
# Connect to AWS services with IAM roles

export const Alert = ({type, title, children}) => {
  // Inline SVG data URIs for the icon of each alert type. These are static
  // assets baked into the page, so nothing user-controlled reaches the style.
  const infoGlyph = "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='20' height='20' viewBox='0 0 20 20' fill='none'%3E%3Cpath d='M10 0C4.477 0 0 4.477 0 10s4.477 10 10 10 10-4.477 10-10S15.523 0 10 0zm0 15c-.552 0-1-.448-1-1s.448-1 1-1 1 .448 1 1-.448 1-1 1zm1-3H9V6h2v6z' fill='%230099FF'/%3E%3C/svg%3E";
  const iconByType = new Map([
    // 'note' deliberately shares the 'info' glyph.
    ['info', infoGlyph],
    ['note', infoGlyph],
    ['success', "data:image/svg+xml,%3Csvg width='20' height='20' viewBox='0 0 20 20' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath fill-rule='evenodd' clip-rule='evenodd' d='M10 0C4.477 0 0 4.477 0 10s4.477 10 10 10 10-4.477 10-10S15.523 0 10 0zm4.293 6.293L9 11.586 5.707 8.293c-.391-.391-1.024-.391-1.414 0s-.391 1.024 0 1.414l4 4c.391.391 1.024.391 1.414 0l6-6c.391-.391.391-1.024 0-1.414s-1.024-.391-1.414 0z' fill='%230CC26D'/%3E%3C/svg%3E"],
    ['warning', "data:image/svg+xml;charset=utf-8;base64,PHN2ZyB4bWxucz0naHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmcnIHhtbDpzcGFjZT0ncHJlc2VydmUnIHdpZHRoPScxMDgwJyBoZWlnaHQ9JzEwODAnPjxyZWN0IHdpZHRoPScxMDAlJyBoZWlnaHQ9JzEwMCUnIGZpbGw9J3RyYW5zcGFyZW50Jy8+PHBhdGggZD0nTTEzLjc5NCAxMC43NSA4LjMgMS4yNWExLjUgMS41IDAgMCAwLTIuNiAwbC01LjQ5NCA5LjVBMS40OTQgMS40OTQgMCAwIDAgMS41IDEzaDExYTEuNDkzIDEuNDkzIDAgMCAwIDEuMjk0LTIuMjVNNi41IDUuNWEuNS41IDAgMCAxIDEgMFY4YS41LjUgMCAwIDEtMSAwek03IDExYS43NS43NSAwIDEgMSAwLTEuNS43NS43NSAwIDAgMSAwIDEuNScgc3R5bGU9J3N0cm9rZTpub25lO3N0cm9rZS13aWR0aDoxO3N0cm9rZS1kYXNoYXJyYXk6bm9uZTtzdHJva2UtbGluZWNhcDpidXR0O3N0cm9rZS1kYXNob2Zmc2V0OjA7c3Ryb2tlLWxpbmVqb2luOm1pdGVyO3N0cm9rZS1taXRlcmxpbWl0OjQ7ZmlsbDojZmY5ZjM1O2ZpbGwtcnVsZTpub256ZXJvO29wYWNpdHk6MScgdHJhbnNmb3JtPSd0cmFuc2xhdGUoLjAyIDE5LjMwNSlzY2FsZSg3Ny4xNCknLz48L3N2Zz4="],
    ['danger', "data:image/svg+xml,%3Csvg width='20' height='20' viewBox='0 0 20 20' fill='none' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M10 0C4.477 0 0 4.477 0 10s4.477 10 10 10 10-4.477 10-10S15.523 0 10 0zm5.707 4.293L10 9.586 4.293 4.293c-.391-.391-1.024-.391-1.414 0s-.391 1.024 0 1.414L8.586 11l-5.707 5.293c-.391.391-.391 1.024 0 1.414s1.024.391 1.414 0L10 12.414l5.707 5.293c.391.391 1.024.391 1.414 0s.391-1.024 0-1.414L11.414 11l5.707-5.293c.391-.391.391-1.024 0-1.414s-1.024-.391-1.414 0z' fill='%23F45252'/%3E%3C/svg%3E"],
  ]);
  // Unknown types get an empty URL, exactly like the switch default did.
  const icon = iconByType.get(type) ?? "";
  const iconStyle = {
    backgroundImage: `url("${icon}")`,
    backgroundRepeat: 'no-repeat',
    backgroundPosition: 'center center',
    backgroundSize: '20px',
    width: '24px',
    height: '24px',
    position: 'absolute',
    left: '16px',
    top: '16px',
  };
  return (
    <div className={`alert alert--${type}`}>
      <div className="alert-icon" style={iconStyle} />
      <div className="alert-content">
        {/* Title row is omitted entirely when no title is given. */}
        {title && <div className="alert-title">{title}</div>}
        <div className="alert-body">{children}</div>
      </div>
    </div>
  );
};

