Robocorp-hosted Cloud Workers are implemented as containers running on Amazon Elastic Container Service (ECS). The containers have a specific IAM role that can be utilized for granting permissions to AWS resources on your account.
Typical uses include:
- Accessing parameters from AWS Systems Manager Parameter Store or secrets from Secrets Manager
- Accessing objects from S3
- Interacting with the Redshift Data API
- Installing private dependencies from AWS CodeArtifact
Technically, this is done by invoking the AWS STS `AssumeRole` operation from the task to assume a role that grants access to your infrastructure.
- The task is running with role `arn:aws:iam::ACCOUNT_ID:role/RobocorpRobotRole`. Robocorp utilizes multiple AWS accounts for hosting the containers and `ACCOUNT_ID` depends on your deployment. Please get in touch with your Customer Success representative to get the account ID for your deployment.
- The task role has permission to assume any role matching the pattern `arn:aws:iam::*:role/RobocorpRobotAssumableRole*`. Therefore you can create any IAM role starting with `RobocorpRobotAssumableRole` on your account and assume it from the robot.
- We recommend always requiring an `External ID` on the role to prevent unauthorized usage. `External ID` can be configured, e.g., in Control Room Vault for the task to access.
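
The setup described above, as an added example that is not Robocorp's own code: the trust policy to attach to the role in your account (restricted to the Robocorp task role and an External ID), and the `AssumeRole` call made from the robot with boto3. The account IDs are placeholders and the function names are hypothetical; the External ID is assumed to be passed in by the caller, for instance after reading it from Control Room Vault.

```python
import json

ROBOCORP_ACCOUNT_ID = "111111111111"  # placeholder: ask Robocorp for your deployment's ID
ROLE_PREFIX = "RobocorpRobotAssumableRole"  # prefix the task role is allowed to assume


def build_trust_policy(robocorp_account_id: str, external_id: str) -> dict:
    """Trust policy for the role in your account: only the Robocorp task role
    may assume it, and only when it presents the agreed External ID."""
    if not external_id:
        raise ValueError("external_id must not be empty")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{robocorp_account_id}:role/RobocorpRobotRole"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def assumable_role_arn(account_id: str, suffix: str = "") -> str:
    """ARN of a role in your account whose name starts with the required prefix."""
    return f"arn:aws:iam::{account_id}:role/{ROLE_PREFIX}{suffix}"


def assume_customer_role(role_arn: str, external_id: str, session_name: str = "robocorp-task"):
    """Run inside the robot: returns a boto3 Session backed by temporary credentials."""
    if f":role/{ROLE_PREFIX}" not in role_arn:
        raise ValueError("role name must start with " + ROLE_PREFIX)
    import boto3  # imported late so the policy helpers work without boto3 installed
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name, ExternalId=external_id
    )["Credentials"]
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


if __name__ == "__main__":
    # Constructed External ID, for illustration only.
    print(json.dumps(build_trust_policy(ROBOCORP_ACCOUNT_ID, "example-external-id"), indent=2))
```

Attach only the permissions the robot needs (for example read access to a single S3 prefix) to the assumable role, since any task running under the Robocorp task role that knows the External ID can assume it.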