# Setting up AWS Clean Rooms
The following topics explain how to set up AWS Clean Rooms.
**Topics**
+ [Sign up for AWS](setting-up-aws-sign-up.md)
+ [Set up service roles for AWS Clean Rooms](setting-up-roles.md)
+ [Set up service roles for AWS Clean Rooms ML](ml-roles.md)
# Sign up for AWS
Before you can use AWS Clean Rooms, or any AWS service, you must sign up for AWS with an AWS account.
If you don't have an AWS account, complete the following steps to create one.
**To sign up for an AWS account**
1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).
1. Follow the online instructions.
During the sign-up procedure, you'll receive a phone call with a verification code that you'll enter on the phone keypad.
1. When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, [assign administrative access to an administrative user](https://docs.aws.amazon.com//singlesignon/latest/userguide/getting-started.html), and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds.html#aws_tasks-that-require-root).
# Set up service roles for AWS Clean Rooms
The following sections describe the roles needed to perform each task.
**Topics**
+ [Create an administrator user](#setting-up-create-iam-user)
+ [Create an IAM role for a collaboration member](#create-role-DP)
+ [Create a service role to read data from Amazon S3](#create-service-role-procedure)
+ [Create a service role to read data from Amazon Athena](#create-service-role-athena)
+ [Create a service role to read data from Snowflake](#create-service-role-third-party)
+ [Create a service role to read code from an S3 bucket (PySpark analysis template role)](#create-role-pyspark-analysis-template)
+ [Create a service role to write results of a PySpark job](#create-role-pyspark-job)
+ [Create a service role to receive results](#create-role-write-results)
## Create an administrator user
To use AWS Clean Rooms, you need to create an administrator user for yourself and add the administrator user to an administrators group.
To create an administrator user, choose one of the following options.
****
| Choose one way to manage your administrator | To | By | You can also |
| --- | --- | --- | --- |
| In IAM Identity Center (Recommended) | Use short-term credentials to access AWS.This aligns with the security best practices. For information about best practices, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*. | Following the instructions in [Getting started](https://docs.aws.amazon.com//singlesignon/latest/userguide/getting-started.html) in the AWS IAM Identity Center User Guide. | Configure programmatic access by [Configuring the AWS CLI to use AWS IAM Identity Center](https://docs.aws.amazon.com//cli/latest/userguide/cli-configure-sso.html) in the AWS Command Line Interface User Guide. |
| In IAM (Not recommended) | Use long-term credentials to access AWS. | Following the instructions in [ Create an IAM user for emergency access](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started-emergency-iam-user.html) in the IAM User Guide. | Configure programmatic access by [Manage access keys for IAM users](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_credentials_access-keys.html) in the IAM User Guide. |
## Create an IAM role for a collaboration member
A member is an AWS customer who is a participant in a collaboration.
**To create an IAM role for a collaboration member**
1. Follow the [Creating a role to delegate permissions to an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) procedure in the *AWS Identity and Access Management User Guide*.
1. For the **Create policy** step, select the **JSON** tab in the **Policy editor**, and then add policies depending on the abilities granted to the collaboration member.
AWS Clean Rooms offers the following managed policies based on common use cases.
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/clean-rooms/latest/userguide/setting-up-roles.html)
For information about the different managed policies offered by AWS Clean Rooms, see [AWS managed policies for AWS Clean Rooms](security-iam-awsmanpol.md),
## Create a service role to read data from Amazon S3
AWS Clean Rooms uses a service role to read the data from Amazon S3.
There are two ways to create this service role.
+ If you have the necessary IAM permissions to create a service role, use the AWS Clean Rooms console to create a service role.
+ If you don't have `iam:CreateRole`, `iam:CreatePolicy` and `iam:AttachRolePolicy` permissions or want to create the IAM roles manually, do one of the following:
+ Use the following procedure to create a service role using custom trust policies.
+ Ask your administrator to create the service role using the following procedure.
**Note**
You or your IAM administrator should follow this procedure only if you don't have the necessary permissions to create a service role using the AWS Clean Rooms console.
**To create a service role to read data from Amazon S3 using custom trust policies**
1. Create a role using custom trust policies. For more information, see the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure in the *AWS Identity and Access Management User Guide*.
1. Use the following custom trust policy according to the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure.
**Note**
If you want to help ensure that the role is used only in the context of a certain collaboration membership, you can scope down the trust policy further. For more information, see [Cross-service confused deputy prevention](cross-service-confused-deputy-prevention.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "RoleTrustPolicyForCleanRoomsService",
"Effect": "Allow",
"Principal": {
"Service": "cleanrooms.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
------
1. Use the following permissions policy according to the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure.
**Note**
The following example policy supports the permissions needed to read AWS Glue metadata and its corresponding Amazon S3 data. However, you might need to modify this policy depending on how you've set up your Amazon S3 data. For instance, if you have set up a custom KMS key for your Amazon S3 data, you may need to amend this policy with additional AWS Key Management Service (AWS KMS) permissions.
Your AWS Glue resources and underlying Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "NecessaryGluePermissions",
"Effect": "Allow",
"Action": [
"glue:GetDatabase",
"glue:GetDatabases",
"glue:GetTable",
"glue:GetTables",
"glue:GetPartition",
"glue:GetPartitions",
"glue:BatchGetPartition"
],
"Resource": [
"arn:aws:glue:us-east-1:111122223333:database/databaseName",
"arn:aws:glue:us-east-1:111122223333:table/databaseName/tableName",
"arn:aws:glue:us-east-1:111122223333:catalog"
]
},
{
"Effect": "Allow",
"Action": [
"glue:GetSchema",
"glue:GetSchemaVersion"
],
"Resource": [
"*"
]
},
{
"Sid": "NecessaryS3BucketPermissions",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket"
],
"Condition": {
"StringEquals": {
"s3:ResourceAccount": [
"444455556666"
]
}
}
},
{
"Sid": "NecessaryS3ObjectPermissions",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket/prefix/*"
],
"Condition": {
"StringEquals": {
"s3:ResourceAccount": [
"444455556666"
]
}
}
}
]
}
```
------
**Note**
This policy references two different AWS account IDs to support a AWS Clean Rooms collaboration where data catalog metadata and actual data storage are managed by different parties:
**111122223333** - This is the account that owns the AWS Glue Data Catalog resources (databases, tables, and catalog). The first statement grants permissions to access table schemas, partition information, and metadata from this account's AWS Glue catalog.
