Security & IAM reference

This page documents exactly what LakeSail asks for when you connect an AWS account, and why. It's the reference your security team will want before approving a connection.

The trust model in one sentence

LakeSail never holds long-lived AWS credentials. You deploy a CloudFormation stack that creates an IAM role in your account with a scoped trust policy; LakeSail assumes that role on demand via sts:AssumeRole with an external ID. If you delete the role, LakeSail loses access immediately.

What the CloudFormation stack creates

The stack provisions one IAM role and a set of managed policies attached to it. The role:

  • Name — you choose (parameter IamRoleName).
  • Trust policy — allows only the LakeSail platform principal to assume the role, and requires the correct external ID as a sts:ExternalId condition.
  • Permissions boundary — a managed policy (lakesail-<connection-id>-RoleBoundary) that caps what the role can ever do, even if a policy is later mis-scoped.
  • Explicit Deny policy — prevents anyone from removing or altering the permissions boundary while LakeSail is connected.
  • Tags — Service: LakeSail, LakeSail-Connection: <id>, LakeSail-Tenant: <id> for easy audit in CloudTrail and Cost Explorer.

The role is the only new identity. No users, no access keys.

Parameter summary

  • IamRoleName: you pick the role name. Useful if you want it to match an internal convention.
  • IamPermissionBoundaryName: name for the permission-boundary policy.
  • LakeSailAccountID: AWS account of the LakeSail control plane. Read-only.
  • LakeSailVPCID: LakeSail's platform VPC, used for peering restrictions. Read-only.
  • LakeSailTenantID: your LakeSail tenant identifier. Read-only.
  • LakeSailConnectionID: internal connection identifier (10 chars). Read-only.
  • LakeSailExternalID: the STS external ID used in the trust policy. Must not leak — it's the second factor preventing confused-deputy attacks.
  • LakeSailPrincipal: the LakeSail IAM principal allowed to assume the role.

The "read-only" parameters are filled in for you when you launch the stack from the LakeSail UI. If you deploy manually, don't change them — the trust only works with the values LakeSail recorded for your connection.
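A check a security reviewer can run against the deployed role's trust policy, as an added example that is not LakeSail's own code: it confirms the policy admits only the expected principal and requires the sts:ExternalId condition described above. The principal ARN and external ID are constructed placeholders; a real document comes from iam.get_role()['Role']['AssumeRolePolicyDocument'].

```python
import json

# Constructed placeholders: in practice these are the LakeSailPrincipal and
# LakeSailExternalID parameter values recorded for your connection.
LAKESAIL_PRINCIPAL = "arn:aws:iam::111111111111:role/lakesail-platform-placeholder"
LAKESAIL_EXTERNAL_ID = "example-external-id-placeholder"

# Trust policy shaped like the one the stack creates (constructed sample).
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": LAKESAIL_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": LAKESAIL_EXTERNAL_ID}},
    }],
}

# Same policy with the external-ID condition removed: the confused-deputy guard is gone.
WEAK_TRUST_POLICY = json.loads(json.dumps(GOOD_TRUST_POLICY))
del WEAK_TRUST_POLICY["Statement"][0]["Condition"]


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy, expected_principal, expected_external_id):
    """Return problems found in each Allow statement that grants sts:AssumeRole."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if principals != [expected_principal]:
            findings.append(f"principal is {principals}, expected [{expected_principal}]")
        ext_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId", []))
        if not ext_ids:
            findings.append("no sts:ExternalId condition: the confused-deputy guard is missing")
        elif ext_ids != [expected_external_id]:
            findings.append("sts:ExternalId does not match the value recorded for this connection")
    return findings
```

An empty findings list means the role is only assumable by the expected principal presenting the recorded external ID; anything else is worth raising before approving the connection.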

Permissions granted

Permissions are split across managed policies so you can audit them individually. Each policy is scoped as tightly as possible; where broader rights are needed, the permissions boundary caps the effective reach.

EKS (PolicyEKS)

Create and manage EKS clusters, node groups, add-ons, and access entries. Required because LakeSail provisions the Kubernetes cluster that runs your compute.

Auto-scaling (PolicyAutoScaling)

Manage EC2 instances, launch templates, and auto-scaling groups. Required for Karpenter to scale compute nodes in response to job demand.

Networking, read + tag (PolicyNetworkReadAndTag)

Read-only access to EC2 and ELB, plus the ability to tag resources. Used to discover existing VPC state and mark resources with the LakeSail tags above.

Networking, compute (PolicyNetworkCompute)

Create and modify load balancers and target groups. Required for cluster endpoints.

Networking, manage (PolicyNetworkManage)

Create and modify EC2 resources, but scoped by ARN pattern — only resources whose names match the LakeSail pattern. LakeSail cannot modify your other VPC resources.

IAM + CloudWatch (PolicyIAMAndCloudwatch)

Create and manage IAM roles and policies scoped to the LakeSail role name (*<IamRoleName>*), and write to CloudWatch Logs. The IAM scope means LakeSail can only manage IAM objects related to clusters it provisioned; it cannot touch arbitrary roles in your account.

CloudFormation + observability + identity

Read CloudFormation stacks (tagged resources only), emit cluster metrics, read the Pricing API for cost attribution, and call sts:GetCallerIdentity for identity verification.

S3 + Glue for workloads (WorkloadBoundary)

Full S3 access, but restricted by the workload boundary to buckets matching lakesail-<connection-id>-* and lakesail-<connection-id-lower>-* patterns. Used for workspace data, job artifacts, and the default Glue catalog.

Permissions boundary

The RoleBoundary managed policy caps the effective permissions of the LakeSail role — even if a subsequent policy is mis-scoped, the boundary prevents the role from exceeding:

  • EKS, EC2, IAM, CloudFormation, STS, S3 — scoped to LakeSail-managed resources.

A second, explicit-deny policy prevents anyone from removing the boundary or modifying the role's policies while the connection is active.

What LakeSail cannot do

  • Assume the role without the external ID recorded at connection time.
  • Modify IAM roles or policies not created by the LakeSail connection.
  • Access S3 buckets outside the lakesail-<connection-id>-* naming pattern.
  • Read from or write to your VPC resources not matching the LakeSail ARN pattern.
  • Remove its own permissions boundary (explicit Deny).

Rotating or revoking access

  • Rotate: delete the CloudFormation stack and redeploy it with the same connection ID. The trust policy is re-established atomically; no downtime if done quickly.
  • Revoke: delete the stack. LakeSail's next AssumeRole call fails, which surfaces as the cloud account moving to disconnected / failed in the UI. Any dependent networks and clusters are effectively frozen until the connection is repaired or deleted.

Audit

Every LakeSail action inside your account is a role-assumed API call, which shows up in CloudTrail with:

  • userIdentity.sessionContext.sessionIssuer.userName = your role name.
  • Session name prefixed with lakesail-.
  • Resources tagged with Service: LakeSail and the connection/tenant IDs above.

Filter CloudTrail on your role name to see every action LakeSail has taken, with timestamps and caller session.
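The CloudTrail filter described above, as an added example that is not LakeSail's own tooling: it selects records whose session issuer is your role and flags sessions whose name lacks the lakesail- prefix. The records, role name and account ID are constructed samples; real records come from CloudTrail log files in S3 or from cloudtrail.lookup_events().

```python
ROLE_NAME = "LakeSailRole-example"  # constructed: whatever you set as IamRoleName
ACCOUNT = "123456789012"            # constructed placeholder account ID


def _record(time, source, name, role, session):
    """Build a minimal CloudTrail-style record for an assumed-role identity (constructed)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "AssumedRole",
                             "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{role}/{session}",
                             "sessionContext": {"sessionIssuer": {"userName": role}}}}


# Constructed sample: two LakeSail calls, one unrelated admin call, and one call through
# the LakeSail role whose session name does not carry the lakesail- prefix.
SAMPLE_RECORDS = [
    _record("2024-01-01T10:00:00Z", "eks.amazonaws.com", "CreateCluster", ROLE_NAME, "lakesail-abc123"),
    _record("2024-01-01T10:05:00Z", "ec2.amazonaws.com", "CreateTags", ROLE_NAME, "lakesail-abc123"),
    _record("2024-01-01T11:00:00Z", "ec2.amazonaws.com", "DescribeInstances", "AdminRole", "alice"),
    _record("2024-01-01T12:00:00Z", "eks.amazonaws.com", "DeleteCluster", ROLE_NAME, "manual-test"),
]


def session_name(record):
    """The last segment of an assumed-role ARN is the role session name."""
    return record.get("userIdentity", {}).get("arn", "").rsplit("/", 1)[-1]


def lakesail_actions(records, role_name):
    """Return (eventTime, eventSource, eventName, sessionName) for calls made via role_name."""
    hits = []
    for rec in records:
        issuer = rec.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
        if issuer.get("userName") != role_name:
            continue
        hits.append((rec["eventTime"], rec["eventSource"], rec["eventName"], session_name(rec)))
    return hits


def unexpected_sessions(records, role_name, prefix="lakesail-"):
    """Calls through the role whose session name lacks the LakeSail prefix: review these."""
    return [hit for hit in lakesail_actions(records, role_name) if not hit[3].startswith(prefix)]
```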

Manual deployment

If you prefer not to use the one-click launch:

  1. In LakeSail, open Settings → Cloud Accounts → Add AWS Account, expand Advanced, and click Download Template. The template is pre-filled with the correct parameter values for your connection.
  2. Apply it through the AWS Console, aws cloudformation deploy, or your IaC tool.
  3. Copy the resulting role ARN from the stack's Outputs tab.
  4. Paste it back into LakeSail and click Verify Connection.

The manual path and the one-click path produce an identical role — the template is the source of truth.

API reference

  • Cloud accounts: GetExternalConnectionTemplate for the template, CreateExternalConnection to record an ARN, VerifyExternalConnection for the assume-role check.