
Configure an IAM role

Introduction

Welcome to the IAM role configuration journey! This guide will walk you through setting up an AWS IAM role for use with Outerbounds to access AWS services.

📈 Learning objectives

In this journey you will:

  • Create an IAM role with appropriate permissions
  • Configure the role for use with Outerbounds
  • Test the role with S3 and other AWS services
  • Learn how to make this role the default for your deployment

Create IAM role

  1. Go to the AWS IAM console and create a new role
  2. Open the Outerbounds Integrations page and select "IAM Role"
  3. Copy the trust relationship shown in the UI and paste it into your role's trust policy
  4. Add the required tag to your role:
    • Key: outerbounds.com/accessible-by-deployment
    • Value: Copy the value shown in the Outerbounds UI form
  5. Create your role and note your role ARN - you'll need it for the next steps
  6. Attach any AWS policies needed for your use case (e.g., S3, Athena)
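The check below is an added example, not Outerbounds' own code. It audits a role after steps 3 and 4 for the required tag and for a trust policy that allows any principal. The role dicts mimic the shape of boto3's `iam.get_role()["Role"]`; the function name, tag value, account ID and trust policy contents are constructed placeholders, since the real values come from the Outerbounds UI.

```python
import json

TAG_KEY = "outerbounds.com/accessible-by-deployment"  # tag key from step 4
EXPECTED = "<value-from-outerbounds-ui>"              # placeholder, copy from the UI form

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_role(role, expected_tag_value):
    """Return findings for a role dict shaped like boto3 iam.get_role()['Role']."""
    findings = []
    tags = {t["Key"]: t["Value"] for t in role.get("Tags", [])}
    if TAG_KEY not in tags:
        findings.append("missing tag " + TAG_KEY)
    elif tags[TAG_KEY] != expected_tag_value:
        findings.append("tag value does not match the Outerbounds UI value")

    trust = role.get("AssumeRolePolicyDocument") or {}
    if isinstance(trust, str):  # some tools return the policy as a JSON string
        trust = json.loads(trust)
    allows = [s for s in _as_list(trust.get("Statement", []))
              if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("trust policy has no Allow statement")
    for stmt in allows:
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):
            values = [principal]
        else:
            values = [v for vs in principal.values() for v in _as_list(vs)]
        if "*" in values:
            findings.append("trust policy allows any principal (*)")
    return findings

# Constructed sample roles (not real Outerbounds trust relationships).
GOOD_ROLE = {
    "Tags": [{"Key": TAG_KEY, "Value": EXPECTED}],
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-caller"}}]},
}
BAD_ROLE = {
    "Tags": [],
    "AssumeRolePolicyDocument": {"Statement": {
        "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}},
}

if __name__ == "__main__":
    print(audit_role(GOOD_ROLE, EXPECTED))
    print(audit_role(BAD_ROLE, EXPECTED))
```

To run it against a live role, pass `boto3.client("iam").get_role(RoleName=...)["Role"]` as the first argument.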

Test S3 access

To use your role with S3, simply specify it when creating the S3 client:

from metaflow import S3

# Use your role ARN
s3 = S3(role='arn:aws:iam::123456789012:role/my-role')

# Now you can use S3 normally
data = s3.get('s3://my-bucket/my-data.csv')

Test other AWS services

For other AWS services, use get_aws_client with your role:

from metaflow import get_aws_client

# Example with EMR
emr_client = get_aws_client('emr', role_arn='arn:aws:iam::123456789012:role/my-role')

# Example with Athena
athena_client = get_aws_client('athena', role_arn='arn:aws:iam::123456789012:role/my-role')

You can use this pattern both in workstation notebooks and in workflow tasks.

Next steps

Now that you have configured and tested your IAM role, you can:

  • Add additional AWS service permissions to the role as needed
  • Use the role in your Metaflow flows to access AWS services securely
  • See AWS IAM best practices