Assume Another Role

When using instance profile or AWS access keys authentication, you can configure the Amazon S3 origin or destination to assume another IAM role.

For example, if the instance profile or the IAM user permissions do not grant access to write to Amazon S3 resources, you can configure the Amazon S3 destination to assume another role that does grant write access.

Important: Transformer supports assuming another role when the pipeline meets the stage library and cluster type requirements.

When an Amazon S3 stage assumes a role, it temporarily gives up the instance profile or IAM user permissions and uses the permissions assigned to the assumed role. To assume a role, the stage calls the AWS STS AssumeRole API operation and passes the role to use. The operation creates a new session with the temporary credentials, as long as the following conditions are true:

  • The IAM policy attached to the current principal - the IAM role or user - grants permission to assume the specified role.
  • The IAM trust policy attached to the role to be assumed permits the current principal to assume it.
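
The two conditions above can be checked before a pipeline runs. The following is an added example, not code from Transformer or AWS: a simplified offline check of an identity policy and a trust policy for `sts:AssumeRole`. The account IDs, role names and function names are constructed placeholders, and the check ignores `Condition` blocks, `NotAction`/`NotResource`/`NotPrincipal`, permission boundaries and organization-level policies.

```python
import fnmatch

# Constructed sample values: the account IDs and role names are placeholders.
CALLER = "arn:aws:iam::111122223333:role/transformer-instance-role"
TARGET = "arn:aws:iam::444455556666:role/s3-writer"

# Condition 1: identity policy attached to the current principal.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET}]}

# Condition 2: trust policy attached to the role to be assumed.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": CALLER}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # Approximates IAM's * and ? wildcards with shell-style matching.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _decision(policy, applies):
    """Effect for sts:AssumeRole among statements that apply; explicit Deny wins."""
    effects = set()
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if _matches(actions, "sts:assumerole") and applies(stmt):
            effects.add(stmt["Effect"])
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else None

def identity_allows(policy, target_role):
    return _decision(policy, lambda s: _matches(s.get("Resource", []), target_role)) == "Allow"

def trust_allows(policy, caller):
    account = caller.split(":")[4]
    # A trust policy may name the caller, the caller's account (root), or "*".
    accepted = {"*", caller, account, f"arn:aws:iam::{account}:root"}
    def applies(stmt):
        principal = stmt.get("Principal", {})
        named = _as_list(principal if isinstance(principal, str) else principal.get("AWS", []))
        return any(p in accepted for p in named)
    return _decision(policy, applies) == "Allow"

def check_assume_role(identity_policy, trust_policy, caller, target_role):
    """Report each of the two conditions separately so the missing side is visible."""
    return {"identity_policy_allows": identity_allows(identity_policy, target_role),
            "trust_policy_allows": trust_allows(trust_policy, caller)}

if __name__ == "__main__":
    print(check_assume_role(IDENTITY_POLICY, TRUST_POLICY, CALLER, TARGET))
```

A result with one side `False` shows which policy to fix: the caller's identity policy or the target role's trust policy.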