Configuring Cross Account IAM Role Support for Amazon SQS Snaps

In this article


  • Familiarity with the SnapLogic and AWS platforms.
  • AWS Account with S3 buckets.

Key Steps

  1. Creating a Cross Account IAM Role and Policy in AWS Account.

  2. Associating the IAM Policy to the Created Role.

  3. Account Settings for Access Through SnapLogic

Creating a Cross Account IAM Role and Policy in AWS Account

Cross Account IAM Role enables a client from an AWS account to access the resources of another AWS account temporarily using the Binary Snaps that support reading from/writing into S3 buckets. This helps organizations or various teams in an organization to access each other's AWS account without compromising security by sharing AWS credentials.

You can briefly allow access to your AWS account and specify the access duration. You must create a role and policy in your AWS account. The policy created by the host is attached to the access seeker's account. This cross account IAM role enables SnapLogic to trigger the necessary APIs.


  1. Log in to the AWS Management Console and navigate to IAM > Roles.

  2. Click Create roleAnother AWS Account. Specify the account ID for the other account, that will access your account. 

  3. Enter the account number of the access seeker in the Account ID field, which is available in the Support Center. OptionalSelect Options check box to add a security layer to authenticate for each Login.

  4. Click Next: Permissions. The Attach permissions policies screen displays, where you can set the permissions. Select the check box adjacent to the applicable policy for the current role.

  5. Optional Click Next: TagsAdd tags as appropriate.

  6. Click Next: Review to skip to the next screen.

  7. Review the information, add a name for the role, and click Create role.
  8. The Summary page displays the Amazon Resource Name number. Make a note of this ARN, as you will need it when completing the AWS IAM Role account settings.


Associating the IAM Policy with the Created Role


  1. In your AWS console, click Users and select the User name to associate the IAM Policy.

  2. In the Summary screen, and click Add inline policy to attach the policy.

  3. Click the JSON tab and enter the following policy in the editor. Click the JSON tab, enter the following policy in the editor, and then click Review policy.

        "Version": "2012-10-17",
        "Statement": [
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "<Role ARN>"

4. Review the policy summary. Add a name and optionally, a description for this policy, and click Create policy

The policy is created and can be assigned to the cross-account IAM role. 

Amazon SQS Account Settings for Access Through SnapLogic

You can configure the cross account IAM Role in Amazon SQS Account. Enter the credentials provided for the IAM role. Enter Role ARN and External ID (if setup by the host) provided from the host S3 account.


Using Access-Key ID and Secret key:

  1. Enter the Access-Key ID, Secret key of the host S3 account. The credentials should belong to the IAM user to whom you have attached a policy previously.
  2. Enter the Role ARN and External ID provided by the S3 host account.


Using IAM role checkbox:

  1. For an account used in EC2 groundplex with IAM role configured, select the IAM role check box.
  2. Enter the Role ARN and External ID provided by the S3 host account.