<Alert type="warning">
  Connecting by assuming an IAM role is only available with the Superblocks <a href="/enterprise/deployment-overview">Hybrid or Cloud-Prem architectures</a>, where the data plane runs on your own AWS infrastructure.
</Alert>

When running the Superblocks data plane on AWS ([ECS Fargate](/enterprise/hybrid-architecture/deployment/aws_ecs_fargate), [EKS](/enterprise/hybrid-architecture/deployment/kubernetes), or [EC2 instances](/enterprise/hybrid-architecture/deployment/virtual_machine)), the container can access AWS services with an [IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html), instead of requiring long-term access keys. This can be used in:

* Superblocks integrations like [DynamoDB](/integrations/integrations-library/aws-dynamodb) and [S3](/integrations/integrations-library/aws-s3)

* Backend API steps using the Python [Boto3](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html) library or JavaScript [AWS SDK](https://www.npmjs.com/package/aws-sdk)

## Auth types

### ECS task role

Assign an IAM role to the agent's ECS task. If using the Superblocks Terraform module, this can be set via the `superblocks_agent_role_arn` [variable](https://github.com/superblocksteam/terraform-aws-superblocks/blob/c86beb31f119538dd9d1e97ae2ad72d0ea70a458/examples/complete/main.tf#L33).

```
superblocks_agent_role_arn = "arn:aws:iam::111111111111:role/my-iam-role"
```

Once this is set up, create AWS integrations with only the region specified. Leave the default auth type set to **Access Key**, but do not enter an access key ID or secret: those fields are not used in this mode. The agent uses its assigned task role to retrieve temporary credentials when APIs are executed, so no long-term keys need to be stored in the integration.

<div className="no-shadow">
  <img src="https://mintcdn.com/superblocks/TqcwM8ac6ozIt6Fv/images/integrations/authentication/opa_iam_role_s3.png?fit=max&auto=format&n=TqcwM8ac6ozIt6Fv&q=85&s=db4f817129fb90a75624f5a6de523c59" alt="s3 integration using iam role with data plane on ECS" title="S3 integration using IAM role with data plane on ECS" width="2910" height="1500" data-path="images/integrations/authentication/opa_iam_role_s3.png" />
</div>

### Kubernetes service account

Follow the steps in the EKS docs on [IAM roles for service accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to associate an IAM role with a Kubernetes service account. Specify this service account in the agent's [`values.yaml`](https://github.com/superblocksteam/agent/blob/main/helm/agent/values.yaml) file, along with the annotation for the IAM role.

```yaml theme={null}
#(...)

serviceAccount:
  name: data-plane-service-account
  annotations:
    # IRSA: the IAM role this service account may assume. The role's trust
    # policy must allow the cluster's OIDC provider for this namespace and
    # service account name (see the linked IRSA documentation).
    eks.amazonaws.com/role-arn: arn:aws:iam::111111111111:role/my-iam-role

#(...)
```

Once this is set up, create AWS integrations with the **Token File** auth type. With this auth type the agent authenticates using the projected service account token that Kubernetes mounts into the pod (Service Account Token Volume Projection); that token is exchanged for temporary credentials for the IAM role named in the `eks.amazonaws.com/role-arn` annotation, so no long-term keys are stored in the integration.

