
# AWS

> Integrate AWS services to Ryft with an IAM role. Use CloudFormation, Terraform, or configure the role manually in your account.

Ryft reads your catalog and table metadata through a single cross-account IAM role that Ryft's AWS account assumes with an External ID. Create the role with CloudFormation or Terraform (Option A) or build it manually in the console (Option B).

## Option A: Create IAM Role with CloudFormation / Terraform

<Tabs>
  <Tab title="CloudFormation">
    For the simplest integration, we recommend using our CloudFormation template to create the role. Click [here](https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?param_EnableAthenaAccess=true\&stackName=Ryft-Access\&templateURL=https://ryft-public-us-east-1.s3.us-east-1.amazonaws.com/integrations-templates/RyftControlPlaneRole.yaml)
    to launch the CloudFormation template.
  </Tab>

  <Tab title="Terraform">
    If you prefer to use Terraform, you can download and use the module [here](https://ryft-public-us-east-1.s3.us-east-1.amazonaws.com/integrations-templates/RyftControlPlaneRole.tf) to create the IAM role.
  </Tab>
</Tabs>

<Note>
  * Make sure to enter the External ID provided to you by Ryft. The External ID is what ties the role to your Ryft tenant and prevents a confused-deputy assumption by anyone else who knows the role ARN.
  * Before launching the stack, make sure you are logged in to the AWS account in which the access role should be created.
  * To disable Glue access, set `EnableGlueAccess` to `false`.
  * To disable Athena access, set `EnableAthenaAccess` to `false`.
</Note>

## Option B: Create the IAM Role manually

1. Log in to your AWS account
2. Security, Identity & Compliance → IAM → Roles
3. Click **Create Role**
4. Select **AWS Account**
5. Select **Another AWS Account**
6. Enter Ryft's AWS account ID: **864981746572**
7. Enable **Require External ID**, and enter the External ID received from Ryft
8. Skip the permissions step for now; the policies are created in the next section
9. Give the role a name, e.g. `Ryft-ControlPlaneRole`
10. Click **Create Role**
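The console steps above produce a trust policy for the role. The following Python is an added example, not Ryft's code: it builds that trust policy from the account ID given on this page and a placeholder External ID, and runs a check on the confused-deputy guards (principal limited to Ryft's account, `sts:AssumeRole` only, a non-empty `sts:ExternalId` condition) that you may want to run before handing the role ARN over. The `trust_policy_problems` checker and its rules are the example's own; the printed JSON can be pasted into the console's trust-policy editor or passed to `aws iam create-role --assume-role-policy-document`.

```python
"""Trust policy for the Ryft access role, plus a scoping check.

Added example, not Ryft's code. RYFT_ACCOUNT_ID comes from the page;
the External ID passed in must be the one Ryft gave you.
"""
import json

RYFT_ACCOUNT_ID = "864981746572"  # Ryft's AWS account ID, as stated on this page


def ryft_trust_policy(external_id: str) -> dict:
    """Trust policy equivalent to the console choices 'Another AWS Account'
    (Ryft's account) with 'Require External ID' enabled."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{RYFT_ACCOUNT_ID}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_problems(policy: dict, expected_account: str = RYFT_ACCOUNT_ID) -> list:
    """Return findings; an empty list means the trust policy is scoped as intended.

    Checks: exactly one Allow statement, principal is the expected account (and
    not '*' or a list), only sts:AssumeRole, and a non-empty sts:ExternalId.
    """
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    if len(statements) != 1:
        problems.append(f"expected exactly 1 trust statement, found {len(statements)}")
    allowed_principals = {f"arn:aws:iam::{expected_account}:root", expected_account}
    for st in statements:
        if st.get("Effect") != "Allow":
            problems.append("trust statement is not an Allow")
        principal = st.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*":
            problems.append("principal is '*': any AWS account could assume the role")
        elif isinstance(aws, list) or aws not in allowed_principals:
            problems.append(f"principal {aws!r} is not the Ryft account {expected_account}")
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        extra = set(actions) - {"sts:AssumeRole"}
        if extra:
            problems.append(f"unexpected actions in trust policy: {sorted(extra)}")
        ext_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            problems.append("no sts:ExternalId condition: role is open to confused-deputy abuse")
    return problems


if __name__ == "__main__":
    # Placeholder External ID; replace with the value Ryft provided.
    policy = ryft_trust_policy("REPLACE-WITH-EXTERNAL-ID-FROM-RYFT")
    print(json.dumps(policy, indent=2))
    print("problems:", trust_policy_problems(policy))
```

Run it once with the real External ID to get the JSON, and run `trust_policy_problems` against any trust policy you edited by hand; a role whose trust policy drops the `sts:ExternalId` condition or widens the principal is exactly what the checker reports.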

### AWS Policies

#### AWS S3

1. IAM → Roles → Search for **Ryft-ControlPlaneRole** (or the name you used)
2. Add permissions → Create inline policy → Select the **JSON** tab
3. Paste the following policy, replacing `<bucket>` with the bucket that holds your tables. `s3:GetObject` is limited to `metadata/` paths, so the role can read table metadata files but not data files stored outside a `metadata/` prefix; `s3:ListBucket` lets it enumerate those paths
4. Give the policy a name (e.g. `RyftS3AccessPolicy`) and save it
5. Confirm the policy now appears under the **Permissions** tab of **Ryft-ControlPlaneRole**

```json {11,21} theme={null}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3MetadataAccess",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket>/*/metadata/*"
            ]
        },
        {
            "Sid": "AllowListBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket>"
            ]
        }
    ]
}
```

#### AWS Glue

1. IAM → Roles → Search for **Ryft-ControlPlaneRole** (or the name you used)
2. Add permissions → Create inline policy → Select the **JSON** tab
3. Paste the following policy, replacing `<region>` and `<account>` with the Region and account ID of your Glue Data Catalog. Glue ARNs are Region-specific, so if your tables live in catalogs in several Regions, repeat the four resource ARNs for each. All actions are read-only `Get*` calls
4. Give the policy a name (e.g. `RyftGlueAccessPolicy`) and save it
5. Confirm the policy now appears under the **Permissions** tab of **Ryft-ControlPlaneRole**

```json {16-19} theme={null}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGlueCatalogTableAccess",
            "Effect": "Allow",
            "Action": [
                "glue:GetTable",
                "glue:GetTables",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:GetCatalog",
                "glue:GetCatalogs"
            ],
            "Resource": [
                "arn:aws:glue:<region>:<account>:table/*/*",
                "arn:aws:glue:<region>:<account>:catalog",
                "arn:aws:glue:<region>:<account>:catalog/*",
                "arn:aws:glue:<region>:<account>:database/*"
            ]
        }
    ]
}
```

#### AWS Athena

1. IAM → Roles → Search for **Ryft-ControlPlaneRole** (or the name you used)
2. Add permissions → Create inline policy → Select the **JSON** tab
3. Paste the following policy. All actions are read-only; the `Resource` is `*` because the Athena `List*` actions it grants are not resource-scoped
4. Give the policy a name (e.g. `Ryft-AthenaMetadataAccess`) and save it
5. Confirm the policy now appears under the **Permissions** tab of **Ryft-ControlPlaneRole**

```json theme={null}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Ryft-AthenaMetadataAccess",
            "Effect": "Allow",
            "Action": [
                "athena:ListWorkGroups",
                "athena:GetWorkGroup",
                "athena:GetQueryExecution",
                "athena:GetQueryRuntimeStatistics",
                "athena:BatchGetQueryExecution",
                "athena:ListQueryExecutions",
                "athena:ListDataCatalogs",
                "athena:GetDataCatalog"
            ],
            "Resource": "*"
        }
    ]
}
```

<Check>
  You are done! Locate the ARN of the role you have just created (**Ryft-ControlPlaneRole**, or the name you used) and provide it to Ryft; we will then finish setting up the integration.
  The ARN should look similar to: `arn:aws:iam::<account>:role/Ryft-ControlPlaneRole`
</Check>
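Before sending the role ARN to Ryft, it is worth checking that the role carries only the read-only policies above and that no placeholder was left in place. The following Python linter is an added example, not Ryft's tooling: it embeds the page's S3, Glue and Athena policies, fills `<bucket>`, `<region>` and `<account>` from a dictionary of made-up values, and flags any action that is not a `Get`/`List`/`Describe`/`BatchGet` call, any unresolved `<placeholder>`, and any `Resource: "*"` outside the Athena policy (whose list calls are not resource-scoped). The read-only prefix list and the sample values are the example's own assumptions.

```python
"""Lint the Ryft role's inline policies before handing over the role ARN.

Added example, not Ryft's tooling. The three policy documents are the ones on
this page; PLACEHOLDERS holds constructed values for the example only.
"""
import json
import re

# Constructed sample values; replace with your own bucket, Region and account ID.
PLACEHOLDERS = {"<bucket>": "my-lakehouse-bucket", "<region>": "us-east-1", "<account>": "111122223333"}

# Action verbs we accept on a metadata-reading role; anything else is over-privilege.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "BatchGet")
# The page's Athena policy uses Resource "*" because its List* calls take no resource ARN.
WILDCARD_RESOURCE_SERVICES = {"athena"}
PLACEHOLDER = re.compile(r"<[A-Za-z_]+>")

S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowS3MetadataAccess", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::<bucket>/*/metadata/*"]},
        {"Sid": "AllowListBucket", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::<bucket>"]},
    ],
}
GLUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowGlueCatalogTableAccess", "Effect": "Allow",
        "Action": ["glue:GetTable", "glue:GetTables", "glue:GetDatabase", "glue:GetDatabases",
                   "glue:GetCatalog", "glue:GetCatalogs"],
        "Resource": ["arn:aws:glue:<region>:<account>:table/*/*", "arn:aws:glue:<region>:<account>:catalog",
                     "arn:aws:glue:<region>:<account>:catalog/*", "arn:aws:glue:<region>:<account>:database/*"],
    }],
}
ATHENA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Ryft-AthenaMetadataAccess", "Effect": "Allow",
        "Action": ["athena:ListWorkGroups", "athena:GetWorkGroup", "athena:GetQueryExecution",
                   "athena:GetQueryRuntimeStatistics", "athena:BatchGetQueryExecution",
                   "athena:ListQueryExecutions", "athena:ListDataCatalogs", "athena:GetDataCatalog"],
        "Resource": "*",
    }],
}


def fill_placeholders(policy: dict, values: dict) -> dict:
    """Return a copy of `policy` with every <placeholder> key in `values` substituted."""
    text = json.dumps(policy)
    for key, val in values.items():
        text = text.replace(key, val)
    return json.loads(text)


def policy_findings(policy: dict) -> list:
    """Return human-readable findings for a permission policy; empty means it passes."""
    findings = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "(no Sid)")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        services = set()
        for action in actions:
            service, _, verb = action.partition(":")
            services.add(service)
            if "*" in action or not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(f"{sid}: {action} is not a read-only metadata action")
        for res in resources:
            if PLACEHOLDER.search(res):
                findings.append(f"{sid}: unresolved placeholder in {res}")
            if res == "*" and services - WILDCARD_RESOURCE_SERVICES:
                findings.append(f"{sid}: Resource '*' granted for {sorted(services)}")
    return findings


def check_role_policies(values: dict = PLACEHOLDERS) -> dict:
    """Fill the page's three policies and lint each; returns {policy name: findings}."""
    return {name: policy_findings(fill_placeholders(pol, values))
            for name, pol in (("S3", S3_POLICY), ("Glue", GLUE_POLICY), ("Athena", ATHENA_POLICY))}


if __name__ == "__main__":
    for name, findings in check_role_policies().items():
        print(name, "OK" if not findings else findings)
```

Point `policy_findings` at the policy JSON you actually saved on the role (for instance the output of `aws iam get-role-policy`) rather than at the embedded copies; a pasted `s3:*`, a leftover `<bucket>`, or a `Resource: "*"` on the S3 or Glue statement all show up as findings.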

## Glue Metadata Encryption

If your Glue Data Catalog metadata is encrypted with a KMS key, the role created above also needs permissions on that key, or its Glue `Get*` calls will fail with access-denied errors. Attach a policy like the following, replacing the example key ARN with the ARN of the key that encrypts your catalog.

```json {11} theme={null}
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:GenerateDataKey"
        ],
        "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id"
      }
    ]
}
```

## AWS Lake Formation

If you are using AWS Lake Formation to manage access to your Glue Catalog, ensure that the role you created above has the necessary Lake Formation permissions as well.
Follow the AWS documentation [here](https://docs.aws.amazon.com/lake-formation/latest/dg/granting-database-permissions.html) to grant the required permissions to the role.

## Amazon S3 Access Points

If you are using Amazon S3 Access Points as the storage location for your tables, ensure that the role you created above also has the necessary permissions on the access point.
The access point policy should grant the same S3 actions as above, with the resources expressed as access point ARNs: `arn:aws:s3:<region>:<account_id>:accesspoint/<access_point_name>` for `s3:ListBucket`, and `arn:aws:s3:<region>:<account_id>:accesspoint/<access_point_name>/object/*/metadata/*` for `s3:GetObject`.
For more details, see the AWS documentation [here](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-policies.html).