**444455556666** - This is the account that owns the Amazon S3 bucket containing the actual data files. The Amazon S3 permissions (statements 3 and 4) are restricted to buckets owned by this account through the `s3:ResourceAccount` condition.
This configuration supports common enterprise data architectures where one team manages the data catalog and schema definitions while another team owns the underlying data storage infrastructure. The `s3:ResourceAccount` condition provides an additional security layer by ensuring Amazon S3 operations only work on buckets owned by the designated account.
1. Replace each *placeholder* with your own information.
1. Continue to follow the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure to create the role.
## Create a service role to read data from Amazon Athena
AWS Clean Rooms uses a service role to read the data from Amazon Athena.
**To create a service role to read data from Athena using custom trust policies**
1. Create a role using custom trust policies. For more information, see the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure in the *AWS Identity and Access Management User Guide*.
1. Use the following custom trust policy according to the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure.
**Note**
If you want to help ensure that the role is used only in the context of a certain collaboration membership, you can scope down the trust policy further. For more information, see [Cross-service confused deputy prevention](cross-service-confused-deputy-prevention.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "RoleTrustPolicyForCleanRoomsService",
"Effect": "Allow",
"Principal": {
"Service": "cleanrooms.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
------
1. Use the following permissions policy according to the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure.
**Note**
The following example policy supports the permissions needed to read AWS Glue metadata and its corresponding Athena data. However, you might need to modify this policy depending on how you've set up your Amazon S3 data. For instance, if you've already set up a custom KMS key for your Amazon S3 data, you may need to amend this policy with additional AWS KMS permissions.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"athena:GetWorkGroup",
"athena:GetTableMetadata",
"athena:GetDataCatalog",
"athena:StartQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryResults"
],
"Resource": [
"arn:aws:athena:region:accountId:workgroup/workgroup",
"arn:aws:athena:region:accountId:datacatalog/federatedCatalogName"
]
},
{
"Effect": "Allow",
"Action": [
"glue:GetDatabase",
"glue:GetTable",
"glue:GetCatalog"
],
"Resource": [
"arn:aws:glue:region:accountId:catalog",
"arn:aws:glue:region:accountId:catalog/federatedCatalogName",
"arn:aws:glue:region:accountId:database/federatedCatalogName/databaseName",
"arn:aws:glue:region:accountId:table/federatedCatalogName/databaseName/tableName"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetBucketLocation",
"s3:AbortMultipartUpload",
"s3:ListBucket",
"s3:PutObject",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::athenaResultsBucket",
"arn:aws:s3:::athenaResultsBucket/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "accountId"
}
}
},
{
"Effect": "Allow",
"Action": "lakeformation:GetDataAccess",
"Resource": "*"
}
]
}
```
1. Replace each *placeholder* with your own information.
1. Continue to follow the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure to create the role.
### Set up Lake Formation permissions
If you query resources protected with Lake Formation permissions, the service role must have **Select** and **Describe** access permissions on the table/view/catalog and **Describe** permissions on the AWS Glue database.
For more information, see:
+ [Use Athena to query data registered with AWS Lake Formation](https://docs.aws.amazon.com/athena/latest/ug/security-athena-lake-formation.html) in the *Amazon Athena User Guide*
+ [Onboarding to Lake Formation permissions](https://docs.aws.amazon.com/lake-formation/latest/dg/onboarding-lf-permissions.html) in the *AWS Lake Formation Developer Guide*
## Create a service role to read data from Snowflake
AWS Clean Rooms uses a service role to retrieve your credentials for Snowflake to read your data from this source.
There are two ways to create this service role:
+ If you have the necessary IAM permissions to create a service role, use the AWS Clean Rooms console to create a service role.
+ If you don't have `iam:CreateRole`, `iam:CreatePolicy` and `iam:AttachRolePolicy` permissions or want to create the IAM roles manually, do one of the following:
+ Use the following procedure to create a service role using custom trust policies.
+ Ask your administrator to create the service role using the following procedure.
**Note**
You or your IAM administrator should follow this procedure only if you don't have the necessary permissions to create a service role using the AWS Clean Rooms console.
**To create a service role to read data from Snowflake using custom trust policies**
1. Create a role using custom trust policies. For more information, see the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure in the *AWS Identity and Access Management User Guide*.
1. Use the following custom trust policy according to the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure.
**Note**
If you want to help ensure that the role is used only in the context of a certain collaboration membership, you can scope down the trust policy further. For more information, see [Cross-service confused deputy prevention](cross-service-confused-deputy-prevention.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowIfSourceArnMatches",
"Effect": "Allow",
"Principal": {
"Service": "cleanrooms.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"ForAnyValue:ArnEquals": {
"aws:SourceArn": [
"arn:aws:cleanrooms:us-east-1:111122223333:membership/membershipId",
"arn:aws:cleanrooms:us-east-1:444455556666:membership/queryRunnerMembershipId"
]
}
}
}
]
}
```
------
**Note**
This trust policy references two different AWS account IDs to support a AWS Clean Rooms collaboration where query execution responsibilities are distributed across multiple parties:
**111122223333** - This is the account that contains a membership participating in the collaboration. This membership may own data tables, analysis rules, or other collaboration resources that require role access.
**444455556666** - This is the account that contains the membership responsible for running queries (the "query runner"). This membership executes protected queries and needs to assume this role to access the necessary compute and data resources.
This configuration enables scenarios where one party provides data or analysis templates while another party runs the actual queries. Both roles require different but complementary permissions through the same execution role. The `aws:SourceArn` condition ensures that only AWS Clean Rooms operations originating from these two specific memberships can assume the role, maintaining security while supporting the distributed job execution and result management workflow.
1. Use one of the following permissions policies according to the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure.
**Permission policy for secrets encrypted with a customer-owned KMS key**
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:secretIdentifier",
"Effect": "Allow"
},
{
"Sid": "AllowDecryptViaSecretsManagerForKey",
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:us-east-1:444455556666:key/keyIdentifier",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"kms:ViaService": "secretsmanager.us-east-1.amazonaws.com",
"kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:secretIdentifier"
}
}
}
]
}
```
------
**Note**
This policy references two different AWS account IDs to support a cross-account secrets management scenario:
**111122223333** - This is the account that owns and stores the secret in . The first statement grants permission to retrieve the secret value from this account.