<div className="no-shadow">
  <img src="https://mintcdn.com/superblocks/G-ib4vcIpqKg18lL/images/integrations/authentication/opa_irsa_s3.png?fit=max&auto=format&n=G-ib4vcIpqKg18lL&q=85&s=af8dfa59da2d9705204c6d76f0afeddd" alt="s3 integration using iam role with data plane on EKS" title="S3 integration using IAM role with data plane on EKS" width="4060" height="1834" data-path="images/integrations/authentication/opa_irsa_s3.png" />
</div>

### EC2 instance metadata

Create an IAM role that allows EC2 instances to call AWS services and associate this role with the EC2 instance where the Superblocks agent runs (IAM instance profile).

Once this is set up, create AWS integrations with the **EC2 Instance Metadata** auth type. This will authorize the agent to connect to the AWS service using the instance's IAM role credentials, retrieved through the EC2 instance metadata endpoint ([IMDS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html)). Note that any process running on the instance can query IMDS and obtain the same credentials, so grant the instance role only the permissions the agent needs and avoid co-locating untrusted workloads on that instance. If you enforce IMDSv2 on the instance, confirm that the agent can still retrieve credentials after the change.

<div className="no-shadow">
  <img src="https://mintcdn.com/superblocks/TqcwM8ac6ozIt6Fv/images/integrations/authentication/opa_iam_ec2_instance_s3.png?fit=max&auto=format&n=TqcwM8ac6ozIt6Fv&q=85&s=f0207daae7ab18d05301d6c48cfe4cff" alt="s3 integration using iam role with data plane on EC2" title="S3 integration using IAM role with data plane on EC2" width="4060" height="1810" data-path="images/integrations/authentication/opa_iam_ec2_instance_s3.png" />
</div>

## Connect to AWS in Python and JavaScript

The agent can also use IAM roles to connect to AWS services in backend Python ([Boto3](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html)) and JavaScript ([AWS SDK](https://www.npmjs.com/package/aws-sdk)) steps.

If you're using [ECS task role auth](#ecs-task-role), you must additionally set the environment variable `SB_EXECUTION_ENV_INCLUSION_LIST` to include `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`. This passes the credentials-endpoint variable that ECS injects into the container through to the Python and JavaScript execution environments, which is what lets Boto3 and the AWS SDK locate the task role's temporary credentials. If you already use this variable to expose other environment variables to your code, add `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` to the existing value rather than replacing it. For example, in the agent's Terraform module:

```
# Expose the ECS-injected credentials endpoint variable to Python/JavaScript
# steps so Boto3 and the AWS SDK can find the task role's temporary credentials.
superblocks_agent_environment_variables = [
    {
        "name" : "SB_EXECUTION_ENV_INCLUSION_LIST", 
        "value" : "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
    }
 ]
```

No additional configuration is required if your agent is using a [Kubernetes service account](#kubernetes-service-account) or [EC2 instance metadata](#ec2-instance-metadata) for IAM role auth.

You can then write code in Superblocks to interact with any AWS service the agent's role is permitted to access. Because every backend step executed by this agent runs with the same role, anyone who can author or run APIs on it effectively holds those permissions; scope the role to the minimum your workloads need rather than reusing a broad administrative role.

<div className="no-shadow">
  <img src="https://mintcdn.com/superblocks/G-ib4vcIpqKg18lL/images/integrations/authentication/python_boto3.png?fit=max&auto=format&n=G-ib4vcIpqKg18lL&q=85&s=591a3a7aec1ac0cc7c72d47db2c119c4" alt="iam role auth for boto3" title="Use Boto3 without any hardcoded credentials" width="3282" height="1724" data-path="images/integrations/authentication/python_boto3.png" />
</div>
