Several Streamkap connectors need access to resources in your AWS account. Instead of sharing long-lived access keys, Streamkap uses cross-account IAM role assumption — a secure, auditable mechanism built into AWS.

When You Need Cross-Account Access

Cross-account IAM configuration is required when Streamkap needs to interact with AWS resources that live in your AWS account:
  • S3 destination — writing CDC data to your S3 bucket
  • Apache Iceberg with AWS Glue catalog — managing Glue catalog tables and writing to your S3 storage
  • Redshift — loading data into a Redshift cluster in your account
  • BYOC deployments — provisioning and managing infrastructure in your AWS sub-account
  • Any AWS resource not hosted in Streamkap’s managed account
Some connectors (such as S3) also support AWS Access Key / Secret Access Key authentication. Cross-account IAM role assumption is the recommended approach for production environments because it avoids long-lived credentials.

How It Works

Cross-account role assumption follows a trust-based model:
  1. You create an IAM role in your AWS account with the permissions Streamkap needs.
  2. You attach a trust policy to that role that allows Streamkap’s AWS account to assume it.
  3. Streamkap calls sts:AssumeRole to obtain temporary credentials scoped to that role.
  4. Streamkap uses those temporary credentials to access your resources.
This means no permanent credentials are exchanged. Streamkap receives short-lived session tokens that automatically expire, and every action is logged in AWS CloudTrail under the assumed role.

Step-by-Step Setup

Step 1. Create an IAM Role in Your AWS Account

  1. Sign in to the AWS IAM Console.
  2. Navigate to Roles in the sidebar.
  3. Click Create role.
  4. Under Trusted entity type, select Custom trust policy.
  5. Paste the trust policy from the Trust Policy Template section below.
  6. Click Next.
Step 2. Attach Permission Policies

Attach one or more permission policies depending on which Streamkap connectors you are using. See the Permission Policies by Resource section for ready-to-use templates.
  1. On the Add permissions page, click Create policy (opens in a new tab).
  2. Switch to the JSON tab and paste the appropriate policy.
  3. Name the policy descriptively (e.g., StreamkapS3Access, StreamkapGlueAccess).
  4. Return to the role creation tab and attach the newly created policy.
  5. Click Next.
Step 3. Name and Create the Role

  1. Enter a Role name (e.g., StreamkapConnectorAccess).
  2. Review the trust policy and permissions.
  3. Click Create role.
  4. On the role detail page, copy the Role ARN (e.g., arn:aws:iam::<your-account-id>:role/StreamkapConnectorAccess).
Step 4. Provide the Role ARN to Streamkap

During connector configuration in the Streamkap app, paste the Role ARN into the AWS IAM Role field. For BYOC deployments, share the Role ARN with the Streamkap team directly.

Trust Policy Template

The trust policy controls who can assume the role. The following template grants Streamkap’s AWS account the ability to assume the role, with an external ID condition to prevent confused deputy attacks.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::300973880807:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<your-external-id>"
        }
      }
    }
  ]
}
Streamkap’s AWS account ID is 300973880807. The external ID will be provided during connector setup in the Streamkap app. If you need these values before starting the connector configuration, contact Streamkap support.
For some connectors (such as AWS Glue), the trust policy principal may reference a specific IAM role rather than the account root. In that case, use:
"Principal": {
  "AWS": "arn:aws:iam::300973880807:role/kafkaConnectTenantAccessRole"
}
The Streamkap app will indicate which principal to use during connector setup.
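The following script is an added example, not Streamkap's code: a stand-alone Python check that reviews a trust policy (pasted from the IAM console) against the template above before the role is handed over. It uses the account ID and role principal shown on this page; the external ID value `example-external-id-123` and the `OPEN_TRUST_POLICY` sample are constructed for illustration and stand in for the value the Streamkap app provides.

```python
import json

# Values taken from this page: Streamkap's account ID and the role-based principal
# that some connectors (such as AWS Glue) use instead of the account root.
STREAMKAP_ACCOUNT_ID = "300973880807"
ALLOWED_PRINCIPALS = {
    STREAMKAP_ACCOUNT_ID,  # a bare account ID is normalised by IAM to the :root ARN
    f"arn:aws:iam::{STREAMKAP_ACCOUNT_ID}:root",
    f"arn:aws:iam::{STREAMKAP_ACCOUNT_ID}:role/kafkaConnectTenantAccessRole",
}
TEMPLATE_PLACEHOLDER = "<your-external-id>"


def _as_list(value):
    """IAM policy JSON allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, expected_external_id: str) -> list:
    """Return a list of findings; an empty list means the trust policy matches the template."""
    findings = []
    saw_assume_role = False
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        saw_assume_role = True
        principal = stmt.get("Principal", {})
        # A wildcard principal lets any AWS account attempt the assumption; the external
        # ID is a confused-deputy guard, not an authentication secret, so flag this.
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("Principal is '*': any AWS account could assume this role")
        elif isinstance(principal, dict) and "AWS" in principal:
            for p in _as_list(principal.get("AWS")):
                if p not in ALLOWED_PRINCIPALS:
                    findings.append(f"unexpected principal {p!r}; expected Streamkap account {STREAMKAP_ACCOUNT_ID}")
        else:
            findings.append("Principal must name Streamkap's AWS account or role, not a service or federated principal")
        # The external ID must be an exact-match (StringEquals) condition, as in the template.
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append("missing Condition StringEquals sts:ExternalId (confused deputy protection)")
        elif external_id in ("", TEMPLATE_PLACEHOLDER):
            findings.append("sts:ExternalId is still the template placeholder")
        elif external_id != expected_external_id:
            findings.append("sts:ExternalId does not match the value provided by Streamkap")
    if not saw_assume_role:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings


def check_trust_policy_json(text: str, expected_external_id: str) -> list:
    """Same check for a policy pasted as a JSON string (e.g. copied from the IAM console)."""
    return check_trust_policy(json.loads(text), expected_external_id)


# Constructed sample: the template with the placeholder replaced by an illustrative value.
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{STREAMKAP_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-123"}},
    }],
}

# Constructed sample: wildcard principal and no external ID condition.
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_TRUST_POLICY), ("open", OPEN_TRUST_POLICY)):
        print(name, check_trust_policy(policy, "example-external-id-123") or "OK")
```

Run it against the policy you are about to save; any finding other than an empty list means the role either cannot be assumed by Streamkap or can be assumed by more than Streamkap.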

Permission Policies by Resource

Attach only the permissions required for your specific use case. Each policy template below is minimal and scoped to specific resources.
Required for the S3 destination connector and any connector that writes data to your S3 bucket (including Apache Iceberg). Replace <bucket_name> with your actual S3 bucket name.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StreamkapS3Access",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "s3:ListBucketMultipartUploads",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket_name>",
        "arn:aws:s3:::<bucket_name>/*"
      ]
    }
  ]
}

Security Best Practices

Follow these guidelines to keep your cross-account IAM configuration secure:
  • Always use an external ID condition. The external ID in the trust policy prevents confused deputy attacks, where another AWS customer could trick Streamkap into accessing your resources.
  • Scope permissions to specific resources. Avoid using "Resource": "*" in permission policies. Always specify resource-level ARNs (bucket names, database names, cluster identifiers) to limit what the role can access.
  • Use separate roles for separate concerns. If you use multiple Streamkap connectors (e.g., S3 and Glue), consider whether a single role with combined permissions or separate roles per connector better fits your security posture.
  • Enable CloudTrail logging. AWS CloudTrail records every API call made by the assumed role. Enable CloudTrail in your account to maintain a full audit trail of Streamkap’s actions.
  • Review permissions periodically. As your Streamkap usage evolves, review the attached permission policies to ensure they still follow the principle of least privilege.
  • Do not attach AWS managed policies with broad access (e.g., AmazonS3FullAccess). Use the minimal custom policies provided in this guide.
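As an added example (not part of this guide's templates or Streamkap's tooling), the script below lints an S3 permission policy for the problems the best practices and the S3 template call out: a `Resource` of `"*"`, a wildcard action, an unreplaced `<bucket_name>` placeholder, a missing bucket or object ARN, and actions missing from the template's set. The bucket name `example-cdc-bucket` and the `OVERBROAD_POLICY` sample are constructed; the check is a structural comparison against the template, not a full IAM policy evaluation.

```python
import re

# The action set from the S3 policy template on this page; S3 writes need all of them
# (for example both s3:PutObject and s3:AbortMultipartUpload).
REQUIRED_S3_ACTIONS = {
    "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
    "s3:ListBucketMultipartUploads", "s3:GetBucketLocation",
}
BUCKET_ARN = re.compile(r"^arn:aws:s3:::([^/*]+)$")      # arn:aws:s3:::bucket-name
OBJECT_ARN = re.compile(r"^arn:aws:s3:::([^/*]+)/\*$")   # arn:aws:s3:::bucket-name/*


def _as_list(value):
    """IAM policy JSON allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_s3_policy(policy: dict, bucket_name: str) -> list:
    """Return findings for an S3 permission policy; empty means it matches the template's scope.

    Coarse structural check: actions and resources are pooled across Allow statements,
    so it cannot replace the IAM Policy Simulator for per-statement evaluation.
    """
    findings = []
    granted, buckets, objects = set(), set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard action grants far more than the connector needs")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' is not scoped to a bucket")
        for r in resources:
            if "<bucket_name>" in r:
                findings.append(f"{sid}: template placeholder <bucket_name> was not replaced")
            if m := BUCKET_ARN.match(r):
                buckets.add(m.group(1))
            if m := OBJECT_ARN.match(r):
                objects.add(m.group(1))
        granted.update(actions)
    # Both ARN forms are needed: bucket-level actions (ListBucket, GetBucketLocation) match
    # the bucket ARN, object-level actions (PutObject, AbortMultipartUpload, ...) match /*.
    if bucket_name not in buckets:
        findings.append(f"missing bucket ARN arn:aws:s3:::{bucket_name}")
    if bucket_name not in objects:
        findings.append(f"missing object ARN arn:aws:s3:::{bucket_name}/*")
    if not granted & {"*", "s3:*"}:
        missing = sorted(REQUIRED_S3_ACTIONS - granted)
        if missing:
            findings.append("missing actions: " + ", ".join(missing))
    return findings


# Constructed sample: the page's template with <bucket_name> replaced.
TEMPLATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "StreamkapS3Access",
        "Effect": "Allow",
        "Action": sorted(REQUIRED_S3_ACTIONS),
        "Resource": ["arn:aws:s3:::example-cdc-bucket", "arn:aws:s3:::example-cdc-bucket/*"],
    }],
}

# Constructed sample: unscoped resource and an incomplete action list.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BroadS3",
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    for name, policy in (("template", TEMPLATE_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, lint_s3_policy(policy, "example-cdc-bucket") or "OK")
```

A policy that passes this check still only grants what the template grants; if you add Glue or Redshift statements, extend the required-action set and ARN patterns rather than loosening the resource scope.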

Troubleshooting

This typically means the permission policy is missing required actions or the resource ARNs are incorrect.
  1. Verify the bucket name or Glue database name in the policy matches your actual resource.
  2. Confirm both the bucket ARN (arn:aws:s3:::bucket-name) and the object ARN (arn:aws:s3:::bucket-name/*) are included.
  3. Check that all required actions are listed. For example, S3 writes require both s3:PutObject and s3:AbortMultipartUpload.
  4. In the AWS Console, use IAM Policy Simulator or check CloudTrail logs to identify the exact denied action.
Streamkap cannot assume the role if the trust policy is misconfigured.
  1. Verify the Principal in the trust policy uses the correct Streamkap account ID (300973880807).
  2. Check that the external ID matches the value provided by Streamkap during connector setup.
  3. Ensure there are no typos in the trust policy JSON. Note: the double colon in arn:aws:iam::300973880807:root is correct — IAM is a global service, so the region field is empty.
  4. If using a role-based principal (e.g., for Glue), confirm the full role ARN is correct: arn:aws:iam::300973880807:role/kafkaConnectTenantAccessRole.
If Streamkap can perform some operations but not others, the permission policy is likely incomplete.
  1. Compare your policy against the templates in the Permission Policies by Resource section.
  2. Check for missing actions. For example, Glue catalog operations require both table-level and partition-level actions.
  3. Verify the Resource ARN patterns cover all required resources. A policy scoped to a specific table will fail when the connector tries to create a new table.
  4. Review CloudTrail for AccessDenied events to identify the specific missing action and resource.
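To make the CloudTrail review in the troubleshooting steps above concrete, here is an added example (not Streamkap's code) that filters exported CloudTrail records down to denied calls made with credentials issued by your Streamkap role and turns each one into the IAM action that the permission policy is missing. The `SAMPLE_EVENTS` records are constructed for the example and use a made-up customer account ID (`111122223333`); the field names (`userIdentity.sessionContext.sessionIssuer.arn`, `errorCode`, `eventSource`, `eventName`, `requestParameters`) are the standard CloudTrail record fields, and the `DENIED_CODES` set is an assumption covering the common denial codes.

```python
from collections import Counter

# eventSource -> IAM action prefix, so a denied event maps to a policy action to add.
ACTION_PREFIX = {"s3.amazonaws.com": "s3", "glue.amazonaws.com": "glue"}
# Assumption: the error codes CloudTrail records for authorization failures.
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}


def _issuer_role_name(record: dict) -> str:
    """Role name from userIdentity.sessionContext.sessionIssuer.arn, or '' if absent."""
    issuer = record.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
    arn = issuer.get("arn", "")
    return arn.rsplit("/", 1)[-1] if ":role/" in arn else ""


def denied_events_for_role(records, role_name: str) -> list:
    """Keep only denied calls made with temporary credentials issued by role_name."""
    return [r for r in records
            if r.get("errorCode") in DENIED_CODES and _issuer_role_name(r) == role_name]


def summarize_denials(records, role_name: str) -> dict:
    """Count denials per (eventSource, eventName) for the role."""
    return dict(Counter((r["eventSource"], r["eventName"])
                        for r in denied_events_for_role(records, role_name)))


def suggested_actions(records, role_name: str) -> list:
    """Denied calls expressed as IAM actions, in the form used in permission policies."""
    actions = set()
    for r in denied_events_for_role(records, role_name):
        prefix = ACTION_PREFIX.get(r["eventSource"])
        if prefix:
            actions.add(f"{prefix}:{r['eventName']}")
    return sorted(actions)


def _event(name, source="s3.amazonaws.com", error=None, role="StreamkapConnectorAccess", params=None):
    """Build a constructed CloudTrail record for an assumed-role session (sample data)."""
    rec = {
        "eventSource": source,
        "eventName": name,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::111122223333:assumed-role/{role}/streamkap-session",
            "sessionContext": {"sessionIssuer": {
                "type": "Role",
                "arn": f"arn:aws:iam::111122223333:role/{role}",
            }},
        },
        "requestParameters": params or {},
    }
    if error:
        rec["errorCode"] = error
        rec["errorMessage"] = f"User is not authorized to perform: {name}"
    return rec


# Constructed sample trail: two S3 denials and one Glue denial for the Streamkap role,
# one successful write, and one denial from an unrelated role that must be ignored.
SAMPLE_EVENTS = [
    _event("PutObject", error="AccessDenied",
           params={"bucketName": "example-cdc-bucket", "key": "orders/part-00000.parquet"}),
    _event("AbortMultipartUpload", error="AccessDenied",
           params={"bucketName": "example-cdc-bucket", "key": "orders/part-00001.parquet"}),
    _event("GetTable", source="glue.amazonaws.com", error="AccessDenied",
           params={"databaseName": "cdc", "name": "orders"}),
    _event("PutObject", params={"bucketName": "example-cdc-bucket", "key": "orders/_metadata"}),
    _event("GetObject", error="AccessDenied", role="AnalyticsReadOnly",
           params={"bucketName": "example-cdc-bucket", "key": "orders/part-00000.parquet"}),
]

if __name__ == "__main__":
    print(summarize_denials(SAMPLE_EVENTS, "StreamkapConnectorAccess"))
    print("add to policy:", suggested_actions(SAMPLE_EVENTS, "StreamkapConnectorAccess"))
```

Feed it the `Records` array from a CloudTrail export (or the rows of an Athena query over your trail) and compare the suggested actions with the template for the connector; the `requestParameters` of each denied record tells you which bucket or Glue database the `Resource` ARNs must cover.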
Temporary credentials obtained through role assumption have a maximum session duration.
  1. Check the Maximum session duration setting on your IAM role (default is 1 hour, configurable up to 12 hours). Streamkap automatically refreshes credentials, but very short durations may cause issues.
  2. Verify the IAM role has not been modified or had policies detached since initial setup.
  3. Check if AWS Service Control Policies (SCPs) in your organization have changed and are now blocking the required actions.
BYOC-specific IAM requirements: BYOC deployments have additional IAM requirements for infrastructure provisioning. Refer to the AWS BYOC page for the complete setup instructions, including CloudFormation templates.
Session tags and permission boundaries: Streamkap does not currently use IAM session tags or permission boundaries during role assumption. If your organization enforces permission boundaries, ensure the boundary policy permits the actions listed in the permission policies above.