**444455556666** - This is the account that owns the AWS KMS key used to encrypt the secret. The second statement grants permission to decrypt the secret using the AWS KMS key from this account.
This configuration is common in enterprise environments where:
Secrets are centrally managed in one account (Account 1)
Encryption keys are managed by a separate security or shared services account (Account 2)
The AWS KMS key policy in Account 2 must also allow the service in Account 1 to use the key for encryption/decryption operations
The `kms:EncryptionContext:SecretARN` condition ensures that the AWS KMS key can only be used to decrypt this specific secret, providing an additional layer of security for cross-account access.
**Permission policy for secrets encrypted with an AWS managed key**
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:secretIdentifier",
"Effect": "Allow"
}
]
}
```
------
1. Replace each *placeholder* with your own information.
1. Continue to follow the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure to create the role.
## Create a service role to read code from an S3 bucket (PySpark analysis template role)
AWS Clean Rooms uses a service role to read code from a collaboration member's specified S3 bucket when using a PySpark analysis template.
**To create a service role to read code from an S3 bucket**
1. Create a role using custom trust policies. For more information, see the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure in the *AWS Identity and Access Management User Guide*.
1. Use the following custom trust policy according to the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cleanrooms.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"ForAnyValue:ArnEquals": {
"aws:SourceArn": [
"arn:aws:cleanrooms:us-east-1:111122223333:membership/jobRunnerMembershipId",
"arn:aws:cleanrooms:us-east-1:444455556666:membership/analysisTemplateOwnerMembershipId"
]
}
}
}
]
}
```
------
**Note**
This trust policy references two different AWS account IDs to support a multi-party AWS Clean Rooms collaboration scenario:
**111122223333** - This is the account that contains the membership responsible for running queries (the "job runner"). This membership executes the analysis jobs and needs to assume this role to access the necessary resources.
**444455556666** - This is the account that owns the analysis template and its associated membership (the "analysis template owner"). This membership defines what queries can be run and also needs to assume this role to manage and execute the analysis.
This configuration is typical in AWS Clean Rooms collaborations where multiple parties participate in the same collaboration, each with their own AWS account and membership. Both the query executor and the analysis template owner need access to shared resources. The `aws:SourceArn` condition ensures that only AWS Clean Rooms operations originating from these two specific memberships can assume the role, providing precise access control for the multi-party collaboration.
1. Use the following permissions policy according to the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure.
**Note**
The following example policy supports the permissions needed to read your code from Amazon S3. However, you might need to modify this policy depending on how you've set up your S3 data.
Your Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": ["arn:aws:s3:::s3Path"],
"Condition":{
"StringEquals":{
"s3:ResourceAccount":[
"s3BucketOwnerAccountId"
]
}
}
}
]
}
```
------
1. Replace each *placeholder* with your own information:
+ *s3Path* – The S3 bucket location of your code.
+ *s3BucketOwnerAccountId* – The AWS account ID of the S3 bucket owner.
+ *region* – The name of the AWS Region. For example, **us-east-1**.
+ *jobRunnerAccountId* – The AWS account ID of the member who can run queries and jobs.
+ *jobRunnerMembershipId* – The **Membership ID** of the member who can query and run jobs. The **Membership ID** can be found on the **Details** tab of the collaboration. This ensures that AWS Clean Rooms is assuming the role only when this member runs the analysis in this collaboration.
+ *analysisTemplateAccountId* – The AWS account ID of the analysis template.
+ *analysisTemplateOwnerMembershipId* – The **Membership ID** of the member who owns the analysis template. The **Membership ID** can be found on the **Details** tab of the collaboration.
1. Continue to follow the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure to create the role.
## Create a service role to write results of a PySpark job
AWS Clean Rooms uses a service role to write the results of a PySpark job to a specified S3 bucket.
**To create a service role to write results of a PySpark job**
1. Create a role using custom trust policies. For more information, see the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure in the *AWS Identity and Access Management User Guide*.
1. Use the following custom trust policy according to the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cleanrooms.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"ForAnyValue:ArnEquals": {
"aws:SourceArn": [
"arn:aws:cleanrooms:us-east-1:111122223333:membership/jobRunnerMembershipId",
"arn:aws:cleanrooms:us-east-1:444455556666:membership/rrMembershipId"
]
}
}
}
]
}
```
------
**Note**
This trust policy references two different AWS account IDs to support a AWS Clean Rooms collaboration with distinct operational roles:
**111122223333** - This is the account that contains the membership responsible for running analysis jobs (the "job runner"). This membership executes the computational workloads and needs to assume this role to access processing resources.
**444455556666** - This is the account that contains the membership with result receiver (RR) responsibilities. This membership is authorized to receive and access the output of analysis jobs, and needs role access to write results to designated locations.
This configuration enables AWS Clean Rooms scenarios where one party runs the computational analysis while another party receives and manages the results. Both roles require different but complementary permissions through the same execution role. The `aws:SourceArn` condition ensures that only AWS Clean Rooms operations originating from these two specific memberships can assume the role, maintaining security while supporting the distributed job execution and result management workflow.
1. Use the following permissions policy according to the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure.
**Note**
The following example policy supports the permissions needed to write to Amazon S3. However, you might need to modify this policy depending on how you've set up S3.
Your Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::bucket/optionalPrefix/*",
"Condition":{
"StringEquals":{
"s3:ResourceAccount":[
"s3BucketOwnerAccountId"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::bucket",
"Condition":{
"StringEquals":{
"s3:ResourceAccount":[
"s3BucketOwnerAccountId"
]
}
}
}
]
}
```
------
1. Replace each *placeholder* with your own information:
+ *region* – The name of the AWS Region. For example, **us-east-1**.
+ *jobRunnerAccountId* – The AWS account ID in which the S3 bucket is located.
+ *jobRunnerMembershipId* – The **Membership ID** of the member who can query and run jobs. The **Membership ID** can be found on the **Details** tab of the collaboration. This ensures that AWS Clean Rooms is assuming the role only when this member runs the analysis in this collaboration.
+ *rrAccountId* – The AWS account ID in which the S3 bucket is located.
