AWS
By integrating AWS with DX, you can securely import read-only metadata from your AWS account. This gives read access to services such as EC2, RDS, Lambda, S3, EKS, and ElastiCache.
Prerequisites
To connect AWS to DX, you need:
- Access to AWS IAM to create a Policy and either a Role or User
Setup instructions
IAM role assumption is the AWS-recommended approach for cross-account access. It uses temporary credentials and supports connecting multiple AWS accounts through a single DX connection.
Step 1 - Get your External ID from DX
- In DX, navigate to Settings > Data connectors > Add connector > AWS
- Select IAM Role as the authentication method
- Copy the External ID displayed - you’ll need this for the trust policy
Step 2 - Create a read-only IAM policy
In your AWS account, create a custom IAM policy with the required read permissions:
- Go to IAM > Policies > Create policy
- Select the JSON tab and paste the following:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DXDataCloudReadOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeTags",
        "ec2:DescribeRegions",
        "rds:DescribeDBInstances",
        "rds:ListTagsForResource",
        "lambda:ListFunctions",
        "lambda:ListTags",
        "lambda:GetFunction",
        "s3:ListAllMyBuckets",
        "s3:GetBucketTagging",
        "eks:ListClusters",
        "eks:DescribeCluster",
        "elasticache:DescribeCacheClusters",
        "elasticache:ListTagsForResource",
        "elasticache:DescribeServerlessCaches"
      ],
      "Resource": "*"
    }
  ]
}
```
- Name the policy (e.g., `DX-Connector-Policy`) and create it
Step 3 - Create an IAM role with trust policy
Create an IAM role that DX can assume:
- Go to IAM > Roles > Create role
- Select Custom trust policy and paste the following (replace the placeholder values):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::703671904508:role/dx-datacloud"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID_FROM_DX"
        }
      }
    }
  ]
}
```
- Click Next and attach the policy you created in Step 2
- Name the role (e.g., `DX-Connector-Role`) and create it
- Copy the Role ARN (e.g., `arn:aws:iam::123456789012:role/DX-Connector-Role`)
Step 4 - Configure the connection in DX
Provide the following values in DX:
- Role ARN - The ARN of the IAM role you created
Connecting multiple AWS accounts
To import resources from multiple AWS accounts, repeat Steps 2-3 in each AWS account, using the same External ID from DX. Then add all Role ARNs to your DX connection.
Each AWS account needs:
- The same IAM policy with read permissions
- An IAM role with trust policy pointing to DX’s AWS account
- The same External ID in the trust policy condition
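A pre-flight check for the per-account requirements above, added here as an example and not part of DX's own tooling: it lints a trust policy for the exact DX principal and the `sts:ExternalId` condition, and flags any permission-policy action that is not a plain `Describe*`/`List*`/`Get*` call. The function names, the read-only naming heuristic and the sample values are assumptions; the principal ARN is the one from Step 3.

```python
import re

DX_PRINCIPAL = "arn:aws:iam::703671904508:role/dx-datacloud"  # from the trust policy on this page
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$", re.ASCII)
# Naming heuristic only (assumption): Describe*/List*/Get* with no wildcard.
READ_ONLY_RE = re.compile(r"^[a-z0-9-]+:(Describe|List|Get)[A-Za-z0-9]*$")


def as_list(value):  # IAM accepts a single value or a list in most fields
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, external_id):
    """Return findings for a role trust policy; an empty list means it passes."""
    findings = []
    allows = [s for s in as_list(doc.get("Statement", [])) if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement")
    for stmt in allows:
        principal = stmt.get("Principal")
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if aws != [DX_PRINCIPAL]:
            findings.append(f"principal is not exactly the DX role: {aws}")
        if as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append("action is not exactly sts:AssumeRole")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if as_list(equals.get("sts:ExternalId")) != [external_id]:
            findings.append("sts:ExternalId condition missing or not the DX value")
    return findings


def check_permission_policy(doc):
    """Flag NotAction and any allowed action that is not a plain read call."""
    findings = []
    for stmt in [s for s in as_list(doc.get("Statement", [])) if s.get("Effect") == "Allow"]:
        if "NotAction" in stmt:
            findings.append("NotAction in an Allow statement")
        for action in as_list(stmt.get("Action", [])):
            if not READ_ONLY_RE.match(action):
                findings.append(f"not a plain read action: {action}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a trust policy pasted without the Condition block.
    weak = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": DX_PRINCIPAL},
                           "Action": "sts:AssumeRole"}]}
    print(check_trust_policy(weak, "constructed-external-id"))
    print(bool(ROLE_ARN_RE.match("arn:aws:iam::123456789012:role/DX-Connector-Role")))
```

Run it against the JSON exported from each account before adding that account's Role ARN to DX. A role whose trust policy lacks the External ID condition is assumable by the DX principal without that check.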
API reference
The connector uses AWS APIs via SDK with read-only actions.
| Action | Documentation |
|---|---|
| `sts:AssumeRole` | Link |
| `sts:GetCallerIdentity` | Link |
| `ec2:DescribeInstances` | Link |
| `ec2:DescribeRegions` | Link |
| `rds:DescribeDBInstances` | Link |
| `rds:ListTagsForResource` | Link |
| `lambda:ListFunctions` | Link |
| `lambda:ListTags` | Link |
| `s3:ListAllMyBuckets` | Link |
| `s3:GetBucketTagging` | Link |
| `eks:ListClusters` | Link |
| `eks:DescribeCluster` | Link |
| `elasticache:DescribeCacheClusters` | Link |
| `elasticache:DescribeServerlessCaches` | Link |
Errors
The table below lists potential error codes when adding a connection in DX.
| Error | Description |
|---|---|
| `invalid_credentials` | Your API credentials or IAM role configuration is not valid. |
| `invalid_permissions` | Your IAM policy does not have the permissions required by DX. |
| `access_denied` | DX cannot assume the IAM role. Check the trust policy and external ID. |
| `missing_role_arns` | At least one IAM role ARN is required when using IAM role authentication. |
| `invalid_role_arn` | The IAM role ARN format is invalid. Expected format: `arn:aws:iam::{account-id}:role/{role-name}` |