
Insert Trust Relationship in AWS IAM Role

If you are using per-user authentication through an AWS IAM role, you must insert a trust relationship into the role so that Alteryx One can use it.

Prerequisites:

Note

These steps should be performed by an AWS administrator.

Please acquire the following information:

  • Account ID: The AWS account identifier that Alteryx One should use for access.

    Note

    This value is provided to you by Alteryx.

    After it has been specified, this value is available for workspace administrators through the Admin console.

  • External ID: The external identifier is set within Alteryx One. This value is available for workspace administrators through the Admin console.

  • IAM role: The AWS IAM role that Alteryx One should use.

For more information on the AWS Principal options described below, please review https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html.

Steps:

  1. Log in to the AWS console.

  2. Open the IAM role for use with Alteryx One.

  3. Insert the following AWS policy snippet to define the trust relationship for this role:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "<aws_account_id>"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringLike": {
              "sts:ExternalId": [
                "<external_id>"
              ]
            }
          }
        }
      ]
    }

    where:

    Setting             Description
    <aws_account_id>    The AWS account identifier for Alteryx One
    <external_id>       The external identifier generated by Alteryx One

  4. Save the IAM role definition.

    Note

    The AWS account ID value must be applied to every user profile that requires access through this IAM role. See User Profile Page.
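
One way to check a saved trust policy against the snippet in step 3, shown as an added example that is not Alteryx code: it lints the policy JSON for the expected account principal and a non-wildcard external ID condition. The function names and the sample account ID and external ID are constructed for illustration.

```python
import json

# Constructed sample values; the real ones come from the Admin console.
ACCOUNT_ID, EXTERNAL_ID = "111122223333", "example-external-id"

def _as_list(value):  # IAM accepts a single string or a list in these fields
    return value if isinstance(value, list) else [value]

def lint_trust_policy(policy_json, account_id, external_id):
    """Return findings for a role trust policy; an empty list means it matches."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if not aws:
            findings.append(f"statement {i}: no AWS principal")
        for p in aws:
            # The bare account ID and its root ARN are equivalent forms.
            if p not in (account_id, f"arn:aws:iam::{account_id}:root"):
                findings.append(f"statement {i}: unexpected principal {p!r}")
        seen = []
        for operator, keys in stmt.get("Condition", {}).items():
            for key, value in keys.items():
                if key.lower() != "sts:externalid":
                    continue
                seen += _as_list(value)
                # StringLike treats * and ? as wildcards, widening the match.
                if operator == "StringLike" and any(c in v for v in _as_list(value) for c in "*?"):
                    findings.append(f"statement {i}: wildcard in StringLike external ID")
        if not seen:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif seen != [external_id]:
            findings.append(f"statement {i}: external ID differs from expected value")
    return findings

def make_policy(principal, condition):
    """Build a constructed trust policy shaped like the snippet in step 3."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

if __name__ == "__main__":
    good = make_policy({"AWS": ACCOUNT_ID}, {"StringLike": {"sts:ExternalId": [EXTERNAL_ID]}})
    weak = make_policy({"AWS": "*"}, {"StringLike": {"sts:ExternalId": ["example-*"]}})
    print(lint_trust_policy(good, ACCOUNT_ID, EXTERNAL_ID))
    print(lint_trust_policy(weak, ACCOUNT_ID, EXTERNAL_ID))
```

To lint a live role, pass in the trust policy document exported from the IAM console in place of the constructed samples.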