+ *rrMembershipId* – The **Membership ID** of the member who can receive results. The **Membership ID** can be found on the **Details** tab of the collaboration. This ensures that AWS Clean Rooms is assuming the role only when this member runs the analysis in this collaboration.
+ *bucket* – The name and location of the S3 bucket.
+ *optionalPrefix* – An optional prefix if you want to save your results under a specific S3 prefix.
+ *s3BucketOwnerAccountId* – The AWS account ID of the S3 bucket owner.
1. Continue to follow the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure to create the role.
## Create a service role to receive results
**Note**
If you are the member who can only receive results (in the console, **Your member abilities** is only **Receive results**), follow this procedure.
If you are a member who can both query and receive results (in the console, **Your member abilities** is both **Query** and **Receive results**), you can skip this procedure.
For collaboration members who can only receive results, AWS Clean Rooms uses a service role to write results of the queried data in the collaboration to the specified S3 bucket.
There are two ways to create this service role:
+ If you have the necessary IAM permissions to create a service role, use the AWS Clean Rooms console to create a service role.
+ If you don't have `iam:CreateRole`, `iam:CreatePolicy` and `iam:AttachRolePolicy` permissions or want to create the IAM roles manually, do one of the following:
+ Use the following procedure to create a service role using custom trust policies.
+ Ask your administrator to create the service role using the following procedure.
**Note**
You or your IAM administrator should follow this procedure only if you don't have the necessary permissions to create a service role using the AWS Clean Rooms console.
**To create a service role to receive results using custom trust policies**
1. Create a role using custom trust policies. For more information, see the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure in the *AWS Identity and Access Management User Guide*.
1. Use the following custom trust policy according to the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowIfExternalIdMatches",
"Effect": "Allow",
"Principal": {
"Service": "cleanrooms.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"ArnLike": {
"sts:ExternalId": "arn:aws:*:region:*:dbuser:*/a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa*"
}
}
},
{
"Sid": "AllowIfSourceArnMatches",
"Effect": "Allow",
"Principal": {
"Service": "cleanrooms.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"ForAnyValue:ArnEquals": {
"aws:SourceArn": [
"arn:aws:cleanrooms:us-east-1:555555555555:membership/a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa"
]
}
}
}
]
}
```
------
1. Use the following permissions policy according to the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure.
**Note**
The following example policy supports the permissions needed to read AWS Glue metadata and its corresponding Amazon S3 data. However, you might need to modify this policy depending on how you've set up your S3 data.
Your AWS Glue resources and underlying Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket_name"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount":"accountId"
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket_name/optional_key_prefix/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount":"accountId"
}
}
}
]
}
```
------
1. Replace each *placeholder* with your own information:
+ *region* – The name of the AWS Region. For example, **us-east-1**.
+ *a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa* – The **Membership ID** of the member who can query. The **Membership ID** can be found on the **Details** tab of the collaboration. This ensures that AWS Clean Rooms is assuming the role only when this member runs the analysis in this collaboration.
+ *arn:aws:cleanrooms:us-east-1:555555555555:membership/a1b2c3d4-5678-90ab-cdef-EXAMPLEaaaaa* – The single **Membership ARN** of the member who can query. The **Membership ARN** can be found on the **Details** tab of the collaboration. This ensures AWS Clean Rooms is assuming the role only when this member runs the analysis in this collaboration.
+ *bucket\$1name* – The **Amazon Resource Name (ARN)** of the S3 bucket. The **Amazon Resource Name (ARN)** can be found on the **Properties** tab of the bucket in Amazon S3.
+ *accountId* – The AWS account ID in which the S3 bucket is located.
*bucket\$1name/optional\$1key\$1prefix* – The **Amazon Resource Name (ARN)** of the results destination in Amazon S3. The **Amazon Resource Name (ARN)** can be found on the **Properties** tab of the bucket in Amazon S3.
1. Continue to follow the [Creating a role using custom trust policies (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) procedure to create the role.
# Set up service roles for AWS Clean Rooms ML
The roles needed to perform lookalike modeling differ from those needed to use a custom model. The following sections describe the roles needed to perform each task.
**Topics**
+ [Set up service roles for lookalike modeling](#aws-model-roles)
+ [Set up service roles for custom modeling](#custom-model-roles)
## Set up service roles for lookalike modeling
**Topics**
+ [Create a service role to read training data](#ml-create-role-training)
+ [Create a service role to write a lookalike segment](#ml-create-role-write-segment)
+ [Create a service role to read seed data](#ml-create-role-read-seed)
### Create a service role to read training data
AWS Clean Rooms uses a service role to read training data. You can create this role using the console if you have the necessary IAM permissions. If you don't have `CreateRole` permissions, ask your administrator to create the service role.
**To create a service role to train a dataset**
1. Sign in to the IAM console ([https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/)) with your administrator account.
1. Under **Access management**, choose **Policies**.
1. Choose **Create policy**.
1. In the **Policy editor**, select the **JSON** tab, and then copy and paste the following policy.
**Note**
The following example policy supports the permissions needed to read AWS Glue metadata and its corresponding Amazon S3 data. However, you might need to modify this policy depending on how you've set up your S3 data. This policy doesn't include a KMS key to decrypt data.
Your AWS Glue resources and underlying Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"glue:GetDatabase",
"glue:GetDatabases",
"glue:GetTable",
"glue:GetTables",
"glue:GetPartitions",
"glue:GetPartition",
"glue:BatchGetPartition",
"glue:GetUserDefinedFunctions"
],
"Resource": [
"arn:aws:glue:us-east-1:111122223333:database/databases",
"arn:aws:glue:us-east-1:111122223333:table/databases/tables",
"arn:aws:glue:us-east-1:111122223333:catalog",
"arn:aws:glue:us-east-1:111122223333:database/default"
]
},
{
"Effect": "Allow",
"Action": [
"glue:CreateDatabase"
],
"Resource": [
"arn:aws:glue:us-east-1:111122223333:database/default"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::bucket"
],
"Condition": {
"StringEquals": {
"s3:ResourceAccount": [
"111122223333"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucketFolders/*"
],
"Condition": {
"StringEquals": {
"s3:ResourceAccount": [
"111122223333"
]
}
}
}
]
}
```
------
If you need to use a KMS key to decrypt data, add this AWS KMS statement to the previous template:
```
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
],
"Resource": [
"arn:aws:kms:region:accountId:key/keyId"
],
"Condition": {
"ArnLike": {
"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucketFolders*"
}
}
}
]
}
```
1. Replace each *placeholder* with your own information:
+ *region* – The name of the AWS Region. For example, **us-east-1**.
