---
title: "AWS"
canonical_url: "https://docs.getdx.com/connectors/aws/"
md_url: "https://docs.getdx.com/connectors/aws.md"
last_updated: "2026-05-08"
---

# AWS
By integrating AWS with DX, you can securely import read-only metadata from your AWS account. The integration gives DX read access to services such as EC2, RDS, Lambda, S3, EKS, and ElastiCache.

## Prerequisites

To connect AWS to DX, you need:

- Access to AWS IAM to create a Policy and either a Role or User

## Setup instructions

IAM role assumption is the AWS-recommended approach for cross-account access. It uses temporary credentials and supports connecting multiple AWS accounts through a single DX connection.

#### Step 1 - Get your External ID from DX

1. In DX, navigate to **Settings > Data connectors > Add connector > AWS**
2. Select **IAM Role** as the authentication method
3. Copy the **External ID** displayed - you'll need this for the trust policy

#### Step 2 - Create a read-only IAM policy

In your AWS account, create a custom IAM policy with the required read permissions:

1. Go to **IAM > Policies > Create policy**
2. Select the **JSON** tab and paste the following:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DXDataCloudReadOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeTags",
        "ec2:DescribeRegions",
        "rds:DescribeDBInstances",
        "rds:ListTagsForResource",
        "lambda:ListFunctions",
        "lambda:ListTags",
        "lambda:GetFunction",
        "s3:ListAllMyBuckets",
        "s3:GetBucketTagging",
        "eks:ListClusters",
        "eks:DescribeCluster",
        "elasticache:DescribeCacheClusters",
        "elasticache:ListTagsForResource",
        "elasticache:DescribeServerlessCaches"
      ],
      "Resource": "*"
    }
  ]
}
```

3. Name the policy (e.g., `DX-Connector-Policy`) and create it

#### Step 3 - Create an IAM role with trust policy

Create an IAM role that DX can assume:

1. Go to **IAM > Roles > Create role**
2. Select **Custom trust policy** and paste the following (replace the placeholder values):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::703671904508:role/dx-datacloud"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID_FROM_DX"
        }
      }
    }
  ]
}
```

3. Click **Next** and attach the policy you created in Step 2
4. Name the role (e.g., `DX-Connector-Role`) and create it
5. Copy the **Role ARN** (e.g., `arn:aws:iam::123456789012:role/DX-Connector-Role`)

#### Step 4 - Configure the connection in DX

Provide the following values in DX:

- **Role ARN** - The ARN of the IAM role you created

#### Connecting multiple AWS accounts

To import resources from multiple AWS accounts, repeat Steps 2-3 in each AWS account, using the same External ID from DX. Then add all Role ARNs to your DX connection.

Each AWS account needs:

- The same IAM policy with read permissions
- An IAM role with trust policy pointing to DX's AWS account
- The same External ID in the trust policy condition
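
One way to check the roles created in Steps 2-3 before adding their ARNs to DX, shown as an added example (not DX's own code). The function names, the `example-external-id` placeholder and the second account ID are assumptions made for illustration; the DX principal and the role ARN format are taken from this page.

```python
import re

# From this page: the DX principal in the Step 3 trust policy and the role ARN
# format in the Errors table. Everything else below is constructed sample data.
DX_PRINCIPAL = "arn:aws:iam::703671904508:role/dx-datacloud"
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def as_list(value):
    """IAM fields accept a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, external_id):
    """Return findings for one trust policy; an empty list means it matches Step 3."""
    allows = [s for s in as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]
    findings = [] if allows else ["no Allow statement"]
    for stmt in allows:
        principal = stmt.get("Principal", {})
        aws = as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if aws != [DX_PRINCIPAL]:
            findings.append(f"principal {aws} is not limited to the DX role")
        if as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append("action is not exactly sts:AssumeRole")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing StringEquals condition on sts:ExternalId")
        elif as_list(ext) != [external_id]:
            findings.append("sts:ExternalId differs from the value shown in DX")
    return findings

def audit_accounts(trust_by_role_arn, external_id):
    """Check every account's role: ARN format plus trust policy. Returns {arn: findings}."""
    report = {}
    for arn, policy in trust_by_role_arn.items():
        findings = [] if ROLE_ARN_RE.match(arn) else ["role ARN format is invalid"]
        report[arn] = findings + audit_trust_policy(policy, external_id)
    return report

def sample_policy(external_id=None, principal=DX_PRINCIPAL):
    """Build a constructed trust policy for the demo below."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

if __name__ == "__main__":
    roles = {"arn:aws:iam::123456789012:role/DX-Connector-Role": sample_policy("example-external-id"),
             "arn:aws:iam::210987654321:role/DX-Connector-Role": sample_policy()}  # no condition
    for arn, findings in audit_accounts(roles, "example-external-id").items():
        print(arn, findings or "OK")
```

In practice the trust policy for each role is the `AssumeRolePolicyDocument` returned by `aws iam get-role`, parsed as JSON.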

---

## API reference

The connector uses AWS APIs via SDK with read-only actions.


| Action | Documentation |
|--------------------------------------|---------------------------------------------------------------------------------------------|
| `sts:AssumeRole` | [Link](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) |
| `sts:GetCallerIdentity` | [Link](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html) |
| `ec2:DescribeInstances` | [Link](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html) |
| `ec2:DescribeRegions` | [Link](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeRegions.html) |
| `rds:DescribeDBInstances` | [Link](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html) |
| `rds:ListTagsForResource` | [Link](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ListTagsForResource.html) |
| `lambda:ListFunctions` | [Link](https://docs.aws.amazon.com/lambda/latest/dg/API_ListFunctions.html) |
| `lambda:ListTags` | [Link](https://docs.aws.amazon.com/lambda/latest/dg/API_ListTags.html) |
| `s3:ListAllMyBuckets` | [Link](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html) |
| `s3:GetBucketTagging` | [Link](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketTagging.html) |
| `eks:ListClusters` | [Link](https://docs.aws.amazon.com/eks/latest/APIReference/API_ListClusters.html) |
| `eks:DescribeCluster` | [Link](https://docs.aws.amazon.com/eks/latest/APIReference/API_DescribeCluster.html) |
| `elasticache:DescribeCacheClusters` | [Link](https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_DescribeCacheClusters.html) |
| `elasticache:DescribeServerlessCaches` | [Link](https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_DescribeServerlessCaches.html) |


## Errors

The table below lists potential error codes when adding a connection in DX.


| Error | Description |
|----------------------|------------------------------------------------------------------------------------------------------------------|
| `invalid_credentials` | Your API credentials or IAM role configuration is not valid. |
| `invalid_permissions` | Your IAM policy does not have the permissions required by DX. |
| `access_denied` | DX cannot assume the IAM role. Check the trust policy and external ID. |
| `missing_role_arns` | At least one IAM role ARN is required when using IAM role authentication. |
| `invalid_role_arn` | The IAM role ARN format is invalid. Expected format: `arn:aws:iam::{account-id}:role/{role-name}` |
