
# AWS IAM roles for Streaming runners

export const maia = "Maia";

export const s_runner = "Streaming runner";

export const RunnerMetadata = ({runnerType, platforms = []}) => {
  return <div style={{
    background: 'var(--colors-background-light, #f9fafb)',
    border: '1px solid var(--colors-border-default, #e5e7eb)',
    borderRadius: '12px',
    padding: '20px 28px',
    marginBottom: '28px',
    boxShadow: '0 1px 4px rgba(0,0,0,0.10)'
  }}>
      <table style={{
    width: '100%',
    borderCollapse: 'collapse'
  }}>
        <tbody>
          <tr>
            <td style={{
    fontWeight: '600',
    paddingRight: '32px',
    paddingBottom: '14px',
    whiteSpace: 'nowrap',
    verticalAlign: 'middle',
    width: '180px'
  }}>Runner type</td>
            <td style={{
    paddingBottom: '14px',
    verticalAlign: 'middle'
  }}>{runnerType}</td>
          </tr>
          <tr>
            <td style={{
    fontWeight: '600',
    paddingRight: '32px',
    whiteSpace: 'nowrap',
    verticalAlign: 'middle'
  }}>Runner platform</td>
            <td style={{
    verticalAlign: 'middle'
  }}>
              <div style={{
    display: 'flex',
    flexWrap: 'wrap',
    gap: '8px'
  }}>
                {platforms.map((platform, i) => <span key={i} style={{
    background: '#dcfce7',
    color: '#15803d',
    border: '1px solid #bbf7d0',
    borderRadius: '9999px',
    padding: '3px 12px',
    fontSize: '0.85rem',
    fontWeight: '500',
    whiteSpace: 'nowrap'
  }}>
                    {platform} ✅
                  </span>)}
              </div>
            </td>
          </tr>
        </tbody>
      </table>
    </div>;
};

<RunnerMetadata runnerType="Streaming" platforms={["AWS"]} />

To use your {s_runner} in AWS, two IAM roles may need to be configured so that the component parts of an agent installation have the access they require.

***

## AWS ECS Fargate

The two required roles are:

* Task role
* Task execution role

### Task role

This is the role that a running instance of an agent will use. Use an IAM role with permissions similar to a {maia} role. If you reuse the same IAM role, you might need to add `ecs-tasks.amazonaws.com` to the `Service` list in the **Trust Relationship** section of your IAM role so that the ECS service can assume it. An example trusted entity is as follows:

```json theme={null}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ecs-tasks.amazonaws.com",
                    "ec2.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

The role will need to allow access to AWS Secrets Manager for the secrets that will be used in setting up a pipeline, and S3 if using [S3 as a destination](/docs/streaming/amazon-s3-streaming-destination).

For Secrets Manager, the `ListSecrets` and `GetSecretValue` actions are required, and the resources can be restricted to just the secrets that will be used by the pipeline.

When using S3 as a destination for streaming, the `ListBucket`, `GetObject`, `PutObject`, and `DeleteObject` permissions are required.

An example role policy would be:

```json theme={null}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:ListSecrets"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```
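The policy above grants both statements on `"Resource": "*"`, while the text notes that the Secrets Manager resources can be restricted to the pipeline's own secrets. As an added example that is not part of the original docs, the Python below builds the same task role policy scoped to a given list of secret ARNs and the S3 destination bucket (the ARNs and bucket name are constructed placeholders, not real values), and includes a small check that flags wildcard Allow statements, which applies equally to the task execution role's inline policy in the next section.

```python
import json

# Constructed sample values (not from the page): the secrets a pipeline
# reads and the S3 destination bucket. Substitute your own.
PIPELINE_SECRET_ARNS = [
    "arn:aws:secretsmanager:eu-west-1:123456789012:secret:maia/source-db-AbCdEf",
    "arn:aws:secretsmanager:eu-west-1:123456789012:secret:maia/kafka-GhIjKl",
]
DESTINATION_BUCKET = "example-streaming-destination"


def allow(sid, actions, resource):
    return {"Sid": sid, "Effect": "Allow", "Action": actions, "Resource": resource}


def task_role_policy(secret_arns, bucket=None):
    """Task role policy with resources scoped to the pipeline's secrets
    and, when a bucket is given, to the S3 destination only."""
    statements = [
        allow("PipelineSecrets", ["secretsmanager:GetSecretValue"], list(secret_arns)),
        # ListSecrets has no resource-level scoping in IAM, so "*" stays;
        # it returns secret metadata only, never secret values.
        allow("ListSecretMetadata", ["secretsmanager:ListSecrets"], "*"),
    ]
    if bucket:
        # ListBucket targets the bucket ARN; the object actions target the
        # object ARN pattern, so the two need separate statements.
        statements.append(allow("DestinationBucket", ["s3:ListBucket"],
                                f"arn:aws:s3:::{bucket}"))
        statements.append(allow("DestinationObjects",
                                ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                                f"arn:aws:s3:::{bucket}/*"))
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_allows(policy):
    """Sids (or positions) of Allow statements that grant on every resource,
    the check to run before attaching any policy pasted from an example."""
    hits = []
    for i, st in enumerate(policy["Statement"]):
        res = st.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if st.get("Effect") == "Allow" and "*" in res:
            hits.append(st.get("Sid", i))
    return hits


if __name__ == "__main__":
    policy = task_role_policy(PIPELINE_SECRET_ARNS, DESTINATION_BUCKET)
    print(json.dumps(policy, indent=4))
    print("wildcard Allow statements:", wildcard_allows(policy))
```

Run it to print a policy you can paste into the task role; the only remaining wildcard is the `ListSecrets` statement, which IAM cannot scope further.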

### Task execution role

This role grants the ECS container and Fargate agents permission to make AWS API calls. If you don't have an existing ECS task execution role, you will get the option to create one when creating a task definition.

In order for the agent credentials to be accessed when they are stored in AWS Secrets Manager, the ECS task execution role will need to be given permission to AWS Secrets Manager.

To make this addition:

1. Navigate to **Roles** in the AWS management console, and locate your ECS task execution role. If you don't yet have this IAM role, this will be created after you have selected **Create new role** when creating your task definition. You may need to come back to this step when this is complete.

2. Go to **Add permissions** and select **Create inline policy**.

3. Choose the **JSON** tab, and replace the JSON displayed there with the block below, substituting your secret ARNs.

   ```json theme={null}
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "secretsmanager:GetSecretValue"
               ],
               "Resource": [
                   "arn:aws:secretsmanager:eu-west-1:<your-aws-account>:secret:<your-secret-arn-1>",
                   "arn:aws:secretsmanager:eu-west-1:<your-aws-account>:secret:<your-secret-arn-2>"
               ]
           }
       ]
   }
   ```

   For every set of credentials you store for an agent in a separate secret entry, add the ARN of that secret here. Alternatively, you can grant access to all secrets in the account by using the following policy instead:

   ```json theme={null}
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "secretsmanager:GetSecretValue"
               ],
               "Resource": "*"
           }
       ]
   }
   ```

4. Click **Review policy** to check the results.

5. Give your inline policy a name.

6. Click on **Create policy** to complete the creation and have it added to your role.