+ *accountId* – The AWS account ID in which the S3 bucket is located.
+ *database/databases*, *table/databases/tables*, *catalog*, and *database/default* – The location of the training data that AWS Clean Rooms needs to access.
+ *bucket* – The **Amazon Resource Name (ARN)** of the S3 bucket. The **Amazon Resource Name (ARN)** can be found on the **Properties** tab of the bucket in Amazon S3.
+ *bucketFolders* – The name of specific folders in the S3 bucket that AWS Clean Rooms needs to access.
1. Choose **Next**.
1. For **Review and create**, enter a **Policy name** and **Description**, and review the **Summary**.
1. Choose **Create policy**.
You have created a policy for AWS Clean Rooms.
1. Under **Access management**, choose **Roles**.
With **Roles**, you can create short-term credentials, which is recommended for increased security. You can also choose **Users** to create long-term credentials.
1. Choose **Create role**.
1. In the **Create role** wizard, for **Trusted entity type**, choose **Custom trust policy**.
1. Copy and paste the following custom trust policy into the JSON editor.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "cleanrooms-ml.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEqualsIfExists": {
"aws:SourceAccount": ["111122223333"]
},
"ArnLikeIfExists": {
"aws:SourceArn": "arn:aws:cleanrooms-ml:us-east-1:111122223333:training-dataset/*"
}
}
}
]
}
```
------
The `SourceAccount` is always your AWS account. The `SourceArn` can be limited to a specific training dataset, but only after that dataset is created. Because you don't yet know the training dataset ARN, the wildcard is specified here.
*accountId* is the ID of AWS account that contains the training data.
1. Choose **Next** and under **Add permissions**, enter the name of the policy you just created. (You might need to reload the page.)
1. Select the check box next to the name of the policy you created, and then choose **Next**.
1. For **Name, review, and create**, enter the **Role name** and **Description**.
**Note**
The **Role name** must match the pattern in the `passRole` permissions granted to the member who can query and receive results and member roles.
1. Review **Select trusted entities**, and edit if necessary.
1. Review the permissions in **Add permissions**, and edit if necessary.
1. Review the **Tags**, and add tags if necessary.
1. Choose **Create role**.
You have created the service role for AWS Clean Rooms.
### Create a service role to write a lookalike segment
AWS Clean Rooms uses a service role to write lookalike segments to a bucket. You can create this role using the console if you have the necessary IAM permissions. If you don't have `CreateRole` permissions, ask your administrator to create the service role.
**To create a service role to write a lookalike segment**
1. Sign in to the IAM console ([https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/)) with your administrator account.
1. Under **Access management**, choose **Policies**.
1. Choose **Create policy**.
1. In the **Policy editor**, select the **JSON** tab, and then copy and paste the following policy.
**Note**
The following example policy supports the permissions needed to read AWS Glue metadata and its corresponding Amazon S3 data. However, you might need to modify this policy depending on how you've set up your Amazon S3 data. This policy doesn't include a KMS key to decrypt data.
Your AWS Glue resources and underlying Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::buckets"
],
"Condition":{
"StringEquals":{
"s3:ResourceAccount":[
"accountId"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucketFolders/*"
],
"Condition":{
"StringEquals":{
"s3:ResourceAccount":[
"accountId"
]
}
}
}
]
}
```
------
If you need to use a KMS key to encrypt data, add this AWS KMS statement to the template:
```
{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*",
],
"Resource": [
"arn:aws:kms:region:accountId:key/keyId"
],
"Condition": {
"ArnLike": {
"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucketFolders*"
}
}
}
]
}
```
1. Replace each *placeholder* with your own information:
+ *buckets* – The **Amazon Resource Name (ARN)** of the S3 bucket. The **Amazon Resource Name (ARN)** can be found on the **Properties** tab of the bucket in Amazon S3.
+ *accountId* – The AWS account ID in which the S3 bucket is located.
+ *bucketFolders* – The name of specific folders in the S3 bucket that AWS Clean Rooms needs to access.
+ *region* – The name of the AWS Region. For example, **us-east-1**.
+ *keyId* – The KMS key needed to encrypt your data.
1. Choose **Next**.
1. For **Review and create**, enter a **Policy name** and **Description**, and review the **Summary**.
1. Choose **Create policy**.
You have created a policy for AWS Clean Rooms.
1. Under **Access management**, choose **Roles**.
With **Roles**, you can create short-term credentials, which is recommended for increased security. You can also choose **Users** to create long-term credentials.
1. Choose **Create role**.
1. In the **Create role** wizard, for **Trusted entity type**, choose **Custom trust policy**.
1. Copy and paste the following custom trust policy into the JSON editor.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "cleanrooms-ml.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEqualsIfExists": {
"aws:SourceAccount": ["111122223333"]
},
"ArnLikeIfExists": {
"aws:SourceArn": "arn:aws:cleanrooms-ml:us-east-1:111122223333:configured-audience-model/*"
}
}
}
]
}
```
------
The `SourceAccount` is always your AWS account. The `SourceArn` can be limited to a specific training dataset, but only after that dataset is created. Because you don't yet know the training dataset ARN, the wildcard is specified here.
1. Choose **Next**.
1. Select the check box next to the name of the policy you created, and then choose **Next**.
1. For **Name, review, and create**, enter the **Role name** and **Description**.
**Note**
The **Role name** must match the pattern in the `passRole` permissions granted to the member who can query and receive results and member roles.
1. Review **Select trusted entities**, and edit if necessary.
1. Review the permissions in **Add permissions**, and edit if necessary.
1. Review the **Tags**, and add tags if necessary.
1. Choose **Create role**.
You have created the service role for AWS Clean Rooms.
### Create a service role to read seed data
AWS Clean Rooms uses a service role to read seed data. You can create this role using the console if you have the necessary IAM permissions. If you don't have `CreateRole` permissions, ask your administrator to create the service role.
**To create a service role to read seed data that is stored in an S3 bucket.**
1. Sign in to the IAM console ([https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/)) with your administrator account.
