. You must use this in the connection setup when creating an Amazon connection in Workato.

# Add the Role ARN in Workato

1. Log in to your Workato account and click Connections under the Assets menu.

2. Select IAM role from the Authorization Type drop-down menu.

3. Paste the ARN value in the IAM Role ARN field and complete any other required fields for the AWS service, for example, Region.

4. Click Connect.

Last updated: 5/29/2024, 5:39:08 PM