> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ryft.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Managed Deployment

> Set up Ryft managed deployment where Ryft hosts and operates everything. Create a data plane IAM role for catalog and S3 access in your account.

## Overview

Ryft offers a fully managed deployment model, for customers who want the fastest and simplest onboarding experience. In this model, Ryft hosts and operates your deployment, provisioned and fully managed on your behalf.

### Step 1: Obtain your Execution Role & External ID

Reach out to the Ryft team to begin your setup. We’ll provide you with a unique IAM role & External ID used to establish secure cross-account access via IAM.

### Step 2: Create the Data Plane Role

Create an IAM role in your AWS account:

<Tabs>
  <Tab title="CloudFormation">
    The easiest way to get started is using our provided CloudFormation template.
    Click [here](https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?stackName=Ryft-DataPlaneRole\&templateURL=https://ryft-public-us-east-1.s3.us-east-1.amazonaws.com/integrations-templates/RyftDataPlaneRole.yaml) to launch the CloudFormation stack and deploy the required IAM role into your AWS account.
  </Tab>

  <Tab title="Terraform">
    If you prefer to use Terraform, you can download and use the module [here](https://ryft-public-us-east-1.s3.us-east-1.amazonaws.com/integrations-templates/RyftDataPlaneRole.tf) to create the IAM role.
  </Tab>

  <Tab title="Manual">
    Alternatively, you can create the role manually:

    1. Login to your AWS account
    2. Navigate to **IAM -> Roles**
    3. Click **Create Role**
    4. Give the role a name, e.g - `Ryft-DataPlaneRole`
    5. Click **Next: Permissions**
    6. Click **Attach existing policies**

    Attach the following policies:

    #### Glue Catalog Access

    ```json theme={null}
    {
        "Sid": "RyftGlueDataPlaneAccess",
        "Effect": "Allow",
        "Action": [
            "glue:GetTable",
            "glue:GetTables",
            "glue:GetDatabases",
            "glue:GetDatabase",
            "glue:UpdateTable",
            "glue:CreateTable",
            "glue:DeleteTable"
        ],
        "Resource": [
            "arn:aws:glue:<region>:<account_id>:catalog",
            "arn:aws:glue:<region>:<account_id>:database/*",
            "arn:aws:glue:<region>:<account_id>:table/*"
        ]
    }
    ```

    **Note:** Replace `<region>` and `<account_id>` with your AWS region and account ID.

    #### S3 Bucket Access

    ```json theme={null}
    {
        "Sid": "AllowRyftExecutionRoleAccess",
        "Effect": "Allow",
        "Action":[
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetObjectVersion",
            "s3:GetObjectTagging",
            "s3:PutObjectTagging"
        ],
        "Resource": [
            "arn:aws:s3:::<lakehouse-bucket-name>/*",
            "arn:aws:s3:::<lakehouse-bucket-name>"
        ]
    }
    ```

    **Important:** Replace `<lakehouse-bucket-name>` with your actual S3 bucket name.
  </Tab>
</Tabs>

### Step 3: Create the Control Plane Role

If you did not yet integrate the Ryft control plane with your **lakehouse account**, make sure to create it by following the steps [here](/integrations/aws-role-setup).

### Step 4: Finalize integration

Once the IAM roles are created, share the ARNs of the roles with your Ryft representative to finalize the setup.

## Support

If you run into any issues during setup, contact your Ryft support team.

<Note>
  This article contains instructions for setting up the Managed deployment type.<br />
  For a general overview of the Ryft architecture and deployment models, refer to [System Architecture](/administration/architecture).
</Note>