1. Under **Access management**, choose **Policies**.
1. Choose **Create policy**.
1. In the **Policy editor**, select the **JSON** tab, and then copy and paste one of the following policies.
**Note**
The following example policy supports the permissions needed to read AWS Glue metadata and its corresponding Amazon S3 data. However, you might need to modify this policy depending on how you've set up your Amazon S3 data. This policy doesn't include a KMS key to decrypt data.
Your AWS Glue resources and underlying Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::buckets"
],
"Condition": {
"StringEquals": {
"s3:ResourceAccount": [
"accountId"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucketFolders/*"
],
"Condition": {
"StringEquals": {
"s3:ResourceAccount": [
"accountId"
]
}
}
}
]
}
```
------
**Note**
The following example policy supports the permissions needed to read the results of an SQL query and use that as the input data. However, you might need to modify this policy depending on how your query is structured. This policy doesn't include a KMS key to decrypt data.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowCleanRoomsStartQuery",
"Effect": "Allow",
"Action": [
"cleanrooms:GetCollaborationAnalysisTemplate",
"cleanrooms:GetSchema",
"cleanrooms:StartProtectedQuery"
],
"Resource": "*"
},
{
"Sid": "AllowCleanRoomsGetAndUpdateQuery",
"Effect": "Allow",
"Action": [
"cleanrooms:GetProtectedQuery",
"cleanrooms:UpdateProtectedQuery"
],
"Resource": [
"arn:aws:cleanrooms:us-east-1:111122223333:membership/queryRunnerMembershipId"
]
}
]
}
```
------
If you need to use a KMS key to decrypt data, add this AWS KMS statement to the template:
```
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": [
"arn:aws:kms:region:accountId:key/keyId"
],
"Condition": {
"ArnLike": {
"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucketFolders*"
}
}
}
]
}
```
1. Replace each *placeholder* with your own information:
+ *buckets* – The **Amazon Resource Name (ARN)** of the S3 bucket. The **Amazon Resource Name (ARN)** can be found on the **Properties** tab of the bucket in Amazon S3.
+ *accountId* – The AWS account ID in which the S3 bucket is located.
+ *bucketFolders* – The name of specific folders in the S3 bucket that AWS Clean Rooms needs to access.
+ *region* – The name of the AWS Region. For example, **us-east-1**.
+ *queryRunnerAccountId* – The AWS account ID of the account that will run queries.
+ *queryRunnerMembershipId* – The **Membership ID** of the member who can query. The **Membership ID** can be found on the **Details** tab of the collaboration. This ensures that AWS Clean Rooms is assuming the role only when this member runs the analysis in this collaboration.
+ *keyId* – The KMS key needed to encrypt your data.
1. Choose **Next**.
1. For **Review and create**, enter a **Policy name** and **Description**, and review the **Summary**.
1. Choose **Create policy**.
You have created a policy for AWS Clean Rooms.
1. Under **Access management**, choose **Roles**.
With **Roles**, you can create short-term credentials, which is recommended for increased security. You can also choose **Users** to create long-term credentials.
1. Choose **Create role**.
1. In the **Create role** wizard, for **Trusted entity type**, choose **Custom trust policy**.
1. Copy and paste the following custom trust policy into the JSON editor.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "cleanrooms-ml.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEqualsIfExists": {
"aws:SourceAccount": ["111122223333"]
},
"ArnLikeIfExists": {
"aws:SourceArn": "arn:aws:cleanrooms-ml:us-east-1:111122223333:audience-generation-job/*"
}
}
}
]
}
```
------
The `SourceAccount` is always your AWS account. The `SourceArn` can be limited to a specific training dataset, but only after that dataset is created. Because you don't yet know the training dataset ARN, the wildcard is specified here.
1. Choose **Next**.
1. Select the check box next to the name of the policy you created, and then choose **Next**.
1. For **Name, review, and create**, enter the **Role name** and **Description**.
**Note**
The **Role name** must match the pattern in the `passRole` permissions granted to the member who can query and receive results and member roles.
1. Review **Select trusted entities**, and edit if necessary.
1. Review the permissions in **Add permissions**, and edit if necessary.
1. Review the **Tags**, and add tags if necessary.
1. Choose **Create role**.
You have created the service role for AWS Clean Rooms.
## Set up service roles for custom modeling
**Topics**
+ [Create a service role for custom ML modeling - ML Configuration](#ml-roles-custom-configure)
+ [Create a service role to provide a custom ML model](#ml-roles-custom-model-provider)
+ [Create a service role to query a dataset](#ml-roles-custom-query-dataset)
+ [Create a service role to create a configured table association](#ml-roles-custom-configure-table)
### Create a service role for custom ML modeling - ML Configuration
AWS Clean Rooms uses a service role to control who can create a custom ML configuration. You can create this role using the console if you have the necessary IAM permissions. If you don't have `CreateRole` permissions, ask your administrator to create the service role.
This role allows you to use the [PutMLConfiguration](https://docs.aws.amazon.com/cleanrooms-ml/latest/APIReference/API_PutMLConfiguration.html) action.
**To create a service role to allow creation of a custom ML configuration**
1. Sign in to the IAM console ([https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/)) with your administrator account.
1. Under **Access management**, choose **Policies**.
1. Choose **Create policy**.
1. In the **Policy editor**, select the **JSON** tab, and then copy and paste the following policy.
**Note**
The following example policy supports the permissions needed to access and write data to an S3 bucket and to publish CloudWatch metrics. However, you might need to modify this policy depending on how you've set up your Amazon S3 data. This policy doesn't include a KMS key to decrypt data.
Your Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowS3ObjectWriteForExport",
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket/*"
],
"Condition": {
"StringEquals": {
"s3:ResourceAccount": [
"111122223333"
]
}
}
},
{
"Sid": "AllowS3KMSEncryptForExport",
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:GenerateDataKey*"
],
"Resource": [
"arn:aws:kms:us-east-1:111122223333:key/keyId"
],
"Condition": {
"StringLike": {
"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::bucket*"
}
}
},
{
"Sid": "AllowCloudWatchMetricsPublishingForTrainingJobs",
"Action": "cloudwatch:PutMetricData",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringLike": {
"cloudwatch:namespace": "/aws/cleanroomsml/*"
}
}
},
{
"Sid": "AllowCloudWatchLogsPublishingForTrainingOrInferenceJobs",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:111122223333:log-group:/aws/cleanroomsml/*"
]
}
]
}
```
------
1. Replace each *placeholder* with your own information:
+ *bucket* – The **Amazon Resource Name (ARN)** of the S3 bucket. The **Amazon Resource Name (ARN)** can be found on the **Properties** tab of the bucket in Amazon S3.
