Configure a Role to Assume on Behalf of a User

Alation Cloud Service Applies to Alation Cloud Service instances of Alation

Customer Managed Applies to customer-managed instances of Alation

Use the information in this section if you are configuring a role to assume on behalf of an IAM user to access Secrets Manager from Alation.

Step 1: Create an AWS IAM Role for the User to Assume

This step is performed in the AWS IAM console

For the Secrets Manager integration, you’ll need an AWS IAM role granting access to AWS Secrets Manager. Here and below, a substitute name read_secrets_role is used to refer to this role.

If you haven’t established a read_secrets_role yet, create one:

  1. Log in to the AWS IAM management console.

  2. From the left-hand menu, under Access management, select Policies.

  3. Click Create policy. The policy editor will open.

  4. Under Select a service, type secrets in the search bar and select Secrets Manager. This will display actions relevant to the service.

  5. Under Actions allowed, expand the Read list and select the checkbox for the action GetSecretValue.

  6. Under Resources, select All.



    You can restrict the permissions by providing access to specific resources only:

    1. Instead of All, select Specific.

    2. Click Add ARNs to specify the resources by entering the resource’s region, ARN (Amazon Resource Name), and secret.

    You can adjust the resource permissions anytime by editing this policy.

  7. Click Next. The Review and create screen will open.

  8. Under Policy details, in the Policy name field, provide a meaningful name.

  9. Review the details, and click Create policy to create the policy. It will be added to the list of policies under your AWS account. Your policy JSON will look similar to the following:

      "Version": "2012-10-17",
      "Statement": [
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*"
  10. From the left-hand menu, under Access management, select Roles.

  11. Click Create role. The role editor will open.

  12. Leave AWS service as the Trusted entity type (default) and select EC2 as the Use case.

  13. Click Next. The Add permissions screen will open.

  14. Under Permissions policies, search for the policy you created to allow reading secrets from Secrets Manager (steps 2-9 of this instruction). When found, select the checkbox of this policy in the policies table.

  15. Click Next. The Name, review, and create screen will open.

  16. In the Role name field, provide a meaningful name. We’ll use read_secrets_role as example.

  17. In the Description field, provide a description.

  18. Review the role information and click Create role to create the role. It will be added to the list of roles under your AWS account. This role will be assumed by the instance profile to access Secrets Manager from Alation.

  19. Open the properties of the read_secrets_role. Under Summary, locate its ARN. Save the ARN for future reference.

Step 2: Establish an IAM User Account to Access Secrets Manager

This step is performed in the AWS IAM console

You’ll need:

To establish an IAM user to access secrets manager:

  1. In the AWS user interface, open the IAM console (IAM dashboard).

  2. In the left-hand menu, under Access Management, select Users.

  3. Select the user for whom you want to create access keys or create a dedicated user for Alation.

  4. Ensure that the IAM user has permission to assume roles. It should have a permission policy that includes lines such as the following:

      "Version": "2012-10-17",
      "Statement": [
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*"

    The Resource field must be populated with the Amazon Resource Number (ARN) of the desired role or a wildcard such as * which provides the ability to assume any role. For detailed steps on creating users, refer to Creating an IAM user in your AWS account in AWS documentation.

    For example, the following screenshot shows a user with the permission policy AssumeAllRoles with the code shown above that allows it to perform AssumeRole on any role.

  5. Open the Security credentials tab of the user’s page and locate the Access keys section. Click Create access key in this section.

  6. Create an access key ID and a secret access key. See Managing access keys for IAM users - AWS Identity and Access Management for more details.

  7. Save both the values and the user’s ARN for future reference.

Step 3: Define a Trust Relationship on the IAM Role to be Assumed

This step is performed in the AWS IAM console

You’ll need:

Define a trust relationship between the read_secrets_role and the user through adding a trust relationship:

  1. In the IAM console, open the properties of the read_secrets_role.

  2. Click Trust Relationships and then click Edit trust policy.

  3. Click the Add button beside Add a principal.

  4. Click the Principal type dropdown and select IAM users.

  5. Enter the ARN of the IAM user in the ARN field, and then click Add principal:

  6. Click the Add button beside Add a condition.

  7. In the dialog that appears, click the dropdown button under Condition key and type externalId in the search box that appears.

  8. Select the result sts::ExternalId.

  9. Click the dropdown button under Operator and select StringEquals from the choices offered.

  10. Under Value, enter a unique ID. AWS suggests using one external ID per AWS account, with a randomly generated external ID.

  11. Click Add condition.

  12. Click Update policy. You will see a confirmation that the trust policy has been successfully updated.

  13. Save the value of the Maximum session length of the read_secrets_role located on the role properties page under the ARN. You will need it in the steps that follow. If you want to adjust this value before using the role in Alation, refer to Modifying a role maximum session duration (console) in AWS documentation.

Step 4: Create an Authentication Profile

This step is performed in Alation

You’ll need:

To create an authentication profile:

  1. Log in to your Alation instance as a Server Admin.

  2. Click the Admin Settings icon gear on top right to open the Admin Settings page.

  3. Under the Server Admin section, click Authentication to open the Authentication tab.

  4. Locate the section Authentication Configuration Methods for External Systems. Click Add Configuration, and then select AWS Secrets Manager as the method type. The Authentication Configuration Method page will open in a new browser tab.

  5. In Config Name, enter a unique name for the configuration.

  6. Under Region, select the appropriate AWS region for the Secrets Manager service (the region under which your secrets are stored).

  7. Under Authentication Type, select IAM Role (or the option iam_role on versions older than 2024.1.1). A number of fields will appear.

  8. Under AWS Access Key, enter the AWS access key of the IAM user.

  9. Under AWS Secret Key, enter the AWS secret access key associated with the IAM user’s access key.

  10. Under Role ARN, enter the ARN of the read_secrets_role.

  11. Under External ID, enter the External ID you specified as a condition for the read_secrets_role.

  12. Under STS Duration, enter a value in seconds greater than 900 and less than the maximum session duration specified for your read_secrets_role.

  13. Click Save. Alation attempts to create a connection, and if the connection is successful, the configuration is saved.

Now, you can use your integration with an OCF connector. See next: Configure Authentication with AWS Secrets Manager in Data Source Settings.