Robocorp-hosted containers

Robocorp-hosted Cloud Workers are implemented as containers running on Amazon Elastic Container Service (ECS). The containers have a specific IAM role that can be utilized for granting permissions to AWS resources on your account.

Use cases:

  • Accessing parameters from AWS Systems Manager Parameter Store or secrets from AWS Secrets Manager
  • Accessing objects from S3
  • Interacting with the Redshift Data API
  • Installing private dependencies from AWS CodeArtifact

Technically, this is done by invoking the AWS STS AssumeRole operation from the task to assume a role that grants access to your infrastructure.

  • The task is running with role arn:aws:iam::ACCOUNT_ID:role/RobocorpRobotRole. Robocorp utilizes multiple AWS accounts for hosting the containers and ACCOUNT_ID depends on your deployment. Please get in touch with your Customer Success representative to get the account ID for your deployment.
  • The task role has permission to assume any role matching the pattern arn:aws:iam::*:role/RobocorpRobotAssumableRole*. Therefore you can create any IAM role starting with RobocorpRobotAssumableRole on your account and assume it from the robot.
  • We recommend always requiring an External ID on the role to prevent unauthorized usage. External ID can be configured e.g. in Control Room Vault for the task to access.
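
The trust policy these points describe, with a check you can run over a role before relying on it. This is an added example, not Robocorp's own code: the function names are hypothetical, and the account ID `111122223333` and the External ID value are constructed placeholders.

```python
import json

# Added example; helper names are hypothetical, role names come from the page.
TASK_ROLE_NAME = "RobocorpRobotRole"
ASSUMABLE_PREFIX = "RobocorpRobotAssumableRole"


def build_trust_policy(robocorp_account_id, external_id):
    """Trust policy for a RobocorpRobotAssumableRole* role in your account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{robocorp_account_id}:role/{TASK_ROLE_NAME}"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_role(role_name, trust_policy, robocorp_account_id):
    """Return a list of findings; an empty list means the role matches the guidance."""
    findings = []
    expected = f"arn:aws:iam::{robocorp_account_id}:role/{TASK_ROLE_NAME}"
    if not role_name.startswith(ASSUMABLE_PREFIX):
        findings.append("role name does not start with " + ASSUMABLE_PREFIX)
    for i, stmt in enumerate(_as_list(trust_policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for arn in arns:
            if arn != expected:  # wildcard or any other principal can also assume the role
                findings.append(f"statement {i}: unexpected principal {arn}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:  # without this, knowing the role ARN is enough to assume it
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    # Constructed values: placeholder account ID and External ID.
    policy = build_trust_policy("111122223333", "example-external-id")
    print(json.dumps(policy, indent=2))
    print(audit_role("RobocorpRobotAssumableRoleS3", policy, "111122223333"))
```

The robot must pass the same External ID value in its AssumeRole call that the trust policy's `sts:ExternalId` condition requires.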
Last edit: October 17, 2023