+ *region* – The name of the AWS Region. For example, **us-east-1**.
+ *accountId* – The AWS account ID in which the S3 bucket is located.
+ *keyId* – The KMS key needed to encrypt your data.
1. Choose **Next**.
1. For **Review and create**, enter a **Policy name** and **Description**, and review the **Summary**.
1. Choose **Create policy**.
You have created a policy for AWS Clean Rooms.
1. Under **Access management**, choose **Roles**.
With **Roles**, you can create short-term credentials, which is recommended for increased security. You can also choose **Users** to create long-term credentials.
1. Choose **Create role**.
1. In the **Create role** wizard, for **Trusted entity type**, choose **Custom trust policy**.
1. Copy and paste the following custom trust policy into the JSON editor.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cleanrooms-ml.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "111122223333"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:cleanrooms:us-east-1:111122223333:membership/membershipID"
}
}
}
]
}
```
------
The `SourceAccount` is always your AWS account. The `SourceArn` can be limited to a specific training dataset, but only after that dataset is created. Because you don't yet know the training dataset ARN, the wildcard is specified here.
1. Choose **Next**.
1. Select the check box next to the name of the policy you created, and then choose **Next**.
1. For **Name, review, and create**, enter the **Role name** and **Description**.
**Note**
The **Role name** must match the pattern in the `passRole` permissions granted to the member who can query and receive results and member roles.
1. Review **Select trusted entities**, and edit if necessary.
1. Review the permissions in **Add permissions**, and edit if necessary.
1. Review the **Tags**, and add tags if necessary.
1. Choose **Create role**.
You have created the service role for AWS Clean Rooms.
### Create a service role to provide a custom ML model
AWS Clean Rooms uses a service role to control who can create a custom ML model algorithm. You can create this role using the console if you have the necessary IAM permissions. If you don't have `CreateRole` permissions, ask your administrator to create the service role.
This role allows you to use the [CreateConfiguredModelAlgorithm](https://docs.aws.amazon.com/cleanrooms-ml/latest/APIReference/API_CreateConfiguredModelAlgorithm.html) action.
**To create a service role to allow a member to provide a custom ML model**
1. Sign in to the IAM console ([https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/)) with your administrator account.
1. Under **Access management**, choose **Policies**.
1. Choose **Create policy**.
1. In the **Policy editor**, select the **JSON** tab, and then copy and paste the following policy.
**Note**
The following example policy supports the permissions needed to retrieve the docker image that contains the model algorithm. However, you might need to modify this policy depending on how you've set up your Amazon S3 data. This policy doesn't include a KMS key to decrypt data.
Your Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowECRImageDownloadForTrainingAndInferenceJobs",
"Effect": "Allow",
"Action": [
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer"
],
"Resource": "arn:aws:ecr:us-east-1:111122223333:repository/repoName"
}
]
}
```
------
1. Replace each *placeholder* with your own information:
+ *region* – The name of the AWS Region. For example, **us-east-1**.
+ *accountId* – The AWS account ID in which the S3 bucket is located.
+ *repoName* – The name of the repository that contains your data.
1. Choose **Next**.
1. For **Review and create**, enter a **Policy name** and **Description**, and review the **Summary**.
1. Choose **Create policy**.
You have created a policy for AWS Clean Rooms.
1. Under **Access management**, choose **Roles**.
With **Roles**, you can create short-term credentials, which is recommended for increased security. You can also choose **Users** to create long-term credentials.
1. Choose **Create role**.
1. In the **Create role** wizard, for **Trusted entity type**, choose **Custom trust policy**.
1. Copy and paste the following custom trust policy into the JSON editor.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cleanrooms-ml.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
------
The `SourceAccount` is always your AWS account The `SourceArn` can be limited to a specific training dataset, but only after that dataset is created. Because you don't yet know the training dataset ARN, the wildcard is specified here.
1. Choose **Next**.
1. Select the check box next to the name of the policy you created, and then choose **Next**.
1. For **Name, review, and create**, enter the **Role name** and **Description**.
**Note**
The **Role name** must match the pattern in the `passRole` permissions granted to the member who can query and receive results and member roles.
1. Review **Select trusted entities**, and edit if necessary.
1. Review the permissions in **Add permissions**, and edit if necessary.
1. Review the **Tags**, and add tags if necessary.
1. Choose **Create role**.
You have created the service role for AWS Clean Rooms.
### Create a service role to query a dataset
AWS Clean Rooms uses a service role to control who can query a dataset that will be used for custom ML modeling. You can create this role using the console if you have the necessary IAM permissions. If you don't have `CreateRole` permissions, ask your administrator to create the service role.
This role allows you to use the [CreateMLInputChannel](https://docs.aws.amazon.com/cleanrooms-ml/latest/APIReference/API_CreateMLInputChannel.html) action.
**To create a service role to allow a member to query a dataset**
1. Sign in to the IAM console ([https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/)) with your administrator account.
1. Under **Access management**, choose **Policies**.
1. Choose **Create policy**.
1. In the **Policy editor**, select the **JSON** tab, and then copy and paste the following policy.
**Note**
The following example policy supports the permissions needed to query a dataset that will be used for custom ML modeling. However, you might need to modify this policy depending on how you've set up your Amazon S3 data. This policy doesn't include a KMS key to decrypt data.
Your Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowCleanRoomsStartQueryForMLInputChannel",
"Effect": "Allow",
"Action": "cleanrooms:StartProtectedQuery",
"Resource": "*"
},
{
"Sid": "AllowCleanroomsGetSchemaAndGetAnalysisTemplateForMLInputChannel",
"Effect": "Allow",
"Action": [
"cleanrooms:GetSchema",
"cleanrooms:GetCollaborationAnalysisTemplate"
],
"Resource": "*"
},
{
"Sid": "AllowCleanRoomsGetAndUpdateQueryForMLInputChannel",
"Effect": "Allow",
"Action": [
"cleanrooms:GetProtectedQuery",
"cleanrooms:UpdateProtectedQuery"
],
"Resource": [
"arn:aws:cleanrooms:us-east-1:111122223333:membership/queryRunnerMembershipId"
]
}
]
}
```
------
1. Replace each *placeholder* with your own information:
+ *region* – The name of the AWS Region. For example, **us-east-1**.
+ *queryRunnerAccountId* – The AWS account ID of the account that will run the queries.
+ *queryRunnerMembershipId* – The **Membership ID** of the member who can query. The **Membership ID** can be found on the **Details** tab of the collaboration. This ensures that AWS Clean Rooms is assuming the role only when this member runs the analysis in this collaboration.
1. Choose **Next**.
1. For **Review and create**, enter a **Policy name** and **Description**, and review the **Summary**.
1. Choose **Create policy**.
You have created a policy for AWS Clean Rooms.
1. Under **Access management**, choose **Roles**.
With **Roles**, you can create short-term credentials, which is recommended for increased security. You can also choose **Users** to create long-term credentials.
1. Choose **Create role**.
1. In the **Create role** wizard, for **Trusted entity type**, choose **Custom trust policy**.
1. Copy and paste the following custom trust policy into the JSON editor.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cleanrooms-ml.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
------
The `SourceAccount` is always your AWS account The `SourceArn` can be limited to a specific training dataset, but only after that dataset is created. Because you don't yet know the training dataset ARN, the wildcard is specified here.
1. Choose **Next**.
1. Select the check box next to the name of the policy you created, and then choose **Next**.
1. For **Name, review, and create**, enter the **Role name** and **Description**.
**Note**
The **Role name** must match the pattern in the `passRole` permissions granted to the member who can query and receive results and member roles.
1. Review **Select trusted entities**, and edit if necessary.
1. Review the permissions in **Add permissions**, and edit if necessary.
1. Review the **Tags**, and add tags if necessary.
1. Choose **Create role**.
You have created the service role for AWS Clean Rooms.
### Create a service role to create a configured table association
AWS Clean Rooms uses a service role to control who can create a configured table association. You can create this role using the console if you have the necessary IAM permissions. If you don't have `CreateRole` permissions, ask your administrator to create the service role.
This role allows you to use the CreateConfiguredTableAssociation action.
**To create a service role to allow creation of a configured table association**
1. Sign in to the IAM console ([https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/)) with your administrator account.
1. Under **Access management**, choose **Policies**.
1. Choose **Create policy**.
1. In the **Policy editor**, select the **JSON** tab, and then copy and paste the following policy.
**Note**
The following example policy supports the creation of a configured table association. However, you might need to modify this policy depending on how you've set up your Amazon S3 data. This policy doesn't include a KMS key to decrypt data.
Your Amazon S3 resources must be in the same AWS Region as the AWS Clean Rooms collaboration.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:us-east-1:111122223333:key/KMS-key-ID",
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::bucket-name",
"Effect": "Allow"
},
{
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/*",
"Effect": "Allow"
},
{
"Action": [
"glue:GetDatabase",
"glue:GetDatabases",
"glue:GetTable",
"glue:GetTables",
"glue:GetPartitions",
"glue:GetPartition",
"glue:BatchGetPartition"
],
"Resource": [
"arn:aws:glue:us-east-1:111122223333:catalog",
"arn:aws:glue:us-east-1:111122223333:database/Glue database name",
"arn:aws:glue:us-east-1:111122223333:table/Glue database name/Glue table name"
],
"Effect": "Allow"
},
{
"Action": [
"glue:GetSchema",
"glue:GetSchemaVersion"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
```
------
**Replace Placeholder Resource ARNs**
When using this policy, you must replace the placeholder resource identifiers with the actual ARNs of your resources:
**AWS KMS Key Resource**: Replace *KMS-key-ID* with the actual AWS KMS key ID that encrypts your Amazon S3 data. The key must be in the same account (111122223333) that owns the AWS Glue catalog resources.
**Amazon S3 Bucket Resources**: Replace *bucket-name* with the actual name of the Amazon S3 bucket that contains your AWS Glue table data. Note that Amazon S3 bucket ARNs don't include account IDs since bucket names are globally unique.
**AWS Glue Resources**: Replace the following placeholders with your actual resource names:
*Glue database name* - The name of your AWS Glue database
*Glue table name* - The name of your AWS Glue table
All AWS Glue resources (catalog, database, and table) must be in the same AWS account (111122223333) to ensure consistent access permissions. This account should be the same one that owns the AWS KMS key used for data encryption, creating a unified security boundary for your AWS Clean Rooms data resources.
1. Replace each *placeholder* with your own information:
+ *KMS key used to encrypt the Amazon S3 data* – The KMS key that was used to encrypt the Amazon S3 data. In order to decrypt the data, you need to provide the same KMS key that was used to encrypt the data.
+ *Amazon S3 bucket of AWS Glue table* – The name of the Amazon S3 bucket that contains the AWS Glue table that contains your data.
+ *region* – The name of the AWS Region. For example, **us-east-1**.
+ *accountId* – The AWS account ID of the account that owns the data.
+ *AWS Glue database name* – The name of the AWS Glue database that contains your data.
+ *AWS Glue table name* – The name of the AWS Glue table that contains your data.
1. Choose **Next**.
1. For **Review and create**, enter a **Policy name** and **Description**, and review the **Summary**.
1. Choose **Create policy**.
You have created a policy for AWS Clean Rooms.
1. Under **Access management**, choose **Roles**.
With **Roles**, you can create short-term credentials, which is recommended for increased security. You can also choose **Users** to create long-term credentials.
1. Choose **Create role**.
1. In the **Create role** wizard, for **Trusted entity type**, choose **Custom trust policy**.
1. Copy and paste the following custom trust policy into the JSON editor.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cleanrooms-ml.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
------
The `SourceAccount` is always your AWS account The `SourceArn` can be limited to a specific training dataset, but only after that dataset is created. Because you don't yet know the training dataset ARN, the wildcard is specified here.
1. Choose **Next**.
1. Select the check box next to the name of the policy you created, and then choose **Next**.
1. For **Name, review, and create**, enter the **Role name** and **Description**.
**Note**
The **Role name** must match the pattern in the `passRole` permissions granted to the member who can query and receive results and member roles.
1. Review **Select trusted entities**, and edit if necessary.
1. Review the permissions in **Add permissions**, and edit if necessary.
1. Review the **Tags**, and add tags if necessary.
1. Choose **Create role**.
You have created the service role for AWS Clean Rooms.